Steven Miller, director of Cybersecurity for the non-profit watchdog organization Digital District says “On a scale of zero to 10, with 10 being districts that have done a good job of protecting their networks and databases, I’d say the general score nationwide is close to zero, maybe 1 to be generous.”
Miller also adds “I’m not just talking about small districts, but most medium-sized ones too. School districts tend not to have specialized staff for information technology until they get very large or very wealthy. A middle-sized district might have a person or two. A small district might have a principal or other administrator handle IT just another part of their job.”
Cyberstone understands what schools are up against technology- and security-wise and that it is sometimes better for districts to reach out to an objective third-party, especially when cataloging cybersecurity risk and developing an actionable game plan for remediation.
Least privilege, a central concept for effective security, is not usually implemented well. This concept means people are only given access to what they need to do to perform their job. Students don’t need access to admin networks. VLANing internal resources is critical. Also, the district’s “back office” should be segregated from each individual school.
Patch management is lacking. Schools often have Windows patches in place but often fail to consider third-party applications such as Adobe Reader and Google Chrome. Most cyber threats enter school districts through phishing emails or emails with malicious web links. Once inside, most modern malware then “looks for” old versions of software or software missing patches. It is there that criminals start their journey toward privilege escalation and ultimately capturing student and staff information.
The attack surface is unnecessarily large. School districts allow almost anything to go to the Internet. If a system doesn’t absolutely need to be online, don’t connect it to the Internet. This includes printers, cameras, TVs, and any other internet-of-things (IoT) devices. It may also mean denying student devices (smartphones and laptops) access to the internet, depending on your district’s unique rules.
Employees are adding to the risk of a cyber breach. Employees who click emails without thinking twice are often the single most significant contributor to schools getting breached. All employees who touch technology should be regularly trained in topics such as password hygiene, safe browsing, and physical security.
There isn't a plan. Technology is in place. Firewalls and antivirus software are installed and up-to-date. But there just isn’t a plan. Every school system needs to have a cybersecurity incident response plan in place so they can effectively discover and recover from a breach. Having a plan also means the district won’t lose reputation points with the public and will be able to get back online quicker.