Preventive Assessments Are Crucial for Smart School Data Security

“The biggest issue with our school districts is that they have the last virgin information on the planet,” says Mikela Lea, principal field solution architect for security assessments at CDW•G. “It’s very profitable, for many reasons. It can be sold for identities, it can be sold for credit purposes — the list goes on. And a lot of times, our children aren’t going to know their identities have been stolen until they’re 18 or 19 and they apply for credit.”

School leaders traditionally have focused their energy and resources on developing instructional technology without adequately prioritizing security.

“Unfortunately, we live in a world where we have to secure it now,” Lea says.

The lack of funding for cybersecurity measures is particularly problematic for public schools, and staffing shortages are common because IT department salaries tend to be less competitive, says Jen Miller-Osborn, deputy director of threat intelligence for Unit 42 at Palo Alto Networks.

According to experts, thwarting cybercriminals takes a multifaceted approach. Preventive third-party assessments are perhaps one of the most important components of a school cybersecurity strategy, along with having an incident response playbook and adequate staff training.

Lock the Doors of Your Network with Preventive Assessments

The best cybersecurity strategy is to prevent an attack altogether, experts say. There are a few options (and a range of price points) for preventive third-party assessments, which can root out risks before they turn into full-fledged problems.

One of the most common assessments is a network penetration test, or pen test. In an external pen test, a security professional simulates the activities of a hacker — without going all the way into the network — to identify any vulnerabilities in a district’s external systems.

Essentially, it determines exactly how a bad actor could break into the district’s network from anywhere in the world, Lea says.

“It’s like me walking around your house and looking for as many ways in as I can find,” she adds. “I prove I can pick your front door lock, I open the door, but I don’t come inside your house. Then I go around and make sure your windows are secure and your garage is secure.”

Once weak spots are identified, experts create a remediation roadmap to help the district strengthen those areas over the next few months. Lea recommends that districts get an external pen test annually.

An internal pen test identifies vulnerabilities within the system. These show what happens if a bad actor gains access to student or faculty credentials, for example. Then security experts explain how to prevent that from happening.

Automated scans can be a cost-effective alternative to pen tests, Miller-Osborn says, and they are a good first step in threat assessment if a district has not previously conducted a pen test. “They’ll probably be surprised by how much the automated scan finds, especially if it’s the first time they’re having a test,” she says.

READ MORE: Experts weigh in on ways to guard K–12 districts from bad actors.

A net asset inventory — sort of a pen test in reverse — is another option for districts in the early stages of threat assessment, Miller-Osborn says. This test gauges the security of a district’s entire network, including internet-connected systems, cloud assets and distributed workforces, and produces a real-time snapshot.

“Then you can start making decisions and corrections in advance,” she says.

Other Ways to Alleviate and Prevent Cyberattacks in Your District

Even with the best prevention measures in place, bad actors sometimes find a way through. IT leaders can prepare an incident response playbook ahead of time to keep a bad situation from becoming worse in the event of an attack. This playbook should outline step-by-step instructions for handling an attack; for example, if a teacher clicks on a malicious link or a student’s password is breached. It should have contact information for staff members; legal counsel; an incident response firm, if the district has hired one; and any other important vendors.

Districts should practice using the playbook the same way they run fire drills, to help avoid impulsive decision-making in the heat of the moment, Lea says.

Staff and students are the last line of defense, so it’s imperative to educate them about how to protect their data, Miller-Osborn says.

Simple, inexpensive or free strategies such as enabling multifactor authentication for accounts and enforcing the use of secure passwords can make all the difference in avoiding a crushing ransomware attack — yet credential issues are common in schools.

“Stolen credentials are the No. 1 preferred goal of many attackers,” Miller-Osborn says. “Especially as we’re working from home, it’s important to make sure people increase those good habits, and that can take some behavioral change.”

Starting with an assessment can help districts identify areas where change is most urgently needed, and where they should strengthen their systems.

EXPLORE: Use the exclusive checklist to grade your school's cybersecurity preparedness.