School buses are beginning to rumble down roadways, lunches are being packed, and playgrounds are bustling with children at play. Yes, schools are back in session. After a year of on-campus instruction essentially lost to the pandemic, the 2021-2022 school year is starting more “normal.”
However, masks, virus variants and hybrid learning remain topics that schools, students and parents grapple with. This uncertainty is inviting for hackers, who are using it to capitalize on the chaos, and educators and cybersecurity specialists should be taking note.
The number of cyber incidents aimed at K-12 school systems could jump by 86 percent in the coming academic year, the nonprofit Center for Internet Security said last week. With many MSPs having educational clients in their portfolios, preparation should be underway for this expected spike in attacks.
A wild card that MSPs and school IT officials deal with in any situation is the students themselves. Cyber-savvy kids can either serve as “watchdogs” in the school’s online ecosystem or wreak havoc. I recently had the opportunity to tour a couple of school campuses in Indiana, one that used an outside MSP for services, and one whose team was internal. Both schools were making final preparations for the return of students in mid-August. I agreed not to identify the schools or to write about any weaknesses that I saw in their cyberdefenses.
Here are some key takeaways from my tour:
Schools should conduct cyber-emergency drills
Most schools have drills for tornadoes, fires, and more recently, active shooter scenarios. Increasingly, schools are also implementing cybersecurity drills. One teacher remarked: “The drills help the staff grapple with the severity of the situation if an attack were to occur.”
At the Indiana school that uses the outside services of an MSP, a recent cyber-emergency drill included a simulated ransomware attack. The MSP was in charge of launching the “attack.” The school that relied solely on its internal IT staff did not perform this type of exercise, but instead stressed the importance of preparedness to all staff.
Cyber-emergency drills, depending on the complexity of your school district, should involve the students, staff, paraprofessionals, and administration. If a school’s systems go down because of a ransomware attack, everyone is impacted, so everyone should participate in a drill.
There also needs to be a clear disaster plan in place that delegates what staff and students should do. This may involve shutting down equipment, contacting authorities and the school district’s central office, and communicating with parents. The MSP that serviced the Indiana school district had a step-by-step 10-page plan for the district to follow in the event of an attack.
A side benefit of a school-wide cyber-emergency drill is that putting cybersecurity front and center demonstrates future opportunities for children. Since the IT industry is so desperate for new talent, anything that helps generate interest is good.
Teacher and student training
One area where MSPs can add tremendous value for school districts is hosting a teacher “in service” or training day on cybersecurity.
During my tour of the two Indiana school districts, I talked to teachers who had a wide range of IT and cybersecurity knowledge, from those who could speak fluently about file-less malware and firewalls to others who lacked literacy on even the most rudimentary threats.
All teachers need to know the basics of cybersecurity. Some teachers I talked to were sharing passwords with other teachers for cloud-based and streaming services. That’s poor cyber hygiene and can lead to credential stuffing or password theft.
Furthermore, while drills are great, what is even better is not having to execute the plan in the first place. Prevention is always best. We teach students how to prevent all sorts of things, from car accidents to poor money management. They should also learn the basics of cybersecurity, from not sharing passwords to always having 2FA and responsible use of social media.
Additionally, certain students could be “deputized” to help watch the school’s network in the same way neighborhood watches are organized. Obviously, precautions and vetting of the students participating need to be done, but some schools view this as a viable option.
Utilize audits and off-site backup for outdated devices
I was struck during my after-hours tour by how many connected devices were left in the “on” position, from printers to scanners to audio equipment and everything in between. Simply turning all of these devices “off” will reduce attack surfaces, especially during after-hours and overnight times when hackers seem to be most active.
Not to add more to already overworked teachers, but if part of their routine is to pull the blinds and turn off the lights before they lock up, “disconnecting” connected devices should also be on the list.
One of the schools I visited in Indiana had a secure, off-site office devoted to backing up data. If the main campus network were hacked, this school would be able to get up and running more quickly.
This is especially important on school campuses. I saw old printers tucked away in closets at both schools, old computers on carts, and laptops stuffed into lockers. The risk here is that some of these devices could be connected again, and chances are, if they have been sitting there collecting dust, no one has been keeping on top of their maintenance, patching, and hardware-based cybersecurity routines. Connecting old devices can leave gaping holes in a school’s security.
There is no way to fully safeguard a school, but by involving everyone – students, staff, parents – MSPs can reduce the odds of an attack and at least be fully ready if one does occur.