Information Security: Reducing the Risks for K-12 Schools and Higher Education
Learning institutions can find themselves particularly at risk from cyberattacks due to the multi-faceted nature of their networks and email systems. Not only are educators and staff accessing them, but the additional layer of student and parent portals also provides other access points for potential scammers.
Fortunately, there are protective measures available to minimize risks and prevent attacks. We look at a number of them here.
It Starts With A History Lesson
The early days of the internet seemed like a much simpler time when we were more amazed at the possibilities of information sharing and less concerned over the nefarious activities and risks of cyberattacks and data breaches that could derail things at any time.
While cyberattacks and their prevention are part of the landscape today, not all institutions are learning at the same pace.
What Makes Education Uniquely Susceptible
Schools and university systems have a significant reach, and the age, maturity levels, and information security IQ of their members vary. Consider the typical K-12 school system and the access scenarios that accompany it:
- Administrator-to-teacher communication
- Teacher-student communication and teaching portals
- Grading and curriculum platforms
- Activity portals, sites, and social media platforms
When you consider who is accessing these channels at any point in time, the possibilities for cybercriminal activity are endless:
- School email systems may be infiltrated by phishing emails and social engineers
- Unsecure portals can be targeted or manipulated by bad actors
- Social media sites can serve as a basis for harvesting open-source information used to perpetrate scams
- Age, equipment, and security protection of users can vary widely
It all adds to the myriad ways cybercriminals can exploit the system. What’s more, it can be challenging to decide where training is needed and to assess whether it has been understood.
A Two-Pronged Approach
Securing the ‘cyber perimeter’ of school systems begins with some tactical steps that can be accompanied by information security training.
We begin with the assumption that the network security stance has been fortified with basic firewalls and other technical barriers that come with the territory. These factors can be controlled and monitored by information security staff, such as a chief information officer.
We then turn our attention to variables that are difficult to control, such as network access by system users, including teachers and administrative staff. Access by username and password is the first line of defense, but as these can be easily cracked or compromised by sharing, information security experts recommend multi-factor authentication (MFA).
MFA is an additional step in the log-in process that verifies that the person logging in is who they claim to be. It might require the teacher or administrator who’s logging in to:
- enter a code from their smartphone
- provide the answer to a personal question
- use a thumbprint or facial scan from
MFA as a second log-in step can prevent virtually anyone but the legitimate user from logging in. Although it can be highly effective, MFA has met resistance in some school districts due to cost and the fact that an extra step may be considered inconvenient by users. However, compared to the downside of a cyberattack, the MFA case is nearly irrefutable.
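To make the “enter a code from their smartphone” factor concrete, here is an added example (not part of the original article) of how a server checks such a code: a TOTP verifier per RFC 6238, as used by common authenticator apps. The 30-second step, the one-step drift window and the base32-encoded secret are assumptions matching typical app defaults; the secret is the RFC’s published test key, not a real one.

```python
"""Server-side check of a smartphone one-time code (TOTP, RFC 6238)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Checks a user's second factor.

    Accepts the code for the current 30 s step and one step either side (clock drift),
    but never re-accepts a step at or before the last one already used, so a code that
    was phished or shoulder-surfed cannot be replayed while it is still 'valid'.
    """

    def __init__(self, base32_secret: str, step: int = 30, window: int = 1):
        # Assumption: the secret is shared with the app as base32, as most apps expect.
        self.secret = base64.b32decode(base32_secret, casefold=True)
        self.step = step
        self.window = window
        self.last_counter = -1  # highest time step already consumed

    def verify(self, submitted: str, at_time: Optional[float] = None) -> bool:
        now = time.time() if at_time is None else at_time
        current = int(now) // self.step
        for drift in range(-self.window, self.window + 1):
            counter = current + drift
            if counter <= self.last_counter:
                continue  # already used: reject the replay
            # Constant-time comparison so response timing does not leak matching digits.
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.last_counter = counter
                return True
        return False


# Constructed demo secret: the RFC 6238 test key "12345678901234567890" in base32.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
```

With the demo secret, the RFC’s own vectors apply: at time 59 the valid code is 287082, and submitting it a second time is refused.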
Beyond MFA, mandated information security training is one of the most effective methods for securing a school system’s network.
For many, this means a training curriculum, most often delivered by email or through the school system’s or a provider’s learning management system (LMS). Core topics typically include:
- Introduction to phishing and different phishing types
- Training on spotting phishing scams and the language of scam emails
- Incident response training that outlines what to do if a user has fallen for a scam or triggered an attack by responding to a phishing email
- Strong password creation
- Training on how to secure system smart devices, laptops, and computers
The LMS allows those administering the information security training to verify who took the training, and, in some cases, how they performed on training quizzes to help gauge comprehension.
Once administrators and staff are up to speed on training, that awareness can be passed on. Teachers can recommend basic training resources to students, and systems can include information security as an ongoing topic in communications to parents.
It all adds to a comprehensive approach to a complex challenge that today’s education systems can overcome with knowledge and perseverance.