Since 1983 when I first saw WarGames and Matthew Broderick hacked into the school’s computer, I have been fascinated with technology. When I reflect on the past 35 years of working with technology and for a good portion of that time working on securing that technology for schools, I see it as an ever-evolving game of cat and mouse. Back in the 80’s and 90’s, it was more about keeping kids from breaking into schools’ Student Information Systems and file servers. Today, it is more about keeping bad actors (including some students) from installing ransomware and locking up the entire school’s ability to function.
One of the main challenges of any school is providing students with access to leading-edge technology, but at the same time still protecting the school’s network from both inside and outside threats. The key to gaining this safety is the point of this article. What are the steps that schools need to take today to be safe in an ever-evolving unsafe Internet?
People & Process
When I read most articles around security today, they are focused on the technology and, while that is critically important, they usually leave this part until last. In WarGames, Broderick’s character says, “They change the password every couple of weeks, but I know where they write it down.” Improving the education of your people about IT security and the processes around technology is the best way to help prevent an incident at your school. Many of today’s most damaging cybersecurity attacks have been started by a student getting a teacher’s password. Your training budget should include IT security training for faculty and administration at least annually.
The second of these is process. We have dealt with many schools that have had an email compromise in which a user was sent a fraudulent email asking for money via payroll changes, vendor bank account changes, or wire transfer requests from administrators. In all these cases, a simple phone call to the person initiating the unusual request would have been all it took to thwart the attack. Your school should have documented policies requiring a second form of verification for anything involving money.
If you have a Managed IT Service Provider like Spera Partners and/or a Managed Cybersecurity Provider then most likely you already have all these in place. If you do not, I cannot encourage you strongly enough to find one or both. It is very difficult for a school with limited resources to keep up with the pace of IT security today. If you do decide to undertake this, here are the 6 major components of a good security infrastructure.
Endpoint Security
This used to be called Antivirus software but today goes by Endpoint Security. It is often the first line of defense against attacks directed at a user’s PC, server, or even your Student Information Database. All devices that have an operating system (such as Windows) and are connected to your network should have this software – and it is required for most cyber insurance coverage. Today’s best vendors also offer protection from malware that attempts to propagate across the network and/or tries to encrypt your data. This software requires a subscription to keep it current and should update automatically. Ideally, it will have a central dashboard (today, most likely cloud based) that will enable you to see at a glance if everything is protected and current and if anything needs attention.
Network Security Appliance
Often just called a firewall, this is a device that sits between your network and the Internet that protects your network from various forms of attack. These devices can scan email and web traffic destined for your network, looking for active threats and blocking them before they even get to the internal network. This requires a monthly subscription. We also strongly suggest that you separate the student network from the administrator network to ensure that no enterprising students gain access to confidential information or restricted systems.
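One way to check that the student and administrator networks really are separated, shown as an added example that is not part of the original article. The subnets, the rule format and the rules themselves are constructed for illustration, and `student_to_admin_paths` and `is_segmented` are hypothetical helper names.

```python
import ipaddress

# Constructed addressing plan and rule set (assumptions, not from the article).
STUDENT_NET = ipaddress.ip_network("10.20.0.0/16")
ADMIN_NET = ipaddress.ip_network("10.10.0.0/24")

# Ordered, first-match-wins rules: (action, source, destination, port or None = any).
RULES = [
    ("allow", "10.20.0.0/16", "10.10.0.25/32", 443),   # students -> SIS web front end
    ("allow", "10.20.5.0/24", "10.10.0.0/24", 3389),   # leftover lab exception
    ("deny",  "10.20.0.0/16", "10.10.0.0/24", None),   # intended isolation rule
    ("allow", "10.20.0.0/16", "0.0.0.0/0", None),      # students -> Internet
]

def student_to_admin_paths(rules, student=STUDENT_NET, admin=ADMIN_NET):
    """Return allow rules that let some student address reach some admin address.

    Rules are read top down. A deny that covers the whole student network, the
    whole admin network and every port ends the scan, because no later rule can
    match that traffic. Narrower denies are ignored, so the result is
    conservative: it may list a rule that a partial deny already shadows.
    """
    findings = []
    for index, (action, src, dst, port) in enumerate(rules):
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        if not (src_net.overlaps(student) and dst_net.overlaps(admin)):
            continue  # rule does not concern student -> admin traffic
        if action == "allow":
            findings.append((index, src, dst, port))
        elif port is None and student.subnet_of(src_net) and admin.subnet_of(dst_net):
            break  # blanket deny reached
    return findings

def is_segmented(rules, approved=()):
    """True when every student -> admin allow rule is on the approved list."""
    return all(finding in approved for finding in student_to_admin_paths(rules))

if __name__ == "__main__":
    for index, src, dst, port in student_to_admin_paths(RULES):
        print(f"rule {index}: {src} -> {dst} port {port or 'any'} crosses the boundary")
```

Each reported rule is either a documented exception to add to `approved` or a path to close. Dropping the blanket deny makes the broad Internet rule show up as well, since `0.0.0.0/0` includes the administrator network.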
Email is the most common attack method today. Therefore, protecting your school’s email is critically important. If you are using a cloud vendor such as Microsoft or Google for your email, they are handling some of the threats as well as the spam attempting to come into your organization. You should also consider a secondary security vendor for increased protection. Microsoft, for example, offers a secondary level of protection called Advanced Threat Protection, and Google offers the Advanced Protection Program within the Google Workspace Admin console. Other security vendors offer to have your email routed to them first before it goes to your hosted email provider.
Two-factor Authentication (2FA)
This is becoming a critical requirement for email and access to critical systems as well as a requirement for most cyber insurance coverage. The majority of today’s Student Information Systems and Content Management Systems are cloud based. Username/Password security is no longer enough to protect these systems. Two-factor authentication offers a way to ensure the person logging in not only has the password but also possesses a device that provides a second login method. This can be a smartphone app or a text message. All critical school systems should have this login method.
System Recovery & Backup
Almost every school has some form of this already. Some still use tapes, network attached storage devices (NAS), or external drives. While these were sufficient for years, they are no longer good enough today. Bad actors have figured out that if all of your data is encrypted, you will just revert to your backups and not pay them their ransom. So, if they get on the network, in addition to encrypting your server and PC data, they also encrypt the backups. To protect against this, you need an air-gapped backup. This can be a cloud-based system that has a unique username and 2FA login; alternatively, your backups could be housed offsite using another method. The key is that this system needs to be automated and needs to keep historical copies for some period.
If your key systems are already in the cloud and you are relying on them for your system backup, make sure you have a clear understanding of how your cloud vendor handles backups and that they have the proper certifications in place to make sure they are able to recover in an instance where they are compromised.
Make sure your school has Cyber Insurance. It is usually just a call to your current insurance provider to add this to your policy. Review the application with them to make sure you have everything in place that the application recommends and that you are comfortable with the limits. If there is an incident, this is your last line of defense to help pay for the cost of downtime and recovery.
There are a number of things needed to stay on top of and maintain a secure IT environment. The level of reliance your school has on technology should dictate the level of resources you dedicate to these systems. An IT Managed Service provider like Spera Partners is one of the best ways to do this as they already have all the tools and systems in place to help you get to this level of security. If you need an even higher level of protection, an IT Security Managed Service provider can do real-time monitoring with an automatic incident response to further alleviate potential risk and downtime.
Brian Hess, President
For more information on Cybersecurity from Spera Partners President, Brian Hess, tune in to this Podcast from Braun-Bostich & Associates.