Still, MFA can make a very real difference. When President Joe Biden met with key executives from technology companies last year, they noted that multifactor authentication can help prevent 80 to 90 percent of cyberattacks.
Unfortunately, cyberattacks including ransomware, data breaches and business email compromises remain clear threats to K–12, as noted in a 2021 report from the K–12 Cybersecurity Resource Center and the K12 Security Information Exchange. In 2020, the report shows, the number of disclosed K–12 incidents grew from 49 in the first quarter to 132 in the fourth quarter.
Consider Options for Your District
What can you as a K–12 administrator do as you wait for funding, additional employees and approvals? First, you may be pleasantly surprised to learn that the vendor you already use for sign-on (Microsoft, Google, etc.) may already have an MFA solution ready to go, with minimal or no additional licensing costs.
MFA functionality runs the gambit from cheap (but perhaps more difficult to configure) to expensive (and more streamlined). Both Microsoft and Google offer inexpensive authentication solutions that are common in K–12 environments and offer MFA as part of existing license agreements. If you want more advanced features, such as conditional access, they will cost extra.
Other vendors also provide advanced services in this space while maintaining ease of use. Cisco Duo offers features such as an MFA self-service portal and simplified deployment. Larger organizations may be interested in Okta, as it can provide full identity roles management and detect viruses based on suspicious behavior.
Stage MFA Based on Priority Groups
Much of the risk to a school district boils down to two things: theft of information and destruction of resources. You should address influential and high-risk accounts with MFA first, then move on to stage MFA for your other users.
In my district, Seattle Public Schools, where we have 52,000 students, we used a phased approach to implement MFA. I recommend you do the same, and I suggest that you address district groups in the following order:
Start with your IT staffers, so they can work out the bugs. Next, leverage your annual phishing exercises and apply MFA requirements to those who fail. Then, require MFA for accounts that control sensitive data and money, such as payroll, HR and accounts payable. School board members, principals, and executives with authority and trust should go next. Last, require MFA for classroom teachers and remaining staffers. Students can opt in to MFA.
Don’t forget to activate MFA for the school social media apps such as Twitter and Facebook.
Ease Adoption Through Advanced MFA Options
If you pay for more advanced MFA options, you could also choose to block MFA prompts when the account is being used from a campus location. This on-campus exemption approach increases risk somewhat but also greatly increases acceptance and adoption.
Also, get your union leadership involved early in the testing and planning stages, so it can guide your work. Ours was immensely helpful both in helping us tune our communications and craft an appeal/exception process.
Educate Staff on the Risks of Stolen Passwords
How do you convince people to use MFA if your cyber insurance carrier mandates it? Invite them to visit this eye-opening site: haveibeenpwned.com using email@example.com as well as their own email accounts. (Yes, it is a trustworthy website.)
Over the past 10 years, both League of Legends and Evite have seen major thefts of K–12 passwords. Wide-reaching cyberattacks accomplished via bugs like Heartbleed and vulnerabilities like Log4Shell continue to threaten vendors and websites on a regular basis. The Spam Auditor blog reports that large volumes of passwords are being sold on the dark web.
Because of COVID-19, more district staffers are working remotely. If a district exposes tools like VPNs or remote access without MFA, it increases the chance of a districtwide ransomware attack. At any point, you should assume more than 7 percent of your passwords have been stolen and can be used against you.
It is worth reminding staffers that stolen district account passwords can potentially be used remotely to change grades, redirect paychecks to criminal bank accounts, and search the district’s shared files for sensitive data to use in ransom and blackmail threats.