When coronavirus forced school districts to condense decades of change into the span of a few weeks, there was bound to be difficulties. Right from the start, administrators scrambled to figure out how to transition the hundreds or even thousands of students in their district to tele-education platforms. The learning curve was steep, but eventually most were able to salvage what remained of the semester.
Why the Data Protection Policies Weren’t COVID-19 Ready
Districts were not ready for thousands of students and teachers to access their network and data from outside the security of their firewalls. Cyberattacks on schools had tripled in 2019 long before COVID-19. Now, all of the unsecured devices on unverified networks have put sensitive data into even further jeopardy.
In recent weeks, we’ve seen some particularly high profile cyberattacks on school districts far and wide. IT Systems for Baltimore County Public Schools in Maryland were crippled by ransomware a day before Thanksgiving. Elementary students at Chicago Public Schools were swarmed with inappropriate emails in the morning hours of the Sunday after. Those are just two instances in the same week and doesn’t account for the Zoom bombing and other novel attacks this year.
All it takes is one user to compromise your entire network. A student who picked up a malware hitchhiker on their computer after visiting prohibited websites. Faculty members clicking on unfamiliar links and inadvertently sharing their credentials with bad actors. There’s an endless stream of bad situations that your firewalls or on-site cybersecurity measures can’t prevent when people are outside of their safety net.
In some cases, districts may have been unknowingly vulnerable all along. Even if your internal IT administrators take IT security solutions seriously, the same cannot be said for all of your third party vendors. Your outsourced vendors don’t even need to offer technical services for their bad practices to be your downfall.
Though outside the education world, one relevant example that we always point to is the massive Target data breach that occurred in 2013. Hackers stole over 40 million debit and credit card numbers after they were able to compromise one of the retail giant’s refrigeration and HVAC vendors. The lack of segmentation between the big box retailer’s operational monitoring network and their point of sale network left the door wide open for a massive breach. Any of the current weaknesses in your network security will only be exacerbated in the pandemic.
When a data breach occurs, regardless of whether it’s your own data protection policy or a vendor’s that is not ready for the current situation, your district bears the responsibility. Senate Bill 820 (SB820) requires districts to have a cybersecurity risk assessment policy in place and to report any student data breaches to the Texas Education Agency (TEA) immediately.
What’s at Risk for Your School District
Once cybercriminals get a foothold in your network, there’s no shortage of terrible things they can do. The sensitive data contained within your applications, databases, and network are often a smorgasbord once your defenses are breached. COVID-19 is just giving them more opportunities. Here’s a portion of what’s at risk when your school district’s security measures are breached:
Massive financial losses
Hackers often see a quick payday from the education system. Schools have an abundance of social security numbers and other personal data without the cybersecurity budgets of financial firms or Fortune 500s. Last year alone 1,000 schools were hijacked by ransomware and the first few months of 2020 saw 284 schools targeted with a gradual rise as the school year resumed in August.
COVID-19 has the potential to amplify this threat. As more unauthorized devices access both your secured email and outside email platforms, it becomes easier for hackers to sneak their way into your system and hold your data hostage. Routine backups can undermine the leverage bad actors have over you, but it’s not worth risking your entire operations or data protection in the process.
Students’ digital identities
Your student information system is another prime target for cyber criminals. The social security numbers, medical history, family information, and other details about your current and former students sell for a high price on the black market.
Hackers who obtain the typical set of personally identifiable information (PII) can make as much as $500 per student’s information. Though the impact isn’t always immediate, identity fraud can hurt your students indefinitely. Car loans? Financial aid? Mortgages? All of these common life events might be a far greater struggle because of negligent data protection policies today.
This is the scariest by far. People in Texas know that our state is a hub for human trafficking. Our proximity to the border makes it easier for human traffickers to evade early capture – long enough for the children they take to disappear without a trace. And what’s worse is that schools with weak or out-of-date data protection practices contribute to the problem.
One of the school districts we’ve spoken with came to a sinking realization of how their data was being used when their IT security administrator noticed unauthorized outside access to their transportation records. When the perpetrator was caught, the police found out that the particular offender had been checking to see which students lived farthest from the schools and had purchased enough ketamine to subdue an 85 pound child.
This is a physical threat to our students. Any school that ignores their data protection policy during COVID-19 is not only jeopardizing their own operations, but the physical safety of the young people they’re entrusted to protect.
How to Keep Your Data Safe during COVID-19
All of those cyber threats are a lot to process. However, school districts only have one choice: take action to protect their data. What you do now will determine whether or not you can continue to protect your district and your students during COVID-19 and beyond. Though there’s lots of work to do, here are a few places to start:
Schedule regular backups
Since ransomware is such a significant threat to school districts, you need to create secure encrypted backups on a regular basis – preferably on a secure cloud storage platform. Wait too long and you can lose large chunks of data. Yet that alone isn’t enough. Hackers are exploring ways to breach these encrypted databases, so it’s essential that you create a number of backups (and using multilayer access whenever possible).
Embrace zero trust policies
Your school district shouldn’t take any access attempt on faith alone – even if it’s come from an application or individual user that has checked out in the past. The zero trust cyber security model requires identity verification every time your network is accessed through multi-factor authentication, micro-segmentation, dynamic risk scoring and other methods. As a result, it mitigates the magnitude of your threat from hackers.
Arrange for security awareness training
Are your employees security-conscious? They should be. The Texas House of Representatives passed a security awareness training certification bill (HB3834) requiring all public-sector employees to take an approved security training to detect and assess security threats. Security training like this can help staff within your district to mitigate the possibility of future data breaches or compromises.
Work with the right partner
Who you work with matters. If your partners don’t take the proper security precautions or invest in your success, then you’ll be more subject to threats now and in the future. The right advisor will guide you through this new normal – and help you make it safely through to the other side.
Connect with iSphere