Article by Lynda Sailor, Aspen Academy
From the September/October 2021 Net Assets magazine
Companies everywhere are reeling from the impact of cyberattacks, and educational institutions are by no means immune. In fact, in early June 2021 the FBI identified a specific piece of malware that targets K-12 independent and public schools. The malware turns off antivirus protection on the network, systems, servers and services, then encrypts all connected Windows and/or Linux devices and data, rendering critical files, databases, virtual machines, backups, and applications inaccessible to users. The threat is real, and the better prepared your school is, the better positioned it will be to get back up and running should it experience a cyberattack.
During the global pandemic, schools leveraged a layered risk-mitigation approach when reopening campuses. Consider adopting a multilayered approach to cybersecurity that addresses many aspects of your organization, including environment, employee awareness, proactive strategies and incident management.
Cyberattacks take a variety of forms that can range from spoofed emails and false error report emails to other, more serious attacks. These can include:
32% Network intrusion
12% Inadvertent disclosure
8% Lost or stolen records
5% System misconfiguration
Business and Professional Services 17%
Finance and Insurance 16%
Retail and Hospitality 12%
The first step in your cybersecurity efforts is to make a list of the assets you need to protect, such as connected devices, critical data and software.
To protect your school’s operations, you need to understand the value of your data and how it can be used. Criminals target data that has potential value to them — and your network is the means to that data. You may be required by law to protect certain types of information such as credit card and health information.
Some examples of data you will want to identify, inventory and protect:
If the data is not on your network, it cannot be taken. Use good governance and retention practices to limit what is stored on your server, what is sent by email and how long emails are retained.
Know which devices are connected to your network. This makes your environment easier to manage as you determine which devices need to be protected.
Rogue or unlicensed software poses risks, including legal liability, that can be mitigated. It is important to keep software up to date, as unpatched software can be a common way for malware to infiltrate and attack your systems.
Inventory the software and applications running on your school network, as well as the web services or cloud solutions your school uses. Initiate a transparent process for controlling individuals’ ability to add software to your network, and protect user accounts with administrative privileges.
Other actions to reduce both the likelihood and impact of cyber events include:
$58,034 average forensic cost for all incidents
$120,732 average forensic cost for network intrusion
$302,539 average ransom payment in 2019 (average in 2018 was $28,920)
Human error remains the leading reason cyber criminals continue to succeed. Protecting your data requires not only technological solutions, but also employee awareness to prevent accidental damage to your systems. Educating your employees in cybersecurity is critical, and engaging on an emotional level can help them understand they are not only protecting your school but also their personal security.
Promote cybersecurity awareness through regular staff training. Encourage strong cybersecurity behaviors including the following:
Creating and managing backups is one of the best ways to secure your data and recover after an incident. Current backups should be easily accessible while also being segmented from the general production systems your school uses to process daily work. This can help you avoid business interruption without paying a ransom.
Some cost-effective solutions you may choose to explore:
To prepare for a cyberattack, know what resources can be accessed in the event of an incident. Whether you have internal IT staff or a third-party incident management services provider, you should know — before an event occurs — the roles and expectations of the party responsible for incident management.
Sometimes, despite your best efforts, a cyber incident will occur. Whether a school restores from backups or pays to obtain the encryption key, returning to normal operations often takes weeks, if not months. Should an incident occur, consider these steps.
Criminals are constantly finding new ways to exploit vulnerabilities, so it is imperative that schools continually evaluate and test their plans. A plan review and simulation tests should be conducted annually with designated team members, including your IT department, third-party vendors, insurance agent, and appropriate members of your leadership or crisis team.
Creating and utilizing multiple layers of cybersecurity controls while training and consistently communicating the importance of cybersecurity to your employees is your school’s best defense in stopping or mitigating the risk of a cyberattack.