Education is one of the most often targeted sectors for cyber threats, and a recent study ranked schools as having one of the highest rates of incidents. Many schools and school districts struggle to attract more funding and make ends meet, so digital threats are the least of their concerns. This sort of incident can seem ethereal and inconsequential, but threats to education’s digital infrastructure are threats to their staff, faculty, student body, and even their funding or bottom line.
School Server Protection
Some schools expect that most threats will target their student records, but a significant enough portion of hackers are more interested in employee records and administrative information. Human Resources records include W-2’s, which contain valuable tax information in almost any industry. Criminals will acquire these documents early in the year so that they can file fraudulent tax returns and have the return sum sent to them. While student records should be your top priority for state and local compliance, usually this information is not as valuable to cyber criminals with the exception of any included student medical records.
Per the scam discussed above, about 70% of cyber crime targeting education is motivated by financial incentives. However, an additional 20% of attacks on schools are a form of espionage. This information shocked us as well. Schemes such as the W-2 scam specifically target education institutions because of their necessary transparency, so it would seem counterintuitive that institutions turn to hacking for information gathering. The only solace is that most of these attempts target universities rather than high schools or lower. 72% incidents of outage or breach were due to hacking rather than human error. IT departments of educational institutions should keep this in mind when prioritizing equipment purchases and training.
Student Data Comes First
As we have mentioned, the inclination to “think of the children” first may be erroneous for this topic. Hackers are rarely motivated to target that data unless it shows significant monetary value or if the hacker themselves has a personal affiliation with the school. Your state regulations for handling student records will include rules regarding how long to maintain a student record, who must or must not have access, and how to transfer transcripts between institutions. So most organizations already have solutions and contingencies in place to cover compliance.
For all other records on file, if you haven’t extended the protective measures to these repositories, you are putting very valuable data at risk that sees heavy attacks on a daily basis. What’s more, not every state has an up-to-date regulatory law for student information, in which case your school or district should take it upon themselves to discover the most updated means of security. This due diligence can benefit not just the students but the teachers and the administrative staff.
Content Management is for All Departments
In order to save files from human error, regular backups must be scheduled for as often as possible. If regulatory compliance allows for it, consider backing up to multiple environments: such as locally, in the cloud, and on external drives. In addition to a monitored backup schedule, establish an access log at every terminal and workstation. Give login credentials to each staff member individually and train them about choosing secure passwords and not sharing their login information. If you are still worried about access from irresponsible or inappropriate parties within your organization, then you need to invest in document or content management.
Whether in the cloud, installed on-premise, or implemented in a hybrid environment, a content management solution solves multiple security problems at once. Contentverse has double layered encryption to keep your data safe from third parties trying to access the database. User access permissions can keep students and other department staff out of folders where they don’t belong. The solution also provides the option to assign a security manager for controlling that access. And with audit trail, redaction options, print-screen prevention, and version retention, compliance is not an issue when implementing content management for your formidable database of student, administrative, and personnel records.
Outside Threats vs Internal Threats
There are some key projects that must be undertaken to ensure data security and to prevent loss through disorganization. In order to implement most of these protection methods, you need at least some sort of dedicated IT team. Most big districts will have at least one systems and server expert who can spearhead these projects.
For any measures that can be taken at the system or network level, start by closing off access to outside parties. This entails taking many systems offline and disabling internet access either for those workstations or for those filing structures. If the latter, you will need to separate any necessarily online systems from the offline infrastructure. Sometimes this means completely separate servers, but it could also entail entirely different Local Area Networks. If your data is hosted by a third party, then do not use a multi-tenancy cloud server. In searching for a hosting provider, choose one who will allow your files or system to be installed on discreet drives.
An Ounce of Prevention
This is the name of the game: preparation and prevention. Too many schools wait to update their system until a data breach happens. By then, the damage has been done. Education is one of the most targeted sectors for cyber threats. If your school takes the security and privacy of its students and faculty seriously, then it’s obvious what the next steps are.
A version of this article was published as Cybersecurity for K-12 Education on June 14th, 2018.