In just the first three months of 2011, cybercriminals created 26 percent more new computer threats than in the corresponding period of the previous year, and 16 percent more than in Q4 2010. This uptick in threat activity is creating serious headaches for school technology leaders and IT administrators.
But don't take my word for it. Panda Security's recent Kindergarten–12 Education IT Security Study surveyed more than 100 individuals who manage IT security in K–12 school districts in the United States. The survey provides compelling evidence that there's ample room for progress when it comes to computer security in our schools.
Here are some of the key findings:
- Security issues consume staff time, diverting attention from the business of education. IT administrative staff at 38 percent of schools report removing viruses or malware from IT systems a few times a week, and 21 percent are doing this daily.
- While schools have baseline IT security best practices in place, there is still significant room for improvement. Ninety percent of schools install antivirus and/or antimalware on computers. But nearly 25 percent do not use firewalls, block high-risk websites or employ user authentication.
- Social media is a top concern for schools, but the stringency of school policies varies greatly. Ninety-five percent of schools have a social media policy in place, citing the mitigation of malware-related risks as a main reason for implementation. Twenty-nine percent of schools allow students unlimited access to social media sites, while 32 percent deny students access altogether.
- Schools recognize that outside devices introduce external risks but struggle to fully integrate security policies for multiple devices. Eighty-two percent of schools allow students and staff to connect personal computers and notebooks to the school network, but only 74 percent are monitoring the use of external devices. Fifteen percent fail to take any additional security measures, leaving those school systems more vulnerable to infection.
What should schools be doing differently in light of these findings?
With the 2010–2011 school year drawn to a close and summer upon us, now is an especially appropriate time to reevaluate and hit the “refresh” button on IT security. Here are five practices to consider adopting, if you haven't already:
- Institute security awareness education programs. Staff members and students are the last line of defense against cyber threats, so keep them aware of the most common tactics employed to exploit users.
- Don't let managing security for multiple school networks slow you down – consider a managed security service. According to the study, 30 percent of school IT administrators are spending more than 10 hours a month monitoring network activities to detect high-risk behavior. Managed security (cloud-based) services not only drastically decrease the time spent hunting for new malware, but also allow you to manage your school's security anytime and from anywhere – remotely or onsite. This level of unified remote management is simply not possible with traditional client/server security solutions that require IT staff to manually log in to the designated server in order to manage each location remotely.
- Require registration of outside devices. With the growing popularity of mobile devices such as smartphones and tablet computers, and the ubiquity of notebooks, it's important to deploy the same security measures for them as for on-premises network machines and PCs owned by the school.
- Monitor social media access. Students and teachers alike are spending more time on social networks, so it's no surprise that these sites also have become a favorite tool among cybercriminals. Consider a tiered-access model to limit time spent on social media sites and reduce the opportunities for cybercriminals to exploit vulnerabilities.
- Eliminate infrastructure costs with cloud-based security. You may already be doing this; the study found that the majority of school IT administrators (91 percent) see value in cloud-based technologies and plan to implement them in the next two years. In addition to the management benefits of the cloud discussed above, the right cloud-based solution eliminates the need for antivirus servers, which can be very costly and cumbersome to maintain.