School leaders are now adding monitoring their security posture to their list of priorities.
A school’s security posture, or cybersecurity readiness, is a key element of its overall organizational health. As the list of priorities for maintaining healthy schools continues to grow in length and complexity, school leaders are working hard to balance a focus on the instructional vision of their school, the culture for students, strategies for communicating and engaging with parents, and plans for coaching, supporting and celebrating their teachers. In addition to paying attention to these key factors in a school’s ability to accomplish its mission, leaders find themselves needing to make time for managing the operational elements of school life. Tasks like reviewing safety plans and implementing strategies for mitigating cybersecurity risks and improving their security posture are then added to the growing to-do list.
Integrating technology into schools and classrooms has had a positive impact on student learning.
Even though it can feel difficult for school leaders to take the time to focus on their school’s security posture, the necessity of time and attention for this particular aspect of a school’s work is increasing in step with the increase of technology integration into classrooms. Even before the COVID-19 pandemic, schools were using technology, more and more, to support learning. The pandemic accelerated a shift that was already underway and made the need for online instructional platforms and hardware like Chromebooks and iPads urgent. Instead of using technology to simply improve student learning, suddenly tech integration became the only way to make learning possible.
Now that students are back to in-person learning, many of the innovations and benefits brought on by these new tech tools continue to be impactful. Many of the advances and best practices from the pandemic are here to stay and have been adapted for in-person instruction. For example, the use of Google Classroom grew significantly in 2020 and 2021. Even with a return to the normalcy of in-person instruction, teachers find Google Classroom to be a valuable tool making it easier for them to distribute and collect assignments, for students to collaborate with each other, and for parents to remain in the know about student assignments. The continued use of these technological tools in the regular learning environment is supporting student engagement and subsequently achievement.
Cybersecurity incidents at schools are growing in frequency and significance.
This increase in technology use in the classroom and in schools is great. Well-integrated technology can be used to power a school’s mission. While there are many positive impacts, one issue is that this growing reliance on technology can expose schools to cybersecurity incidents. Schools house a massive amount of sensitive information about students, families, and staff. Student and parent email addresses, birth dates, social security numbers, staff payroll and tax information, grades, and personal health information, are a few of the many types of data that schools are entrusted with and responsible for safeguarding.
Because of this trove of sensitive information and because schools don’t have the same resources dedicated to cybersecurity as larger companies, bad actors have set their targets on the education community. Ransomware attacks – where hackers hijack a school’s data and refuse to return it until they receive payment – were the largest category of school cybersecurity incidents in 2021. In these incidents, if payment isn’t received – or in some cases even if it is – hackers will post the hijacked data to the dark web where it becomes available for anyone willing to pay to access it.
Even some third-party vendors who work with schools are seeing an increase in cyberattacks. Earlier this year, Illuminate Education – a software vendor for New York City public schools for tracking grades and attendance – experienced a data breach during a cyberattack that compromised the data of over 800,000 current and former students.
The way forward is obviously not to limit the integration of technology in schools. Instead, it’s critical for schools to monitor their security posture and to take steps that safeguard their data from cybercriminals.
Multi-factor authentication improves a school’s security posture by providing a crucial additional layer of protection.
Multi-factor authentication (MFA) is an additional validation prompt when logging into an account. The prompt typically arrives via text message or authenticator app and verifies a user’s identity before allowing access. Instead of using only the standard login credentials (i.e., username and password), MFA adds another layer of protection. Additionally – without MFA – if one account is compromised, particularly if a staff person uses the same password across multiple sites or software, it’s possible that all systems could become compromised.
According to Microsoft, the extra layer of protection provided by MFA can block over 99.9% of account compromise attacks. While there isn’t a magic wand that schools can wave to eliminate their cybersecurity risks, implementing MFA in schools is high on the list of key mitigation strategies.
Not ready to enable MFA for all staff across all platforms at once? No problem. Schools have options for prioritizing an MFA rollout.
Increasingly, schools are making use of multi-factor authentication. Some cybersecurity insurance carriers have even started requiring school districts to use it. For schools that don’t already have a schoolwide MFA policy, it can feel overwhelming to figure out where to start. The good news is that there are multiple ways to phase in MFA usage for schools that might not be ready for a one-time rollout.
One option would be for a school to identify the roles that have access to the most data or the most sensitive data – like school leaders, school operations staff, or members of the HR team – and to begin the rollout for those roles first. Another option might be for a school to identify the software or applications that contain the most sensitive information – like student information systems or HR software – and start by rolling out MFA for those accounts.
In terms of gaining access to MFA account features, many of the platforms that schools already use for sign-on – like Microsoft and Google – already have an MFA solution with minimal or no additional costs to use it.
Staff training will also be a necessary step in the implementation process. Most staff members will likely be familiar with the concept of MFA from using it with their personal accounts like email or banking. Given this, staff training likely won’t need to spend a lot of focus on what MFA is. Instead, training can focus more on how to configure and/or enable MFA for particular accounts and on emphasizing why MFA is so important for schools. With so many competing priorities on staff time, the MFA process can feel like adding one more step or one more responsibility in a stressful time. Everyone in a school plays a role in strengthening its security posture, so ensuring that staff understands the importance of these security measures will motivate them to play their part in keeping the school’s data safe.
At CTS, we help clients protect their learning environment and strengthen their security posture.
Assessing your school’s security posture and taking the necessary steps, like implementing multi-factor authentication, takes time and effort. With all the other pressing demands of the day-to-day work of schools, it can feel hard for school leaders to carve out the space needed for this critical work. This is a place where outsourcing can help. At CTS, we work with our schools to strengthen their security posture and mitigate the cybersecurity risks that can disrupt education. Our managed IT services have supported more than 40 schools in securing their student, staff, and broader network data. Contact us today to learn more about how we can keep your school’s data safe, so you can focus on accomplishing your school’s mission.
