The ubiquitous yellow school buses are starting to rumble down the roads. High school athletes can be seen out on practice fields. Work-from-home parents will soon have their days “free” again. And for MSPs that manage school networks, summer breaks are over. With thousands of kids on campus, not to mention teachers and administrators, K-12 campuses can turn into a cybersecurity nightmare.
For a writer who graduated from high school at the tail end of the typewriter age, this is mind-boggling. My 8-year-old niece talks of teachers handing out Chromebooks like candy, chalkboards have long been vanquished and replaced by whiteboards, which will soon be replaced by smart boards.
There was no security threat with chalk. The biggest danger was choking on dust while pounding the erasers
However, as the school year begins, campuses are a Petri dish of potential cyber risk, from students trying to mess with their grades to crypto miners salivating over the latent server time during nights and weekend.
School security challenges
What are some of the biggest security threats facing public schools as they open their doors this fall?
For some answers, Smarter MSP turned to Glenn Meeks, founder of North Carolina-based Meeks Professional Services, an MSP that services scores of schools for their technological needs.
First, imagine the sheer number of devices found on the average school campus. Meeks estimates in the K-12 market, a 50,000 student school district heading to a 1-to-1 computing device to student ratio will have somewhere on the order of 60,000 computing devices (a device for every student, lab desktop units, teachers, staff). That’s many devices to secure, but the issue with schools isn’t hackers trying to access banking records or big data.
Both students and teachers have not been trained on good #cybersecyrity practices, so the #malware comes back into the system via their devices @SmarterMSP
“Schools do not have anything of value to resell to the dark web, so the biggest challenge is just plain old malware. However, the challenge is shifting based on students and teachers taking district computing devices out of the district’s protected digital ecosystem. We do not know where the device went last night. Both students and teachers have not been trained on good protection practices, so the malware comes back into the system via the device the next morning,” Meeks says.
This potential “device contamination” adds a bunch of unknowns into the school’s system.
“This has a direct impact on the district firewall. In addition to monitoring the ‘public’ side of the district connection to the internet, the firewall must monitor the ‘private network’ side of the district digital ecosystem looking for network behavior indicating malware is now inside the ecosystem,” Meeks says.
Navigating different regulations
Schools have several variables that the local doctor’s office or manufacturing plant doesn’t, one being that the vast majority of people in the building are minors, which requires a different set of regulations and responsibilities.
Two points of the law that Meeks points to:
- CIPA: Children’s Internet Protection Act – As the name implies, this is an FCC-monitored law that requires the school district to protect children (minors) through the provision of content filtering. “Essentially, the protection means that a student cannot access any of their social media accounts while logged onto the school district,” Meeks says, adding that typically the URL for Facebook, Instagram, Snapchat, and others are blocked by the district firewall.
- FERPA: Family Educational Rights and Protection Rights – The district must secure the identity of or data about a student (a minor). All student-related databases must be secured.
Perhaps the added regulations have tamped down on MSPs jumping more actively into the public school market. Meeks says MSPs in schools seems to have mainly caught on in parts of the Midwest and the West Coast.
“The biggest advantage of using an (MSP) is the ability to hold the vendor accountable. It can be quite hard to hold public employees accountable. The negative of that is most districts do not know how to structure the Service Level Agreement portion of the service contract to protect the district. Most districts do not know if their MSP is doing it the correct way until something goes wrong,” Meeks says.
Meeks says the best way for an MSP to manage security at school is to use one of the more advanced approaches to IEEE 802.1x standard for network access control.
“Essentially it is a much more detailed network log-in authentication process where the network intelligently matches your ID, the device you are using, and the security apps on the device to allow you access to digital resources on the network. The network restricts each type — user, guest, student, teachers, an administrator — to a specific set of resources available on the digital ecosystem,” Meeks explains.
It’s all enough to make one long for the days of chalk, but it presents a significant opportunity for MSPs that are willing to take on the challenge.
Photo: Monkey Business Images/Shutterstock.com