Nov 01 2023

How to Solve the Cybersecurity Policy Whack-A-Mole in K-12 Education

Schools can improve student online security with simple, effective tools such as multifactor authentication.

When an IT administrator in K–12 puts a cybersecurity policy in place after an incident, they could be responding to anything from a high-level ransomware attack to an amateur phishing attempt targeting emails for network access. But regardless of the size or complexity of the incident, the privacy and security of students’ sensitive personal information is at risk of falling into the wrong hands.

According to Verizon’s 2022 Data Breach Investigations Report, the educational services sector experienced 1,241 incidents in 2021, with 282 involving confirmed data disclosure. Of those attacks, 75 percent were from external sources; the remainder involved insiders.

Adding Disparate Policies Is a Poor Cybersecurity Strategy for K–12

Policy enforcement and smart cybersecurity solutions can dramatically reduce this risk. However, policy setting too often is a one-off, whack-a-mole approach to locking down systems. It’s easy to forget about a breach after it’s cleaned up and the headlines simmer down. Then a more sophisticated breach hits, and another policy is added. The cycle goes on.

Adding disparate policies every time a security incident occurs is a poor cybersecurity practice that will create more work in the long run. With technology evolving as fast as the viral trends on social media, school IT administrators are doing all they can to secure network access while allowing permissions for authorized users. They’re also tasked with facilitating remote and hybrid learning and implementing the tools and apps that support it. Policies are not agile enough for this dynamic technological environment. 

Schools Need Policy Enforcement for Better Password Management

A proactive approach would be to implement solutions that have policy enforcement baked in. Security policies need to find a balance between usability and effectiveness or they won’t be adopted in the first place.

Passwords can fulfill the rules and still be weak, and the requirements to create them can be complex. For example, using initials and a birthday might meet the requirement for numbers, uppercase and lowercase letters and special characters, but sophisticated methods for cracking these codes put data at risk.

Fatigue surrounding passwords and cybersecurity doesn’t help. Given the lack of user training and how often security incidents are connected to password breaches, doing the bare minimum is no longer sufficient. Advanced password protection should be standard operating procedure in our public schools.

As the line between physical security and online security narrows, every perimeter must be sealed. Strengthening password management with multifactor authentication is an affordable and necessary first step.

Creating unique and complex passwords for every online account is a standard security best practice that needs to be continuously enforced, but resistance to doing so often stems from the friction involved in implementing stringent security measures. 

Password Managers Are Simple, Cost-Effective Tools

With all the ed tech initiatives in K-12 education, it stands to reason that security and privacy would be baked into the curricula as well as the back-end technology systems and infrastructure that keep these institutions running. Multifactor authentication is now critical.

In a 2021 meeting at the White House, technology executives said deploying two-factor authentication decreases the risk of a cyberattack or a data breach by over 80 percent. And earlier this year, the Cybersecurity and Infrastructure Security Agency released a report targeted at K–12 recommending MFA as a crucial cybersecurity best practice.

K-12 organizations rarely have the resources to procure and implement the most expensive solutions to meet their cybersecurity needs, which are often as complex and demanding as those of private companies. However, as threats become more sophisticated, reliance on legacy systems won’t suffice.

Schools must implement unique solutions that are cost-effective and easy to adopt, and that protect against the most common risk factors leading to these damaging attacks. Password managers are a simple, affordable solution with inherent credential management that goes far in policing who gets access to what.

Trusted Partners Can Help Navigate Limited Budgets to Boost Security

Procurement teams can source and compare credible and secure authorized solutions through trusted programs that help reduce the duplicative efforts, inconsistencies and cost inefficiencies that beset cybersecurity in public education. For example, by working with StateRAMP authorized solution providers, K–12 education organizations can comply with the zero-trust cybersecurity directives outlined in the White House’s National Cybersecurity Strategy released in March 2023. These directives set standards for the highest levels of security and privacy. 

The challenges are increasingly complex — from limited budgets to staff shortfalls — but new commitments of funding and grants to increase cybersecurity safeguards and training for K-12 schools this year present a great opportunity for IT administrators to improve their resources and modernize their approach to cybersecurity.
