Every August, across the United States orange school buses rumble from their summer slumber, school cafeteria workers put on their hairnets and march back into the kitchen, and students grab their backpacks and books and make their way to their respective campuses. But they aren’t the only ones heading back to school. So are hackers.
“It happens every year,” says Richard Lindsey, a cybersecurity advisor in Buffalo, New York. “Cybercriminals pick certain schools to keep an eye on and possibly commit criminal mischief. Their reasons range from “easy” ransomware money to schools generally not having the latest equipment, which can lead to vulnerabilities. Add in thousands of students with their own devices into the mix and you get a massive opportunity and attack vector for cybercriminals.”
Schools rate high on cyberawareness
For MSPs, the start of the school year is a good time to makes sure any education clients in their portfolio have the basics covered when it comes to cybersecurity. And statistics do show that schools today are faring better when it comes to reducing the impact of cyberattacks.
“Ransomware attacks increased from 50 in 2020 to 62 in 2021, while the number of cyberattacks in general on schools declined for the first time in three years, from 408 in 2020 to 166 in 2021, according to the report from the K12 Security Information Exchange or K12 Six.”
Lindsey points out that these statistics validate the work schools are doing in bringing awareness to the issue. “Sometimes encouraging statistics like the ones we are seeing can breed complacency, now is not the time to let down our guard when it comes to schools,” he warns.
Lindsey and school IT staff recommended several steps to Smarter MSP for safeguarding school’s cybersecurity.
Reading, writing, ‘rithmatic, and don’t forget cybersecurity
Educators in collaboration with their CISOs and MSPs should provide cybersecurity training to students.
“The good news is that students are like sponges,” explains Lindsey. “They will absorb whatever is taught and are often very cyber-savvy anyway. Training students on cybersecurity best practices is far easier than doing the same training with teachers.”
Lindsey recommends that cybersecurity school begin at the earliest possible age for students. “There really is no ` too early’ and I advise that schools begin talking about cybersecurity basics in big, broad terms as early as kindergarten,” he says. “By the time these kids are in elementary school, they’ll know the language and be comfortable with the concepts. When they reach junior and high school begin, cybersecurity should be a consistent part of the curriculum.”
And there are added benefits to cybersecurity training in schools, Lindsey continues. “Not only will you make campuses safer in the short term from a cybersecurity standpoint, by introducing cybersecurity into the schools you’ll potentially spark an interest in the field in young people and that could, over the long-term, help alleviate the terrible talent shortages,” he says.
Another benefit of offering cybersecurity training to the student body is that you can have “eyes” and “ears” all over.
“Make the students stakeholders and show them how important it is, and you’ll have 1000 cyber-savvy students who can report any potential problems,” Lindsey recommends. “That’s exciting, it makes students part of the solution as opposed to the problem.”
Schedule regular cyber-drills
Schools have tornado drills, fire drills, and active shooter drills. To protect the school clients in their portfolio, MSPs should consider cyber-drills.
“This should be simulated training across all levels of staff and perhaps students, depending on their age, but there should be a plan in place, a set protocol for who handles what during a cyber-emergency,” Lindsey advises.
The drills should cover everything from an amateurish teenage attempt to change grades to an all-out criminal gang ransomware ambush.
Establish a chain of command
Breaches are like illnesses. If caught early, damage can be mitigated, so there needs to be a clear chain of command.
“If a 16-year-old kid in chemistry class notices something amiss with the network, they need to tell their teacher, but then the teacher needs to have a person to report to, it can’t just stop at the teacher’s desk,” Lindsey says.
This involves establishing a single point of contact for the campus so that teachers can report information. “Cybersecurity is like a puzzle and if one person gets all the pieces, they can see the full picture,” explains Lindsay. “If the pieces are going to ten different points of contact, something can fall through the cracks more easily.”
Establish BYOD policies
Students will inevitably bring in their own devices despite a school’s policies on the matter. “Schools may think they are clamping down on BYOD but unless you are going to search each student and each backpack and purse, you won’t’ catch it all and each device is a potential access point into the school’s network,” Lindsey warns.
Schools must have clear, enforceable, and realistic policies. The same BYOD policies must apply to teachers, as well.
“In today’s world, it may be unrealistic to ban this or that, but there need to be clear protocols spelled out,” Lindsey emphasizes. “I’ve seen student handbooks that don’t even mention cybersecurity, so if a school isn’t going to deem it important enough to include the handbook, then students and staff won’t’ deem it important either.”
Following these basic steps can help to ensure that the trend of attacks on schools continues to diminish.
Next week, we’ll examine specific cyberthreats facing schools as they reopen.
Photo: pyansetia2008 / Shutterstock
