3 critical elements of a K-12 cybersecurity strategy

School IT leaders are facing a number of cybersecurity challenges that have emerged as education becomes more connected

Technology has significantly changed the classroom experience over the last decade, with the ubiquity of the IoT, mobile apps, and teleconferencing ushering in a new era of instruction and learning. What’s more, this sea change shows no sign of abating—case in point, late last year Roblox announced plans to reach 100 million students in the metaverse by the end of the decade. As K-12 institutions invest in emerging technologies and platforms, it’s critical that they not overlook cybersecurity concerns.

There are numerous cybersecurity challenges emerging in the connected education age, but following are some of the most pressing:

Increasingly Sophisticated Phishing Campaigns

Phishing has been a perennial security concern for the K-12 sector, but it’s become more pressing in recent years. With a plethora of free email services such as Gmail, Yahoo, and iCloud and access to personal information from social media and other online platforms, it’s incredibly easy for hackers to create fake accounts impersonating school personnel. These can then be used to target other district employees, students and families, or external companies with whom the school frequently works. While these are all bad scenarios, they can generally be addressed through education and, if they do occur, handled internally without requiring public disclosure.

However, hackers have become more sophisticated in their attacks on the K-12 sector and are increasingly launching “spear-phishing” campaigns, in which they can spoof the email domain of their intended victim. Bad actors first identify the district employees with financial authority and their contractors, and then use phishing emails to change contractors’ payment routing information, access sensitive data or additional user accounts, or activate malware in the network, to name just a few.

This can be a highly lucrative attack method; according to a recent report by the K12 Security Information Exchange and the K-12 Cybersecurity Resource Center, $9.8 million was stolen from a single school district via a phishing attack last year.

Schools need a layered cybersecurity approach to combat the phishing threat but, at a minimum, it’s important to ensure that firewalls are enabled, that anti-virus and anti-malware are installed, and that all patches are up to date. Another best practice is turning on the multifactor authentication features available in select browsers to further protect against attacks.

New Vulnerabilities Introduced by Third Parties

As schools grow increasingly digital, they are interacting with a wider array of external partners, suppliers, and software providers. This, in turn, opens them up to new threats as bad actors target these companies with the ultimate goal of breaching a school or district’s system. The K-12 Cybersecurity report found that at least 75 percent of the data breaches affecting K-12 districts in 2020 stemmed from incidents involving vendors and other partners.

Schools should ensure they have an updated list of approved apps and software and allow only those apps to connect to user accounts in order to get ahead of these threats. In addition, they must implement a robust process for evaluating any new technology against key security criteria prior to authorizing access to students, teachers, or staff. Depending on the size of the school or district, another consideration is investing in automated tools to audit and sanction third-party apps, as this can alleviate the burden on stretched IT departments.

The Human Element

Another prime security challenge is threats unintentionally introduced by students, staff, vendors, and partners. For example, it’s a relatively common practice for people to employ the same password across multiple online accounts. If just one of these accounts was breached in a prior attack, there’s a good chance the associated password is known to hackers. The legacy enterprise approach to credential security was to enforce complex passwords, including numbers and special characters, but the National Institute of Standards and Technology, or NIST, has outlined numerous reasons why this practice actually results in weaker passwords. Nor is it realistic to expect an elementary student to remember a long, complex password.

A better approach is to invest in credential screening solutions that check for compromise when passwords are being created and continually thereafter with intelligence from the latest data breaches. This allows K-12 schools to ensure that no exposed credentials are in use without imposing complexity requirements. In addition, because this screening can be entirely automated, there is no additional work required on behalf of the IT team.
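As an added illustration of the credential screening described above (example code written for this page, not code from the article or from any vendor product), the following Python models the k-anonymity range-lookup pattern that breached-password services use: the client hashes the candidate password locally, sends only the first five hex characters of the SHA-1 hash, and matches the returned suffixes itself. The breach corpus and exposure counts are constructed stand-ins for real breach intelligence.

```python
import hashlib
from collections import defaultdict

# Constructed sample corpus (not real breach data): plaintexts we pretend
# were exposed in earlier breaches, with made-up exposure counts.
CONSTRUCTED_BREACHES = {"password123": 120000, "Welcome2023!": 340, "Go-Tigers-2019": 12}


def sha1_upper(password: str) -> str:
    """SHA-1 hex digest, upper-case, as used by range-lookup services."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breaches: dict) -> dict:
    """Index the corpus by 5-char hash prefix -> {suffix: count}, as a range API would."""
    index = defaultdict(dict)
    for pw, count in breaches.items():
        digest = sha1_upper(pw)
        index[digest[:5]][digest[5:]] = count
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACHES)


def range_lookup(prefix: str) -> list[str]:
    """Stand-in for the server side: return 'SUFFIX:COUNT' lines for one prefix."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 upper-case hex characters")
    return [f"{suffix}:{count}" for suffix, count in RANGE_INDEX.get(prefix, {}).items()]


def breach_count(password: str, lookup=range_lookup) -> int:
    """Client side: only the hash prefix leaves the client; suffix matching is local."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def password_allowed(password: str, min_length: int = 8) -> tuple:
    """Screening decision at creation time: length floor plus breach check, no complexity rules."""
    if len(password) < min_length:
        return False, "too short"
    seen = breach_count(password)
    if seen:
        return False, f"seen in {seen} breached records"
    return True, "ok"


def add_breach_intelligence(new_passwords: dict) -> None:
    """Simulate a new breach feed arriving; passwords are rescreened at the next login."""
    for pw, count in new_passwords.items():
        digest = sha1_upper(pw)
        RANGE_INDEX[digest[:5]][digest[5:]] = RANGE_INDEX[digest[:5]].get(digest[5:], 0) + count
```

Because the screen is keyed on the hash, a password that passed at creation can be rejected later once new breach data lands in the index, which is the "continually thereafter" part of the approach.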

Recent technological innovations hold great potential for the K-12 sector. However, in their rush to explore these opportunities, it’s critical that districts and schools also ensure that basic security considerations are addressed. Otherwise, it’s akin to rolling out the welcome mat for hackers—and this welcome mat will only grow larger as new technologies are introduced.

eSchool Media Contributors