All over the country, students are heading to school, unwittingly placing their personal data at risk. Schools, universities and colleges collect a wide range of sensitive data on each of their students. Digitized student data often includes health data, social security numbers, and birth dates, as well as financial, academic, and personal contact information. If malicious actors acquire even a few pieces of this data, the consequences for the student could be lifelong.
The problem is that once a breach occurs, not only is the damage done, but there is no stuffing that evil genie back in the bottle. K-12 schools, both public and private, run even higher risks, sending home paper forms asking for not only student data but data on the entire family. The lack of a secure method of transport and hard copy that passes through the hands of student assistants and multiple office personnel both increase the risk of data loss even before the information gets entered into the school's system.
Once a student's or family's data is in the wild, it's out there forever. The school might suffer short-term inconveniences, both financially and in terms of reputation, but the real tragedy is what it costs the individuals to whom the data belongs. A stolen identity due to a data breach can cause student loans to be delayed or canceled. A parent may find their accounts locked, or false tax returns filed in their name. The theft of their data may force them to spend their time contacting financial institutions and filling out reports for the Federal Trade Commission and the police. This is undoubtedly going to impact their school performance. Short-term hassles translate to long-term negative effects if their stolen data is used.
1) Data Inventory
A full inventory of all information systems classified by the confidentiality of the data stored on each plays a vital role in protecting your data. This creates a foundation for making risk-based decisions about what systems need what level of protection. Not all data needs equal protection. Limited resources require a risk-based approach, and that starts with knowing where the priority data is stored.
2) Automatic Endpoint Updates
Unpatched endpoints offer attackers easy access to an otherwise secure network. Failing to patch leaves software vulnerabilities that malicious code can exploit, which can allow escalation of privileges and result in a system takeover. Unpatched vulnerabilities also offer opportunities for malware embedded in innocent-looking websites or ads to slip into organizational infrastructure when visited by unsuspecting end-users. This opens your network up to rootkits, ransomware, and keyloggers, all of which endanger sensitive data and mission-critical systems.
Automating updates reduces risk by removing the human element from patch application. Systematically remediating vulnerabilities minimizes infrastructure risk. Central management of updates and patches further reduces vulnerability by allowing tracking to ensure no endpoints have been overlooked.
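The tracking described here builds on the data inventory from step 1. The following is an added example, not part of the original article: it reconciles a classified inventory against a patch report from a central management tool and lists overlooked endpoints, most sensitive first. Host names, dates, classification labels and the maximum patch ages are constructed assumptions.

```python
from datetime import date

# Constructed sample inventory: every system, classified by the data it stores.
INVENTORY = [
    {"host": "sis-db01", "classification": "restricted"},
    {"host": "nurse-laptop-03", "classification": "restricted"},
    {"host": "lab-pc-17", "classification": "internal"},
    {"host": "kiosk-02", "classification": "public"},
]

# Constructed sample report: host -> date of last successful patch run.
PATCH_REPORT = {
    "sis-db01": date(2024, 3, 10),
    "lab-pc-17": date(2024, 3, 20),
    "kiosk-02": date(2024, 1, 15),
    "lab-pc-99": date(2024, 3, 28),  # reports in, but is missing from the inventory
}

RANK = {"restricted": 0, "internal": 1, "public": 2}
# Assumed policy: the more sensitive the data, the shorter the tolerated patch age.
MAX_AGE_DAYS = {"restricted": 14, "internal": 30, "public": 60}


def overlooked_endpoints(inventory, patch_report, today):
    """Return (findings, unknown_hosts).

    findings: (host, classification, reason) for inventoried systems that never
    reported or are older than policy allows, sorted by sensitivity.
    unknown_hosts: systems that report patches but are absent from the inventory.
    """
    findings = []
    for asset in inventory:
        host, cls = asset["host"], asset["classification"]
        last = patch_report.get(host)
        if last is None:
            findings.append((host, cls, "never reported"))
        elif (today - last).days > MAX_AGE_DAYS[cls]:
            findings.append((host, cls, f"{(today - last).days} days since last patch"))
    findings.sort(key=lambda f: (RANK[f[1]], f[0]))
    unknown = sorted(set(patch_report) - {a["host"] for a in inventory})
    return findings, unknown


if __name__ == "__main__":
    findings, unknown = overlooked_endpoints(INVENTORY, PATCH_REPORT, date(2024, 4, 1))
    for host, cls, reason in findings:
        print(f"{cls:<10} {host:<16} {reason}")
    print("not in inventory:", unknown)
```

Hosts that report patches but are missing from the inventory matter as much as stale ones: they hold data nobody has classified.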
3) Patch Management for Mission-Critical Systems
Mission-critical systems such as servers require patch testing prior to updating due to the risk of service interruption. Several variables might impact patch application, causing extended downtime that would be intolerable for mission-critical servers and systems. Server configuration, custom or proprietary software, and even patch flaws can negatively impact the patch application.
A patch management program ensures that these systems get patched while protecting critical organizational processes from interruption. Test systems that mimic the production systems should be in place for patch testing to prevent unintended degradation of service. Once patch testing has been successful, patches should be scheduled for production environments as soon as possible to reduce the window of opportunity for attackers.
4) Multifactor Authentication
While a strong password policy for your network is essential, it won't prevent the use of credentials acquired via social engineering or phishing. Without multi-factor authentication, the user name and password are all the attacker needs to access the network. Requiring a second factor of authentication can be as simple as a digital key generated on the user's smartphone or another stand-alone device such as a key fob. The addition of multifactor authentication stymies the attacker because they now need a changing-value key kept on the end user's person. While this adds minimal complication for an end-user, it creates significant difficulty for an attacker. The result is a high-impact control with a relatively low-cost implementation.
5) End-User Awareness and Training
The human element is the weakest link in any cybersecurity program. The 2016 Enterprise Phishing Susceptibility and Resiliency Report noted that 91% of cyberattacks began with a phishing email. Educating the end-user on phishing, social engineering, and good password hygiene is an effective way to turn the end-user from a security liability into an asset. Training end-users to recognize and deal with threats prevents them from inadvertently handing off credentials or accidentally opening the doors for attackers. End-users who know to alert IT to suspicious activity can become an institution's first line of defense.
The education industry has long struggled to keep pace with emerging risks in an increasingly dangerous cyber landscape. Building a robust cybersecurity program is neither quick nor inexpensive. Proper tools and experienced security professionals cost significant amounts of money. It's easy for cybersecurity to fall off the radar until a breach happens, but by starting with a few practical steps and some substantial time investment, you can reduce the risk of that breach happening now.
While these practical steps will help mitigate cyber risk in education, we advise every organization to protect itself from the digital unknown with a cyber insurance policy that is customizable to their unique risk profile.