On Monday (3/21/22), the White House released a statement by President Biden on our Nation’s Cybersecurity warning that “based on evolving intelligence” U.S. companies and organizations need to urgently harden their cybersecurity defenses against potentially imminent cyberattacks.
On Tuesday (3/22/22), Okta, the largest provider of single sign-on (SSO) in the world, confirmed that they had been breached over a 5-day period in which malicious actors gained control of the device of a support engineer who was working as a third-party contractor. The extent and impact of the breach are not yet known as of the publishing of this blog post.
On Wednesday (3/23/22), tech giant Microsoft confirmed that they too had an employee’s account taken over and hackers gained access to Azure servers and allegedly internal source code repositories.
This sequence of events paints a stark picture of the urgent threat that is facing all of our organizations when it comes to cybersecurity and protecting our data and systems against malicious actors. This is even more critical when we are talking about education institutions which, as we’ve discussed previously, are the most targeted industry for ransomware attacks since the onset of COVID.
If the largest software companies on the planet (who are fantastic, security-minded companies!) are currently experiencing these attacks, it should be sounding alarms all across the education industry that they are at imminent risk.
So what are school districts, colleges, and universities to do? Accompanying the statement from the White House was a fact sheet with a call for organizations to “execute the following steps with urgency.” The top 3 steps listed are summarized as follows:
- Mandate the use of multi-factor authentication.
- Deploy modern security tools to monitor and mitigate threats.
- Patch all systems and change passwords across your network so that previously stolen credentials are useless to criminals.
These are absolute, right-now steps that need to be taken to protect our academic institutions and the copious amounts of personal data and identities they contain.
Beyond these immediate steps, higher education institutions need to push the envelope on moving to a true zero-trust approach to security and lean on their point solution vendors to provide seamless integration with each other so that their entire cybersecurity ecosystem is tied together and working as a single, informed unit.
K-12 institutions should look to implement the Essential Protections outlined by the K12 Security Information Exchange (K12 SIX). These measures are specifically designed to be tailored to, and achievable for, K-12 organizations and the resources they have available to them.
“Unfortunately, the cybersecurity threats facing the K-12 sector are neither trivial nor hypothetical,” said Doug Levin, National Director of K12 SIX. “It is vital that all schools take immediate steps to uplift their cybersecurity risk management practices, including by implementing common sense, baseline cybersecurity controls.”
With typical user traffic expanding well beyond the bounds of a traditional perimeter model of network security, the key to safeguarding access resides at the individual identity level. Understanding and verifying who this specific actor is, what they are trying to access, and to what extent (if at all) they should be able to access it is at the heart of an identity-centric approach to protecting your resources.
Set up a consultation today with one of our identity experts by reaching out to email@example.com. Together we can evaluate your organization’s specific needs and the steps we can take to help harden your identity and access cybersecurity posture.