School districts are especially challenged by IT security for a couple of important reasons. First, only larger districts tend to have network engineers or trained IT people available, let alone security experts. And second, schools are inherently open environments, so districts try to open up network access to as many people as possible.
To give you an example, at the district in New England where I worked as a CIO, we also ran an open network and later found that Chinese hackers were using our district network as a launching pad for other attacks.
Given the expanded threat landscape and the open IT environments schools strive for, here are some tips that will sharpen up IT security at your district:
1. Reach Out to a Network Security Expert
When I was a CIO, I brought in a group and told them to go through every aspect of the network. I wanted to find out all the vulnerabilities and what it would cost to fix them. Based on what they told us, we deployed a new firewall, upgraded all the software applications in our system and set up the system so it would notify us of any suspicious traffic.
2. Place Controls on the District’s Network
I’ve been to some districts where they have a completely open network with no logins and passwords. That’s unacceptable. Assign logins and teach users how to construct strong passwords. People shouldn’t use their birthdays or the names of their children, for example. Guests should only have internet access and should not have a path to any of the school’s financial or personnel systems.
3. Use Two-Factor Authentication
Users should have a username and password and then have a special one-time PIN sent to them every time they access the network. Of course, users must have a phone that’s also locked down, but the consultant the district hires can educate users on how to use these two-factor systems safely.
4. Sign Up for a Security Workshop
IT people at school districts are typically stretched thin and don’t have time to attend workshops and seminars. But it’s really important for them to leave the office and learn about the latest threat vectors, sources of threat intelligence and best practices. Just learning about how to apply appropriate patching routines can pay for itself. If time doesn’t allow, check out Google for Education’s online Digital Citizenship and Safety Course.
A More Secure Environment Doesn't Have to Break the Bank
Becoming a security-conscious district doesn’t have to take several years. A good network security group can complete an assessment in about a day and send back results within a week.
That’s what we did in New England. Once we got back the results, within a couple of months we upgraded the hardware and software, deployed a network access control system and put in a new firewall. Combined with some training to get our administrators, teachers and students up to speed, the entire process took about six months.
I understand that resources at school districts are tight, but with a reasonable investment in new equipment and time, districts can have a fighting chance against a threat landscape that’s only going to become more challenging.
This article is part of the "Connect IT: Bridging the Gap Between Education and Technology" series.