Oct 03 2023

4 Focuses to Anchor Your School’s Security Posture for Smooth Sailing

Keep your K–12 district safe from cyberattacks when you shore up these foundational components of a strong cybersecurity strategy.

K–12 institutions often lack the funding to support advanced cyber initiatives or hire skilled cyber experts, leading to continued ransomware attacks against districts. Meanwhile, cyber insurance premiums keep increasing.

In support of school cyber efforts, the U.S. Department of Education recently announced key K–12 cybersecurity resilience measures — including the establishment of a Government Coordinating Council — and released three K–12 Digital Infrastructure briefs.

“Dr. Jill Biden pulled together a number of vendors and K–12 folks like myself to talk about cybersecurity,” says Seattle Public Schools CISO April Mardock, who took part in the recent White House summit on K–12 cyber.

Mardock describes several new initiatives, including “a promise from vendors to be more transparent and leadership-oriented, called K12 Ed Tech Secure by Design. A number of vendors are also starting to provide resources, especially to smaller districts, where they can get some cybersecurity protections for free.”

Additionally, the Cybersecurity and Infrastructure Security Agency “is working really hard with K–12 this year,” she notes. CISA has defined sector-specific Cybersecurity Performance Goals, a set of protections K–12 must have in place.

The new government focus on K–12 schools takes cybersecurity “out of the realm of being an IT problem to being a leadership problem,” says CoSN Cybersecurity Program Director Amy McLaughlin. “It helps reinforce the message that this is a systemic challenge. It’s an organizational challenge. It’s not just a technology challenge.”

Even districts with advanced cybersecurity technologies already in place need to focus on the building blocks of good cyber hygiene, as defined by the National Cybersecurity Alliance’s four priorities for Cybersecurity Awareness Month. They are: multifactor authentication, strong passwords, software updates and phishing prevention.

Multifactor Authentication's Extra Layer of Security Stops Hackers

As a multistep login process that requires more than just a password to gain access to applications and systems, MFA is a key safeguard for K–12 schools.

Without it, bad actors can steal credentials through methods such as phishing or through third-party companies and applications. Those credentials give them access to school systems and data. MFA “prevents the cyberattackers, in most cases, from being able to use a stolen username and password,” says Mardock.

For K–12 staff, MFA’s extra step — such as asking users to respond to a text message — offers “an additional safety net,” says McLaughlin. “It adds one extra layer that makes it that much harder for an adversary to get into an account and compromise it.”


Strong Passwords Keep K–12 Accounts and Networks Secure

IT leaders generally know that complex, hard-to-guess passwords are a deterrent to bad actors.

Cyberattackers “go after the easy targets first, and those are the people with simple passwords: something with 1-2-3-4 or their last name in it,” says IEEE Fellow Karen Panetta, dean of graduate education at Tufts University School of Engineering and author of Count Girls In, a book about mentoring K–12 girls in STEM fields.

Lately, the thinking is changing regarding what constitutes a “strong” password. Twelve characters with upper- and lower-case letters, numbers and special characters? That’s just a mess.

Faced with these over-complex requirements, “I’ve seen people with passwords on sticky notes on their name tags. When you lose your name tags and your passwords, then we have all your information,” McLaughlin says.

The National Institute of Standards and Technology now encourages the use of passphrases, and McLaughlin calls this a great strategy for K–12 users. “‘Drink More Coffee!’ is a password that’s easy to remember and easy to type,” she says.

Software Updates Protect School Technology from Vulnerabilities

Software vendors continually put out updates to patch known vulnerabilities, and it’s crucial that K–12 IT administrators keep up with these changes.

When software makers alert users to a vulnerability, “they’re also notifying the cyberattackers, and the attackers capitalize on the fact that people are not proactive, that they don’t act quickly,” Panetta says.

With bad actors leveraging automated attack tools, outdated software assets present an immediate security risk. When software isn’t up to date, “the cyberattackers can use little robots to go out and find the vulnerable servers and attack them. It doesn’t even require a human anymore,” Mardock adds.  

Some K–12 leaders worry that updates might disrupt system operations. Mardock says this can be avoided by rolling out patches strategically. “We patch an elementary school, a middle school and a high school first, before we patch all of our schools,” she says. “That way we can see if there’s a problem, and we can reverse it quickly without it causing a huge amount of disruption.”

Prevent Phishing with Tech Tools and Staff Training

With phishing attacks, bad actors typically use fraudulent emails to trick people into disclosing passwords, allowing the hackers to gain access to K–12 systems and data.

Such attacks are “a huge risk to K–12, partly because the human attack vector is the easiest attack vector. It is easier to get somebody to help you than it is to try to break into an actual computer system,” McLaughlin says. “Psychologically, people are prone to be helpful. In K–12, they’re expected to be helpful; that’s their job.”

To counter the threat, “it is very important that people are trained, that they are aware that phishing attacks are real,” she says. “It’s also important for K–12 schools to invest in the tools that help reduce phishing: spam filtering, phishing monitoring tools and the ability for people to self-report. Then you can pull messages out of systems before everybody clicks on them.”

Illustration by Olly Kava
