Security

Legacy Technology and Systems Open the Door for Cybercriminals

Human error accounts for some cybersecurity challenges in K–12 districts, but outdated tech also leaves school networks vulnerable.

Akilah Willery

Twitter

Akilah Willery, education strategist for CDW•G, is a former instructional technology executive director with more than 20 years of experience in K–12 education. She has led a long-standing virtual school program and guided districts in making the pivotal pandemic shift to remote learning.

Legacy devices and legacy systems commonly provide opportunities for cyberthreats to enter the school’s network in two instances: when they are not or cannot be updated.

Frequently in K–12 settings, and across many industries, end users choose not to shut down their computers. While it may make life easier in the short term, this prevents the device from installing necessary updates. When the device does shut down or restart, all of the updates will try to go through at once, resulting in a long wait.

Shutting down devices frequently not only prevents these backups, but also keeps users safe. Software engineers create and push out these updates when there’s a vulnerability in the system. The patches close off that vulnerability.

Eventually, however, a device or system will reach a point where it can’t be updated, and that will make it even more susceptible to cyberattacks. Here’s what that might look like for K–12 institutions and how IT teams can take preventive steps to keep users safe.

Click the banner to access cybersecurity resources from CDW for your K–12 district.

Old Operating Systems and Devices Can’t Install Necessary Updates

The vulnerability in legacy devices and operating systems is that they can’t update appropriately. They reach a point where they don’t have the computing power to run and install new updates. This means known weaknesses in the systems can’t be patched, leaving the doors open to cyberthreat actors.

When new OSs are released, some users push back against updating because they fear it will wipe their machine. It’s important to remember, and to remind staff, that these OS updates are released for security reasons. A smooth transition across the entire organization can help keep the network safe.

Additionally, with rapidly advancing technology, end users’ refusal to use new releases means their systems won’t be able to run programs when they are updated and become incompatible with the old OS.

MORE ON OPERATING SYSTEMS: Chrome OS Flex extends the life of district hardware.

Outdated OSs and devices — laptops, servers and even printers — can also be a huge drain on the IT department’s time. Legacy technology requires a lot more maintenance, and IT admins must work harder to keep these systems alive. If a district is holding on to an old server, for example, because it runs one program that no longer serves a purpose, it may not be worth keeping. Schools should do audits regularly to see if programs are still being used; these audits can help to improve the district’s security.

In addition, committing to annual evaluations of various ed tech tools can help districts make informed decisions about whether legacy software programs are worth renewing. Older online programs may also need to be evaluated for security concerns, especially if they were created to be compatible with old OSs. IT teams should determine whether older software is still supported by the original manufacturers. If not, users could find themselves with no way to update or troubleshoot when problems occur.

Give K–12 IT Admins Visibility into Vulnerabilities

Annual audits can help districts determine what tech they need to keep, and what they can let go. A solution’s usefulness should be weighed against its cost. Often, with legacy technology, it’s more beneficial to find updated programs and devices. This not only ensures staff members are working with the latest tech, but also keeps the school safe. Regular usage reports and progress monitoring can help districts make the difficult decision of whether an online business or instructional tool is still serving a purpose. By strategically abandoning old programs, districts can find cost savings.

KEEP READING: Improve business continuity planning with these key considerations.

Districts should also maintain a data privacy agreement that software companies are willing to honor annually. These data privacy agreements should protect the personally identifiable information for all the users of the software, with the companies agreeing not to sell or distribute that data during or after the contract period.

On the hardware side, device refresh cycles prevent technology from becoming too outdated. Proactive IT teams can turn to partners to assist with maintaining the cyberhygiene of student and staff devices. CDW provides solutions for mobile device collection, wiping hard drive data and updating systems during the crucial summer months when IT teams are preparing for the new school year.

Audits and refreshes also allow the IT department to see what’s happening under their own roof. Corporate organizations frequently have strict software adoption policies, where nothing is assumed to be safe and every new technology or program must be approved on multiple levels. In K–12 institutions, it can be much more difficult for IT admins to keep track of who is using what, which is why audits and refreshes are helpful.

Districts concerned about their cybersecurity posture, and those looking for an easier path to cybersecurity insurance, should work with a third party on a risk assessment and penetration testing. Pen tests can help schools identify vulnerabilities in their system, whether it’s a user who refuses to upgrade to Windows 11 or a 10-year-old laptop that can’t handle another update. These vulnerabilities do not simply go away or become less of a problem over time. Instead, they compound growing cybersafety issues that school districts must give attention to before it is too late.

This article is part of the “ConnectIT: Bridging the Gap Between Education and Technology” series. Please join the discussion on Twitter by using the #ConnectIT hashtag.