With over 120,000 schools in the United States, it is easy to think that your district can hide safely in the noise or that among the pack, your schools are safe. While this mindset that cyber criminals have “bigger fish to fry” may give you some peace of mind, the facts instead point to a rise in cyber attacks targeting organizations exactly like yours.
This trend, highlighted in a recent New York Times story, outlines numerous examples of cyber attackers taking advantage of vulnerabilities that make many school districts easy targets. The reality is that cyber attacks can and do happen to all sizes and types of organizations—not just large commercial enterprises—and school districts often lack the resources to keep up with these ever-evolving threats.
So, with tightening budgets and packed priority lists, what can your district do to keep your students, staff, and data safe?
“It Won’t Happen To Us”
As noted in the New York Times article, cyber criminals have begun to turn toward school districts because they believe that these targets lack the financial and human resources needed to employ and maintain robust cyber defenses. Unfortunately, the numbers support this: with nearly two-thirds of school districts counting less than 2,500 students, there is often no staff available to focus solely on cyber security.
Cyber attacks in Louisiana and Texas are prime examples of how school districts are being targeted. Each of these districts were left with crippled computer systems that severely disrupted operations and impacted thousands of students, parents, and staff. The fact that hackers used these attacks to gain access to hundreds of thousands of private data records is equally worrisome.
Possible motives haven’t been released; however the Internal Revenue System postulated in 2017 that the ease of access to students’ social security numbers may be a factor as to why school districts are targeted.
After all, K-12 students lack credit history and have virtually unused Social Security numbers. Because of this, a student might not even realize their identity has been stolen until years later when they apply for their first loan and are rejected for poor credit and debt that they did not accumulate.
How to Fight Back
While it is impossible to know exactly how a cyber criminal will choose to attack their target, both ransomware and phishing attacks are commonly used to infiltrate school districts. Both of these attacks take advantage of unsuspecting victims that have some form of access inside of a network.
For example, an attacker could send a phishing email to a school district employee that’s disguised as an email from a superintendent with instructions to download an attachment. When the unsuspecting employee downloads the attachment, malware is unleashed, corrupting data and systems or allowing a cyber criminal to further exploit their access.
While training can help identify signs of these attacks, human error is a fact of life. As part of a larger cyber security awareness program that trains staff to identify common threats, such as malware and phishing attempts, school districts can also take advantage of the advanced controls that modern identity and access management (IAM) solutions offer.
IAM solutions automate the lifecycle management of user identities, meaning school districts with limited time and resources don’t have to prioritize day-to-day tasks over security.
Automating processes like provisioning, account changes, and deprovisioning at scale eliminates the risk of manual human errors, users accumulating unnecessary privileges, and orphan accounts being left open. This is especially important during peak times, like the beginning and the end of the school year where IT must handle massive waves of onboarding and offboarding.
Furthermore, fine-grained access controls enforce the principle of least privilege by ensuring users have the right level of access, at the right time, and only for the needed duration. Access to applications, files and folders, authentication requirements, password complexity, and more can all be configured based on a user’s attributes or role.
IAM also helps protect an organization’s most sensitive resources: privileged credentials. Privileged access management protects privileged credentials from unauthorized use with techniques, such as just in time access, privileged session management, time-based expiration, and segregation of duties.
Multi-factor authentication (MFA) can be applied as an extra layer of security that can prevent these attacks altogether. With MFA, even in the event that a user’s password is compromised, the attacker would still be unsuccessful, as they wouldn’t have the second authentication factor. While MFA can be implemented across all users and applications, it’s critical that it’s used to protect privileged user accounts, business-critical systems and applications, VPNs, and servers.
Take the Next Step
If your district does not already have the necessary security and cyber security protections in place, then the examples of breaches outlined in the New York Times article should serve as a wake-up call to take action.
One of the best steps your district can take is to research into how an IAM solution can help your school district prevent cyber attacks, while increasing overall security and business agility. An effective IAM solution can serve not only as the foundation of your cyber security program, but as a supplement to maximize your limited budget and resources.