Expert Viewpoint

The Need for Powerful Identity and Access Management Throughout Districts

Districts seeking to optimize their IT, and specifically, their cybersecurity efforts, must focus on deploying common sense tools and operational resilience plans that will help defend against cyber attacks as well as respond in the wake of a successful hack.

• By Carter Dunbar
• 06/13/23

In an effort to combat growing cybersecurity challenges in K–12 districts, the Cybersecurity and Information Security Agency (CISA) released a much-anticipated review of the cybersecurity readiness of school districts across the United States. Given the steady drumbeat of targeted scams, breaches, and ransomware attacks plaguing school systems across the country, the report was published amid heightened urgency, felt by students themselves, their parents, staff, teachers, and administrators.

Schools have long struggled to effectively respond to this call to action due to small or non-growing security budgets and limited IT personnel with necessary skills. After the COVID-19 pandemic forced K–12 educational institutions to pivot their learning methods online, schools continued to adopt more advanced networking technologies designed to facilitate learning and make classrooms more efficient and effective. Unfortunately, such technological advancement often resulted in school districts becoming even more vulnerable to ransomware attacks and data breaches when security efforts failed to keep up with new IT related programs.

According to the CISA report, the gigantic uptick in K–12 ransomware attacks not only spawns a renewed emphasis on identity-related security, but it also stands as an opportunity for curriculum, IT and board members to work together to innovate and protect at the same time — all guided by identity-focused safeguards that can make a marked difference in the wake of growing attacks.

Districts seeking to optimize their IT, and specifically, their cybersecurity efforts, must focus on deploying common sense tools and operational resilience plans that will help defend against cyber attacks as well as respond in the wake of a successful hack.

"Cybersecurity risk management must be elevated as a top priority for administrators, superintendents, and other leaders at every K–12 institution," CISA noted in the report. "Leaders must take creative approaches to securing necessary resources, including leveraging available grant programs, working with technology providers to benefit from low-cost services and products that are secure by design and default, and urgently reducing the security burden by migrating to secure cloud environments and trusted managed services."

Academic institutions must continuously find secure ways to support the exploding number of digital devices, users and applications. Identities reign supreme in a K–12 environment — and a student's stolen credentials can be just as detrimental as that of a teacher or administrator in some cases. Resilience is key and begins with districts making impactful security investments that implement an education-centric identity and access management (IAM) platform. Through such a platform, every digital identity within a district can be properly provisioned, continuously monitored, and provide the correct access to the right people at the right time in the most effective way possible. By adding in an accompanying multi-factor authentication (MFA) system, users are provided one-click access to thousands of cloud-based and on-premises applications and services. Proper MFA strategy in K–12 should accomplish four objectives:

1. Secure the entire digital ecosystem;

2. Integrate seamlessly into the existing technology stack;

3. Provide equitable deployment that caters to the individual needs of each user; and

4. Continuously evolve with a district's ever-changing and unique needs.

With this strategy in place, districts can opt to phase-in their use of MFA based on their level of risk. Although K–12 districts are historically slow in their adoption of MFA, it still stands to be the most basic practice districts can deploy to significantly strengthen their cybersecurity posture.

CISA further emphasizes that school administrators should consistently lead ongoing exercises aimed at keeping emergency response plans top of mind among everyone in the district — implementing strong cybersecurity training programs among staff and students alike.The education sector provides a variety of constituencies that range from educators, staff, and students — each with their own unique needs that require attention based on their abilities and any special needs. Encouraging collaboration between IT departments and curriculum leaders can help promote healthy discussions surrounding specific risks within their environment and promote holistic approaches to risk management.

Change management can often stand as the biggest hurdle during cybersecurity enhancements. Security measures can threaten valuable instructional time if not implemented in a way that provides a frictionless environment for the user. If too many steps are involved, users will simply skirt around them and create more security risks, or delay the school day due to the need for greater assistance in accessing systems.

But bolstered cybersecurity does not have to be overly intrusive, costly or time consuming. In fact, encouraging the continuous development of responsible, appropriate, and empowered use of technology through digital citizenship can provide consistent awareness initiatives within a district. Teaching all involved about digital citizenship goes far beyond personal responsibility. Students should be taught online awareness with their digital footprint, password management, and how to recognize potential cyberthreats — not to mention the importance of notifying and working with teachers or others if untoward scenarios are encountered.

With rising cyberthreats and stricter insurance mandates being placed front and center, MFA and proper risk management in schools are no longer a "nicety" but a necessity. By focusing on these specific, impactful goals, districts can minimize the chance of exposure to attacks and in their cybersecurity efforts.