Security

Tech Alone Isn’t Enough to Secure K–12 Schools

Education institutions need funding to cover cybersecurity tools — and the human expertise needed to implement and manage them.

Tina Thorstenson

Tina Thorstenson is vice president of the industry business unit and executive strategist at CrowdStrike, where she provides strategic cybersecurity advisory services for organizations across all industry verticals. Prior to joining CrowdStrike, she served as CISO and deputy CIO at Arizona State University, capping a career of IT and security service spanning more than 28 years.

The education sector has a cybersecurity problem on its hands. Adversaries have ramped up attacks on K–12 schools and universities, using ransomware and double-extortion campaigns to target institutions with vast stores of data but limited means to protect their critical digital assets.

Today’s schools fully depend on technology. Inside the classroom, it supports teaching and learning; outside the classroom, it powers everything from door access to security cameras and bus schedules.

Federal initiatives, such as E-rate, were developed to help schools procure the technologies they need. However, even as schools face ongoing cyberattacks, the E-rate program has not been updated to cover the purchase of security and network defenses to protect those systems.

Implementing new technologies without necessary cybersecurity protections creates significant risks. If changes aren’t made, schools will continue to face disruption.

Double extortion is a common strategy of cybercriminals who steal data and share it on data leak websites. CrowdStrike noted an 82 percent increase in ransomware-related data leaks in 2021, underscoring the growing prevalence of these threats.

Click the banner to learn about the latest ed tech when you register as an Insider.

Technology alone isn’t enough to give schools the protection they need. Security products require trained staff to implement, operationalize and maintain them. They must also design reference architectures and update strategies and tooling as threats and technologies change.

Securing schools is a complex problem that demands innovation, technology, expertise and an openness to change. Education, like cybersecurity, is constantly evolving and requires people and products to do the same.

Balance K–12 Ed Tech Implementation with Teamwork

Focusing on innovation challenges the norm in a positive way.

I learned this firsthand as a technology buyer at Arizona State University, a school that has topped U.S. News and World Report innovation rankings for seven years running. I made an effort to avoid spending money on products that would just sit on a shelf, something IT execs call “shelfware.” It also became clear that purchasing technology without security was irresponsible, and ineffective at stopping breaches. We created a plan to fully fund both the technology and the expertise for any initiative we wanted to pursue.

When bringing in a new service, it isn’t enough to only buy the tools or to only hire staff without providing them the tech they needed to do their jobs. Schools must commit to both: best-in-class security technology and people to implement, operationalize and enhance these tools as required.

At ASU, we implemented an IT rationalization initiative: Each year, we went through a list of every asset with a security implication, no matter where in the organization it existed. We followed these assets closely to ensure security features were implemented, and each year we revisited these crucial questions:

Why do we have this software?
What can we do to fully implement the licenses we have?
Do we need more people to support this product?
Do we need this technology?
What do we need that we don’t have?

This type of process can give schools a broad view of security across the organization and allow them to adjust strategy as their needs and tooling evolve. It isn’t possible without the right products and expertise, which is exactly what today’s schools need to strengthen defenses.

As education institutions continue to face security threats, funding technology without proper protection is a recipe for disaster. Schools need security tools and trained staff to defend against advanced attacks.

Five Tips for IT Teams Working to Secure Schools

Creating a culture of cybersecurity awareness is essential to every school’s success. Within that risk-based approach — and the governance and architecture conversations that go along with it — a few key recommendations continue to prove invaluable as we build and maintain capable, effective security teams.

Refocus your tech funding. Unlike larger organizations, schools often lack resources to acquire technology and build out enterprise-grade security strategies. Create an IT rationalization initiative with your team and examine the products you’re using. Are there opportunities to use open-source products instead of paid software? Is there space to reallocate existing funds to a tool that would provide greater value?
Be ready to act. If an incident occurs, the only thing you can control is your response. Organizations are largely judged not by the attacker’s actions but by how they respond to a crisis. Put together an incident response plan; it is the most important step you can take as a security leader.
Protect your identities. Secure service and admin accounts with multifactor authentication and adopt a zero-trust approach in which you verify the user to access key systems and resources. Ensure only known entities can connect to your school’s environment.
Practice good hygiene. Ensure software is properly configured, eliminate unnecessary software and stay up to date with the latest patches. Sometimes adopting software that’s easier to maintain is the best path to proper security hygiene.
Control remote access. Avoid exposing server message blocks and remote desktop protocol ports to the internet and restrict the use of remote access tools. Controlling remote access is a comparatively simple precaution, but it continues to be an area where schools and universities could improve.

Schools face more cyberattacks than some other industries but often have significantly less funding to fight them. There are many cybersecurity resources and experts offering advice for anyone in the education space seeking to learn more about improving their security posture and responding to an attack.

Kobus Louw/Getty Images