Still, MFA can make a very real difference. It's one of the five pillars of zero trust.
Unfortunately, cyberattacks including ransomware, data breaches and business email compromises remain clear threats to K–12.
Consider Options for Your District
What can you as a K–12 administrator do as you wait for funding, additional employees and approvals? First, you may be pleasantly surprised to learn that the vendor you already use for sign-on (Microsoft, Google, etc.) may already have an MFA solution ready to go, with minimal or no additional licensing costs.
MFA functionality runs the gamut from cheap (but perhaps more difficult to configure) to expensive (and more streamlined). Both Microsoft and Google offer inexpensive authentication solutions that are common in K–12 environments and offer MFA as part of existing license agreements. If you want more advanced features, such as conditional access, they will cost extra.
Other vendors also provide advanced services in this space while maintaining ease of use. Cisco Duo offers features such as an MFA self-service portal and simplified deployment. Larger organizations may be interested in Okta, as it can provide full identity roles management and detect viruses based on suspicious behavior.
Stage MFA Based on Priority Groups
Much of the risk to a school district boils down to two things: theft of information and destruction of resources. You should address influential and high-risk accounts with MFA first, then move on to stage MFA for your other users.
In my district, Seattle Public Schools, where we have 52,000 students, we used a phased approach to implement MFA. I recommend you do the same, and I suggest that you address district groups in the following order:
1. Start with your IT staffers, so they can work out the bugs.
2. Next, leverage your annual phishing exercises and apply MFA requirements to those who fail.
3. Then, require MFA for accounts that control sensitive data and money, such as payroll, HR and accounts payable.
4. School board members, principals, and executives with authority and trust should go next.
5. Last, require MFA for classroom teachers and remaining staffers.

Students can opt in to MFA.
Don’t forget to activate MFA for the school social media apps such as Twitter and Facebook.
Ease Adoption Through Advanced MFA Options
If you pay for more advanced MFA options, you could also choose to block MFA prompts when the account is being used from a campus location. This on-campus exemption approach increases risk somewhat but also greatly increases acceptance and adoption.
Also, get your union leadership involved early in the testing and planning stages, so it can guide your work. Ours was immensely helpful in helping us both tune our communications and craft an appeal/exception process.
Educate Staff on the Risks of Stolen Passwords
How do you convince people to use MFA if your cyber insurance carrier mandates it? Invite them to visit this eye-opening site: haveibeenpwned.com using test@test.com as well as their own email accounts. (Yes, it is a trustworthy website.)
Over the past 10 years, both League of Legends and Evite have seen major thefts of K–12 passwords. Wide-reaching cyberattacks accomplished via bugs like Heartbleed and vulnerabilities like Log4Shell continue to threaten vendors and websites. The Spam Auditor blog reports that large volumes of passwords are being sold on the dark web.
Since COVID-19, more district staffers have the ability to work remotely. If a district exposes tools like VPNs or remote access without MFA, it increases the chance of a districtwide ransomware attack. At any point, you should assume more than 7 percent of your passwords have been stolen and can be used against you.
It is worth reminding staffers that stolen district account passwords can potentially be used remotely to change grades, redirect paychecks to criminal bank accounts, and search the district’s shared files for sensitive data to use in ransom and blackmail threats.
Editor's note: This article was originally published on March 8, 2022.