Securing Hybrid Learning in K-12 schools

iKeeping students, educators, and administrators safe in schools doesn’t end at classroom monitoring (anymore). In today’s remote and digital-first learning environment, it requires technology accountability, or the software to keep information safe and enable administrators to respond proactively to potential threats online.

We’re exploring a new frontier, and bandits abound. And, with hybrid learning being the new normal in education, cyber safety in schools has gone from a little explored topic to a mandatory bylaw in some states. This is good. However, are K-12 schools prepared to respond?

Ransomware Targets Schools

Ransomware attacks on education are on the rise, and last year saw a staggering 44% of schools fall victim. 56% of “lower education” or K-12 schools got hit by ransomware, which is just slightly under the 64% of higher education institutions (and those students are paying for their tuition). Encrypted attacks, in particular, have a 73% success rate within schools, and in response, 78% of educators have adopted cyber insurance.

According to one industry researcher, the attacks come for two reasons; one, schools are notoriously underprepared in terms of cyber defenses, and two, they hold a lot of valuable personal data on their students. It’s no wonder that lower education schools rank in the top three in terms of ransomware payouts. The average sum these taxpayer-funded institutions are paying to recover stolen data? $1.97 million.

Best practices for cybersecurity in education 

In the ongoing digital transformation, schools have adopted convenient new technologies while cybersecurity has gotten left behind. Consequently, “Schools are an attractive target for ransomware attackers because they often lack the resilient IT infrastructures…of other organizations,” says Dan Schiappa, CPO of Sophos.

And these ‘other organizations’ – who are arguably more well funded, defended and fitted with security solutions – are already falling prey to ransomware gangs like Darkside, Ryuk and REvil. What chance do schools have?

They have a better chance than they think. It is estimated that 93% of data breaches result from human error, and in a school district, that’s a big part of the problem. Students who lack cyber awareness and basic security training will click on treacherous links, fall victim to phishing scams, or even dabble in online piracy.

Thankfully though, human error – and the basic security issues that lead to so many of the problems – are easily and affordably solved. So if you’re a K-12 school with little training or resources, don’t worry. Most attacks exploit low-hanging fruit, so putting a plan in place to shore up basic defenses might deter opportunistic attackers more than you might think.

To help you with this are the CIS controls. Once referred to as the SANS Top 20, they present 18 recommendations to building a cyber-secure environment, and prioritize them based on Implementation Guidelines (IGs) for easy use. These are perfect for K-12 school systems who, before now, had little reason to invest heavily in cybersecurity.

“An IG1 enterprise is typically small to medium-sized with limited IT and cybersecurity expertise” and one that can’t handle a lot of downtime, says the website. So, a school, district or public school system, in other words. IG1 is all about security training and security awareness, and gives organizations with little cybersecurity background a great place to start. As the website states, “The Safeguards included in IG1 are what every enterprise should apply to defend against the most common attacks.” In addition, here are some more best practices that can help keep schools digitally safe and up-to-speed:

Ensure secure connectivity. Keep online activity protected through password protected campus networks and wireless.

Deliver end-to-end security. Protect data, research, and intellectual property by only providing access to those who are authorized. MFA – including biometrics, tokenization and app-based authenticators – can help ensure privileged access management so only those who need access to certain resources have it.

Transform operations using hybrid cloud. Deliver a range of student services, including health counseling, financial services, and academic advising in a hybrid mode, in addition to administration work and campus recruiting.

Create secure hybrid experiences. Utilize a cloud-based security offering to make sure that all your student data – in DropBox, Google Classroom, on online counseling services and shared between administrators – is as safe in the cloud as you would have it be in the classroom.

Fuel innovation. Connect and manage campuses together into a single network at high speeds across city, regional, national, and international locations.

These are great guidelines. However, to do any of these safely, you’ll need the right tools.

The most important security technologies to staying cyber secure

Today’s poorly protected hybrid learning environments give attackers plenty of places to hide. To combat this, you need a full view of your network traffic and the ability to stop attackers at the earliest signs of intrusion. After all, you don’t want to be one of the statistics paying nearly $2 million dollars in ransom.

Improving your school’s existing security technology – known as a “security stack” – starts with the basics.

●  Access management. With so many educational apps, online learning environments, and cloud-based storage systems like Box and OneDrive holding grades and assignments, you need something to make sure the ones accessing that sensitive information are the right ones. Duo provides multifactor authentication for students, teachers and any third-parties, and OneLogin SSO secures access to every app, letting you use single-sign on technology and user access management in the cloud.

●  Network traffic protection. Your students and faculty are accessing the internet constantly, and on their own devices. Umbrella lets you extend web filtering and internet security to all those devices, and gives you clou-native protection that you can have up and running within a day. And, the Cisco Umbrella Secure Internet Gateway (SIG) for Education package can help you stay compliant with CIPA and FERPA requirements for more granular visibility across the web.

●  Secure Wi-Fi. With Meraki, you can manage the Wi-Fi networks of all the schools in your district from one central location, all from the cloud. And, a secure Wi-Fi connection is key to ensuring child safety, making sure the only ones on the digital networks of your students are the ones who are supposed to be there – no uncomfortable surprises.

Wherever you are in your cybersecurity journey, Port53 is here to meet you at that level and help you take the next steps. We can help you implement the basics, all the way up to full cybersecurity maturity, and we specialize in small organizations. Did you know – we received the 2022 America’s Partner Program Award from KnowBe4, a leader in security awareness training. After working with thousands of K-12 clients, we have decided to put together a simple, yet effective, K-12 specific package to provide you with the security you need. Stay tuned for part two, where we’ll dive into tailored solutions – until then get in touch to learn more!