Achievement tests, rumbling school buses, and Friday night football are a few signs that the educational ecosystem is up and running again for another academic year. Schools are increasingly on the radar of hackers, who view schools as repositories of data and as having unique vulnerabilities.
These vulnerabilities are opportunities for MSPs who can navigate the treacherous waters, which include both savvy students outsmarting the adults, and ransomware purveyors hoping to hold records hostage for a payoff.
Recently, a group of high school seniors in Pennsylvania took a senior prank too far by hacking into the sensitive information of thousands of students. Online life ground to a halt in the 50,000 student San Bernadino Unified School District when hackers gained access to the central servers and locked them for ransom.
Schools present a special challenge for MSPs
Smarter MSP caught up with Joe Hesske, vice-president of sales and marketing for Warwick, an Ohio-based MSP that counts many schools among its clients.
Hesske says that schools require a level of specialized care as clients, but the rewards are there for the MSPs who are willing to invest time and talent.
“Educational systems always add a unique security consideration – the presence of children using computers,” notes Hesske. This single factor makes the entire landscape of school cybersecurity different than your local business.
“Your local clinic may have to secure the health records of minors, but their security is designed for adults and professionals to interact,” details Hesske. On the other hand, a school must design their security to accommodate children, and both technical controls and human processes must be adjusted for them.
Questions MSPs with school accounts need to wrestle with include:
- How do you adapt security training to apply to a 12-year-old?
- Should a fourth-grader be required to use a fingerprint to turn in homework?
- Who can access a child’s classroom chat, and where is it stored?
Another unique component of schools is that their population experiences a great deal of churn. Every year a new crop of students comes in and controls must be adjusted accordingly.
Building out a cybersecurity program for schools
If an MSP can navigate the regulatory landscape and carve out a specialty in managing the networks of education institutions, the payoff can be new business.
“School systems are always challenging and rewarding clients for an MSP due to the breadth and depth of their IT needs,” warns Hesske. He advises MSPs to build a program that addresses the unique needs of administrators, teachers, and students. Building out a program that addresses all these needs, requires expert knowledge of the modern technology stack.
“From traditional brick-and-mortar planning, to cloud, to mobile, to the internet-of-things, educational programs draw upon all IT disciplines. Additionally, cybersecurity in educational systems overlaps significantly with privacy and confidentiality concerns,” states Hesske.
Heske continues by noting that a well-qualified MSP serving a school system will have subject matter experts that understand the interaction between technology and educational policy, including legal and regulatory requirements, acceptable usage enforcement, and social media management.
Social media, email, and more
Social media and kids are paired together like peanut butter and jelly or a soft drink and ice. But social media can present a minefield of issues for an MSP. According to Hesske, the key is oversight for MSP clients. If an MSP becomes aware of questionable student behavior on social media, there needs to be a plan in place to deal with it.
Additionally, as trusted custodians of the tools and platforms through which children may interact, a socially responsible MSP will have a well-structured practice to address social media incidents involving minors that align with the requirements of the school systems they serve.
BYOD devices
With students flooding campuses with smartphones, tablets, e-readers, and more, the strain on a network would seem to be an issue. While that may have been problematic ten years ago, today’s tools can help an MSP easily manage it.
“IT and security management tools have caught up with the practice of BYOD. Any modern MSP program can accommodate the technical risks of foreign devices connecting to a network, even in large volumes,” states Hesske. The more crucial component is deciding upon an acceptable usage policy.
“As with social media policy, a capable MSP will be able to provide guidance on the interconnectivity between BYOD technical controls and educational policy,” advises Hesske.
School vulnerabilities
Still, schools are not alone in facing internal threats — they exist everywhere.
“External and internal threats exist in both private and public sectors, and every industrial vertical. They are targets for ransomware, reputational damage, denial-of-service, fraud, and theft of data and resources,” admits Hesske.
“Schools add the additional threat of their vulnerable population of minors. Our youth are just more susceptible to social engineering and predation than the average adult or professional. Adjusting, monitoring, and re-adjusting the security controls around the technology used by children should always be a primary focus of a strategic IT program in the educational sector,” advises Hesske.
A strong client relationship can ensure the school year goes smoothly and that senior pranks stay offline.
Photo: Michael Jung / Shutterstock