Look at recent data breaches and you’ll see most attention points to commercial businesses, with Imperva being the most recent firm falling victim to an attack that exposed email addresses, scrambled passwords, API keys and SSL certificates.
Data breaches and ransomware attacks continue to show no signs of slowing down. Companies across many industry verticals fall victim to what seems to be an almost daily occurrence. Most recently, another sector is proving to be an attractive target: education.
On August 2, the K-12 Cybersecurity Resource Center’s K-12 Cyber Incident Map reported its 533rd publicly-disclosed cyber incident, which means the number of data breaches against K-12 school districts in 2019 has already surpassed 2018’s total. With under four months to go in the year and the 2019-2020 school year having just kicked-off, school districts must adapt and take appropriate measures to protect themselves going forward.
This past summer made it evident that it’s not only K-12 school districts — higher education and even commercial companies working with educational institutions are at risk. Every year, more schools make the transition into the cloud and security falls further behind. The adoption of cloud technology in schools means that not only must security teams have the resources to monitor for suspicious and malicious activity from the outside — they must also be better-equipped to monitor for potential threats from within at the same time.
Schools today cannot function without education-oriented cloud technologies and applications. Computers, laptops, and cloud applications like Google G Suite and Microsoft 365 are now as essential to a school supply list as notebooks, binders and pencils. Teachers and staff members use these cloud-based productivity applications as much as they do email, spreadsheets and word processing.
At the same time, funding shortages mean that securing them is often deprioritized. And hackers are now aware of this. Here are three approaches to the new school year that school districts must take to protect themselves moving forward.
1. Focus on prevention — not mitigation
Most school districts have fewer than 2,500 students and don’t have a staff member dedicated to handle cyber security incidents. Because of this, schools have become a target and the mindset must shift from “if an attack happens” to “when an attack happens.”
Many schools across the nation have made the transition to running classroom and administrative operations in the cloud. The problem is that securing the data in cloud applications is an afterthought. As a result, schools are leaving student data vulnerable to identity theft, fraud and other emerging threats.
By shifting the focus to secure applications and data before an attack happens, rather than after, school districts will be better prepared to protect students, staff and operations against an external attack, or internal incident.
2. Make data loss prevention a priority
There are numerous data security and privacy requirements mandated by laws and regulations, such as the Family Educational Rights and Privacy Act (FERPA), the Children’s Internet Protection Act (CIPA), the Children’s Online Privacy Protection Act (COPPA), and the Health Insurance Portability and Accountability Act (HIPAA). Under some of these regulations, an organization may be penalized for each lost or stolen record, which can add up quickly. However, there are other penalties for failing to protect data school districts must be thinking about.
They include the loss of personal and financial data such as payroll information, school financial information and student personal information. Schools across the country have also been forced to shut down for days at a time due to ransomware and safety systems attacks, interrupting academic achievement and safety for students.
School districts don’t have the huge security budgets of the Fortune 500 and, unfortunately, are key targets for many cyber criminals. When thinking about preventing data loss, implementing tools and solutions are what most think of doing as the first step. Data loss prevention tools can monitor user activity — of both staff and students — to detect improper or unusual behavior.
However, preventing data loss goes much deeper. Educating staff and students on the most common types of internal incidents caused by human error and the various external threats they may come across will help immensely. It also requires planning and documented processes by the school itself to be better prepared, and protected.
3. Minimize the internal threats to your organization
The increase in adoption of cloud applications means schools must also improve their security posture to prevent an internal incident. School districts that have recently transitioned to the cloud may not realize cyber security means more than securing a network with firewalls and gateways. It also means securing the data within the cloud environment — even when an individual and device physically leaves the premises.
For example, a member of a school’s faculty — or a student — could be at home and click on a phishing link. That link has now granted hackers access to the school’s cloud environment. Hackers are then able to pass through any firewall and gateway schools have in place, and can download and share any files they want, which is why schools must also monitor the activity taking place on the inside of their environment. Most worrying of all, schools may never know the breach took place unless the hacker discloses it, which is what is typically seen in a ransomware attack.
Verizon’s 2019 Data Breach Investigations Report found that nearly 32 percent of breaches involved phishing, 34 percent involved internal actors and that errors were causal events in 21 percent of breaches. Focusing on cloud application security as much as network or endpoint security will help minimize the internal threats that could occur throughout the school year and will help prevent sensitive data from leaving a school’s environment.
These steps can usually be taken using the native security controls provided by popular cloud applications such as Google for Education and Office 365, but then you are leaving cloud security in the hands of the cloud provider. Hackers are becoming more sophisticated in their attacks, and they are increasingly viewing schools, districts and higher education institutions as easy targets.
Remember, better security doesn’t have to be more expensive or more complicated. It does have to be configured correctly, and continuously monitored for vulnerabilities and potential breaches. Otherwise, hackers will go unnoticed in their attacks. The time is now for school districts to focus on prevention and stop hackers in their tracks.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.