K-12 Schools: An Easy and Lucrative Target for Cybercriminals
Cybercriminals are the apex predators of the internet, and like any predator, they pick off the member of the herd that has fallen the furthest behind. Where other industries have made strides in improving their security posture, K-12 schools in the US have yet to catch up.
How do I know this? In a former life, I sat at the helm under the moniker “Director of Technology,” which, more appropriately, should have been CIO. Don’t worry, I am not playing to my ego. I also could have carried the titles of Hall Monitor, Janitor, and any other operational support staff that a school might employ. Schools require their staff to wear many hats. That goes for everyone.
Where the Problems Lie
Schools have enough on their plate. They are far more concerned with bridging the learning gap than with securing data. They make technological investments in one-to-one device initiatives, interactive learning boards, and educational software. With their limited budgets, security just doesn’t fit into the agenda. Technical staffing is also slim. Many K-12 schools operate with few technical resources on the payroll, or they depend entirely on third-party managed IT service providers. Staffing for security is not even a consideration. “Security controls?” you ask. Also limited, and without the resources to actively monitor them, the controls that do exist have little impact regardless.
They’re a Treasure Trove
Think about it. Schools possess a plethora of personal data: everything from academic records and protected health information (PHI) to financial information, and it is not just the students who are at risk. Alumni, parents, and staff can easily fall victim, because all of their information is maintained in one centralized system: the student information system (SIS). The SIS, not to be confused with a learning management system (LMS), is the administrative hub where student data is readily accessible. Academic records, disciplinary actions, and medical history are all maintained as part of the student’s profile.
To make matters worse, data collected over the years can be scattered across systems and go unnoticed. Schools that supply teachers with computers often leave those devices unmonitored, with limited ability to manage them and no device encryption. Policies protecting the devices are weak, and it is not uncommon for teachers to use a school-issued device for their personal interests as well.
A Recipe for Disaster
Schools are a shiny object sitting in an open field with no one watching, which makes them a prime target for nefarious hackers.
Consider a student whose identity has been stolen. Children do not apply for credit or loans, and they do not undergo background checks, so it could take years before they even learn that their identity has been stolen. By then, determining the source of the theft would be next to impossible, which brings up another point. Remember those student information systems that I mentioned earlier? Well… many of them do not encrypt the data they store.
The situation may seem bad… because it is. Let’s look at the facts:
• Low security
• Lack of understanding
• Limited staffing and financial resources
• Lots of data, in one place, ripe for the picking
A single unencrypted database backup could contain tens of thousands of records and easily net more than a million dollars on a dark net marketplace.
5 Ways to Reduce the Risk of Your School Being Hacked
Vet the Product Vendors – When looking to acquire a student information system, ask questions about security. Have the vendor provide you with a list of the security features and measures they have taken to protect your data. Do not just take their word for it. Ask whether they have undergone an independent review, such as a third-party penetration test, and if so, whether they can provide you with the results.
Outsourcing – This is one of the biggest problems when acquiring a student information system, and when working with third parties in general. Whether or not a company outsources development may not be of great concern to you. However, many providers offer to import your historic data into their product after it is acquired, and that data entry is often outsourced out of the country. Ask outright whether data entry will be outsourced, and have your school’s attorney ensure the answer is written into the contract. If they do not outsource, ask about the vendor’s process and where your data will be stored. Your best bet is to prepare and import the data yourself.
Encrypt! – Everyone should take advantage of full disk encryption. Just about every platform now supports it, so there is no excuse. Schools that issue devices to their faculty should provision and enforce encryption, because devices do go missing. It happens, especially when there are students everywhere.
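Enforcing encryption only works if you can verify it. The script below is an added example, not code from the original article: it parses the output of each platform's own status tool (`fdesetup status` on macOS, `manage-bde -status C:` on Windows, `lsblk` on Linux) so an inventory job can list which school-issued laptops are not protected. The hostnames and tool output in `SAMPLES` are constructed for illustration; `check_local()` runs the real tool on the machine it is executed on.

```python
"""Audit full disk encryption on school-issued laptops (added example)."""
import platform
import re
import subprocess


def parse_fdesetup(text: str) -> bool:
    """macOS: `fdesetup status` prints 'FileVault is On.' or 'FileVault is Off.'."""
    return re.search(r"FileVault is On\.", text) is not None


def parse_manage_bde(text: str) -> bool:
    """Windows: `manage-bde -status C:` reports conversion and protection status.

    The volume counts as protected only when it is encrypted (fully, or used
    space only) AND protection is on; a suspended or in-progress volume fails.
    """
    encrypted = re.search(
        r"Conversion Status:\s+(Fully Encrypted|Used Space Only Encrypted)", text)
    protected = re.search(r"Protection Status:\s+Protection On", text)
    return bool(encrypted and protected)


def parse_lsblk(text: str) -> bool:
    """Linux: `lsblk -o NAME,TYPE,MOUNTPOINT`; True when the root filesystem
    sits somewhere below a dm-crypt (LUKS) layer in the device tree.

    Heuristic based on the tree indentation lsblk prints; good for an
    inventory report, not a formal proof that every partition is encrypted.
    """
    crypt_indent = None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        indent = len(line) - len(line.lstrip())
        if parts[1] == "crypt":
            crypt_indent = indent
            continue
        if crypt_indent is not None and indent <= crypt_indent:
            crypt_indent = None  # left the crypt subtree (sibling or new disk)
        if crypt_indent is not None and len(parts) >= 3 and parts[2] == "/":
            return True
    return False


PARSERS = {"Darwin": parse_fdesetup, "Windows": parse_manage_bde, "Linux": parse_lsblk}
COMMANDS = {
    "Darwin": ["fdesetup", "status"],
    "Windows": ["manage-bde", "-status", "C:"],
    "Linux": ["lsblk", "-o", "NAME,TYPE,MOUNTPOINT"],
}


def check_local() -> bool:
    """Run the native status tool on this host and parse its output."""
    system = platform.system()
    if system not in PARSERS:
        raise RuntimeError(f"unsupported platform: {system}")
    out = subprocess.run(COMMANDS[system], capture_output=True, text=True).stdout
    return PARSERS[system](out)


def audit(captured: dict) -> list:
    """captured maps hostname -> (platform name, captured tool output).
    Returns the hostnames whose system disk is not protected, sorted."""
    return sorted(h for h, (sys_name, out) in captured.items()
                  if not PARSERS[sys_name](out))


# Constructed sample output, as an MDM or login script might have collected it.
SAMPLES = {
    "lab-mac-07": ("Darwin", "FileVault is On.\n"),
    "teacher-win-12": ("Windows",
        "Volume C: [Windows]\n[OS Volume]\n"
        "    Conversion Status:    Encryption in Progress\n"
        "    Percentage Encrypted: 41.0%\n"
        "    Protection Status:    Protection Off\n"),
    "lib-linux-02": ("Linux",
        "NAME            TYPE  MOUNTPOINT\n"
        "sda             disk\n"
        "├─sda1          part  /boot\n"
        "└─sda2          part\n"
        "  └─luks-root   crypt\n"
        "    └─vg-root   lvm   /\n"),
}

if __name__ == "__main__":
    print("unprotected in sample inventory:", audit(SAMPLES))
    print("this host protected:", check_local())
```

Run it from a login script or MDM "custom attribute" and collect the result centrally; a device that reports unprotected should be blocked from the SIS until it is fixed, since "encryption in progress" on a laptop that is about to be left in a classroom protects nothing.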
Only Collect What You Need – Unbelievably, many schools collect an unnecessary amount of data, and they never purge irrelevant data. Schools used to use social security numbers to identify students, but today the majority simply assign a student identification number, and parents can decline to provide a social security number at all. The same goes for birth certificates, race and ethnicity, and religious information (some private schools do ask for this). For starters, do not collect it. If you collected that information in the past, purge it.
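Purging is easier to say than to do when years of exports and spreadsheets are scattered around the district. The following is an added example, not code from the original article: it scans an SIS CSV export, flags columns by name against a deny list (the list itself is a policy assumption drawn from the fields named above) and, separately, by content, so a column of social security numbers hiding under a harmless header like `alt_id` is still caught, and then writes a copy with those columns removed. The sample rows are constructed.

```python
"""Flag and purge fields a school should not be keeping (added example)."""
import csv
import io
import re

# Policy assumption: field names the district has decided not to retain.
DENY_LIST = {"ssn", "socialsecuritynumber", "birthcertificate",
             "religion", "race", "ethnicity"}
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def norm(name: str) -> str:
    """Normalise a header for comparison: 'Social Security #' -> 'socialsecurity'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def flag_columns(headers, rows):
    """Return the sorted list of column names that should be purged."""
    flagged = {h for h in headers if norm(h) in DENY_LIST}
    # Content scan: if at least half of a column's non-empty values look like
    # an SSN, the header name is irrelevant; the data is what matters.
    for h in headers:
        values = [r[h] for r in rows if r.get(h)]
        if values and sum(bool(SSN_RE.match(v)) for v in values) / len(values) >= 0.5:
            flagged.add(h)
    return sorted(flagged)


def purge(headers, rows, flagged):
    """Drop the flagged columns from every row."""
    keep = [h for h in headers if h not in flagged]
    return keep, [{h: r[h] for h in keep} for r in rows]


def minimize_csv(text: str):
    """Return (flagged columns, purged CSV text) for one export."""
    reader = csv.DictReader(io.StringIO(text))
    rows = list(reader)
    headers = reader.fieldnames or []
    flagged = flag_columns(headers, rows)
    keep, cleaned = purge(headers, rows, flagged)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=keep)
    writer.writeheader()
    writer.writerows(cleaned)
    return flagged, out.getvalue()


# Constructed sample export: an SSN column, a second SSN column under a bland
# name, and a religion field that should never have been collected.
SAMPLE_EXPORT = (
    "student_id,last_name,first_name,grade,SSN,alt_id,religion,emergency_phone\n"
    "100234,Rivera,Ana,7,123-45-6789,,Catholic,555-0101\n"
    "100235,Chen,Marcus,8,,987-65-4321,,555-0102\n"
)

if __name__ == "__main__":
    flagged, cleaned = minimize_csv(SAMPLE_EXPORT)
    print("purged columns:", flagged)
    print(cleaned)
```

Two caveats a practitioner should keep in mind: cleaning an export does nothing for the live database, the vendor's copy, or the backups that still hold the original, so the same column list has to be applied there too; and the content check is a heuristic, so review what it flags before deleting, and extend the pattern list (dates of birth, passport numbers) to match what your own exports contain.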
Managed Services – I am not promoting any particular service provider. I am simply recommending that you look into getting a reputable managed security services provider. If you lack the capability to do something in-house, augmenting your capability with third-party expertise is a great way to save money and get some degree of protection. A managed service provider is not going to be a silver bullet, but they will monitor your environment and notify you of malicious activity. Some also offer response services, where they will take action in the event of a security incident.
Schools are an easy target. The recommendations outlined above are no silver bullet, but they are important considerations that are often overlooked. In the end, the best defense is education. Understand the threats, understand your environment, and understand your needs. That is the best starting point, and the only way you will mitigate the risk of your school being hacked.
James Taliento is the founder and principal consultant of Cursive Security, a New York based cyber security services consultancy.