No summer break for cybercrime: Why educational institutions need better cyber resilience
The education system isn’t equipped to handle today’s cyberthreats. I’m not just talking about cybersecurity education in schools shaping the technical workforce of the future – America’s schools themselves are prime targets for cybercrime today. In fact, according to some reports, attacks on these institutions (ransomware, phishing, denial-of-service and more) are growing each year.
Support on the federal and state level, like stimulus to help schools upgrade their hardware and security and the recently formed Government Coordinating Council for Education Facilities Subsector, is designed to flatten this trend. But with risks such as student data getting leaked on the dark web, school districts’ reputations getting tarnished by ransomware mishandlings, and the potential of any single attack to not only disrupt classes for days or weeks but also threaten the livelihoods of our youth, the stakes are too high to ignore the cyber resiliency (or lack thereof) of our school system.
More endpoints than ever
Schools are low-hanging fruit for cybercriminals. As the US Cybersecurity and Infrastructure Security Agency puts it, American schools are “target rich, cyber poor.”
Across both K-12 and higher education, schools rely on legacy IT systems (firewalls and VPNs) and have more endpoints than ever, with students, parents, staff, and faculty accessing systems on their own devices. All the valuable student and employee data stored in those systems, and the fact that schools don’t have high budgets for cybersecurity, compound this issue. Simply put, it’s a perfect storm for risk.
The years since the onset of the pandemic only helped that storm gain traction. When they had to accommodate remote learning overnight, schools scrambled. Many weren’t equipped to support staff working from home. Few had visibility into just how many devices or access points into their systems they had. Most lacked the basic security processes to cope with the sudden increase in online activity and, thus, cyber risk. Unfortunately, that hasn’t changed as much as it needs to.
Most IT administrators at schools don’t have answers to basic questions, like how many student and staff devices they have, how many servers they have, whether each device is up to date with system configurations and patching, and which devices hold personally identifiable information. That information is central to securing systems and data: one unprotected or misconfigured endpoint can open the doors to an attack. Even CCTV systems – designed to keep students physically safer – can introduce security and privacy risks if the infrastructure isn’t secure.
But let me make this clear – that is no fault of the IT administrators. They are doing what they can with the resources they have. The main culprits are the processes and technologies they’re using.
A concerted cyber resilience effort for educational institutions
You can’t protect what you can’t see. Most legacy tools that schools rely on were developed to view and control only endpoints deployed on premises, failing to manage and defend today’s remote networks. Improved visibility around endpoints is key to improving IT security in schools: With a better look into what laptops, desktops, servers, and software exist in a school’s ecosystem, IT teams can understand the security, ongoing operations, and potential vulnerabilities at hand.
For example, Burnaby School District in Canada found 9,000 endpoints in its ecosystem after deploying an endpoint management solution, which is 2,000 more endpoints (each a potential inroad for an attack) than it previously thought it had.
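The inventory questions above (how many devices and servers exist, whether each is patched, which ones hold personally identifiable information) come down to reconciling what the asset register claims against what a discovery scan actually finds. The following is an added illustration, not code from the article or from any vendor; the hostnames, patch dates and PII flags are constructed sample data.

```python
"""Reconcile a school's assumed asset register against discovered endpoints.
All sample data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Endpoint:
    hostname: str
    kind: str            # e.g. "laptop", "desktop", "server", "camera"
    last_patched: date   # date of the last successful patch cycle
    holds_pii: bool      # device stores personally identifiable information


# Constructed sample: what the asset register says should exist.
REGISTERED = {"lib-pc-01", "admin-srv-01", "lab-laptop-07", "old-lab-pc-99"}

# Constructed sample: what an endpoint discovery scan actually reported.
DISCOVERED = [
    Endpoint("lib-pc-01", "desktop", date(2024, 5, 5), False),
    Endpoint("admin-srv-01", "server", date(2023, 11, 14), True),
    Endpoint("lab-laptop-07", "laptop", date(2024, 5, 20), False),
    Endpoint("cctv-gate-03", "camera", date(2022, 1, 9), False),   # CCTV nobody registered
    Endpoint("hr-laptop-02", "laptop", date(2024, 4, 1), True),
]


def reconcile(registered, discovered, today, max_patch_age_days=30):
    """Return the gaps between the register and reality: unknown and missing
    endpoints, devices past the patch window, PII holders, and counts by kind."""
    seen = {e.hostname for e in discovered}
    stale = {e.hostname for e in discovered
             if (today - e.last_patched).days > max_patch_age_days}
    pii = {e.hostname for e in discovered if e.holds_pii}
    counts = {}
    for e in discovered:
        counts[e.kind] = counts.get(e.kind, 0) + 1
    unknown = seen - registered
    return {
        "unknown": sorted(unknown),            # found but not in the register
        "missing": sorted(registered - seen),  # registered but not found
        "stale": sorted(stale),
        "pii": sorted(pii),
        "counts": counts,
        # Triage first: devices nobody knew about that are also stale or hold PII.
        "priority": sorted(unknown & (stale | pii)),
    }


if __name__ == "__main__":
    for key, value in reconcile(REGISTERED, DISCOVERED, date(2024, 6, 1)).items():
        print(f"{key}: {value}")
```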
Let’s look at higher education as another example. Higher education institutions face two main cybersecurity threats: advanced ransomware (seeking personal information and demanding payment) and nation-state-sponsored attacks (often seeking sensitive research data, including military research conducted at universities). Both threats use complex, multi-stage attack patterns and take advantage of existing vulnerabilities across endpoints, both on and off campuses.
Unlike an enterprise with a top-down view of security processes and procedures, higher education institutions’ security operations are relatively balkanized; it is common for different organizations on campus to have their own IT and security staff along with whatever collection of solutions they prefer. The result is a fragmented security posture, with time wasted stitching tools and information together.
To defend against threats, institutions must be able to understand and measure the known vulnerabilities across their networks, proactively hunt for indicators of compromise to remediate them before they progress toward catastrophe, and investigate any attacks that have already occurred to understand the scope of the issue. Endpoint visibility and control that take stock of all endpoints, not just those on-premises, can dramatically reduce cyber risk.
A reactive plan in place
In addition to improving general data hygiene and backups, endpoint visibility, and efforts to manage access to networks through tactics like multi-factor authentication (MFA) and the principle of least privilege (PoLP), schools need a plan in place for when (not if) an attack occurs. This incident response plan should give IT teams a framework to detect and respond to threats, from the initial alarm and notification of insurers and authorities, through containment, evidence collection, and eradication, to recovery. It should also include pre-planned negotiation tactics for a ransomware incident.
Like any other sector, schools must adopt a “not if, but when” mindset toward cyberattacks as they increase in cadence and complexity. Combining proactive and reactive cybersecurity efforts is essential to preparing for this new era of ransomware and phishing threats.
Cybersecurity is central to school safety. It only takes a few staff members falling victim to a phishing scam or one ransomware attack over a long weekend to create an expensive, corrosive, and disruptive security crisis. As devices and endpoints increase in education, preparedness against threats is paramount.