New Era of Cyber Attacks Requires a Multi-layered Security Strategy for Schools
It's time to move beyond the limitations of prevention-only cybersecurity and adopt a multi-layered security strategy to combat a new era of cyber threats for K-12 schools.
Of all the sectors at increasing risk from cyber threats today, the education field has emerged as one of the most vulnerable. Both in 2021 and 2022, for example, education and research institutions faced the highest cyber attack volumes every month compared to other sectors, according to Check Point Research. More critically, from 2018 to mid-September 2023, ransomware attacks against K-12 and higher education institutions are estimated to have cost over $53 billion in downtime, according to a report on 561 attacks released by Comparitech, and a majority of those attacks occurred in the United States.
These alarming developments are leading us to a crossroads with the security of K-12 schools, and it's time to make a decisive change of course. First, we must recognize that these schools are being targeted by cyber threats that deserve a new strategy because of a number of factors, such as a broad attack surface. Moreover, we have to move from a prevention-based approach to cybersecurity to an "assumed breach" model, where we assume a cyber attack is an inevitability for schools and build our defenses around that assumption. Finally, we need a more standard architecture to reduce cyber threats for schools, with best practices dictating network security monitoring, endpoint security monitoring, and deception technology implementation.
Together, these reasons make it imperative that we move beyond the limitations of prevention-only cybersecurity and adopt a multi-layered security strategy to combat a new era of cyber threats for K-12 schools.
Why Schools Have Become Target No. 1
The first step in moving to a multi-layered security strategy for schools is understanding the prime target they have become.
Schools have emerged as an enticing target for several reasons. First, schools offer a broad attack surface that includes students, alumni, faculty members, administration staff, extension campuses, and research facilities. Second, the surge in the integration of online learning applications has expanded this attack surface by adding additional infrastructure, software platforms and other vulnerable access points. Third, schools manage concentrated stores of intellectual property and research data. Fourth, they often have to manage their IT environments with limited budgeting and staff expertise.
Perhaps most importantly, K-12 schools offer an appealing target because many can be backed by public funding in times of crisis, such as for a ransomware demand, and because they have the personally identifiable information of minors. In the latter case, when minors are involved, it's not the actual personal data that is as valuable as much as the emotional impact of exposure of that data. A credit card number is one thing, but the identity of a child is quite another!
A Flawed Approach
A second step in pivoting to a multi-layered security strategy is coming to terms with the flaws of a prevention-based approach that many of us in the IT industry have relied on for too long.
This approach, in a nutshell, has the primary goal of stopping hackers before they can strike. Yet, this mindset is fundamentally flawed. It's impractical to try to keep adversaries out of a school's IT environment all the time. Attackers are too numerous, and they have a dangerous combination of expertise and time. This prevention-based model results in establishing just one layer of protection and a scenario where a school creates a single hurdle for an attacker. If the bad guys clear that, it's game over.
What makes more sense is to put in place controls to prevent intrusion but also controls to look for adversaries inside school environments and respond appropriately. To use an analogy, a strongly protected building will not just have locks on the doors. It will have a security guard in the lobby, other guards in the building, and cameras and alarms set up. The same principle applies to information security, but we in the IT industry have decided that having locks on the front doors is enough. To better protect our schools, we must change this approach.
More Standard Practices
A third way we can move to a multi-layered security strategy for schools is by establishing a higher-quality set of best practices. This isn't easy to define, because there is such a wide range of tools and tactics that can be used to put in place multi-layered security, but here at least three practices that offer a starting point.
The first is regular network security monitoring. This is the collection and analysis of security information to discover an intrusion in an IT network. It involves developing a baseline understanding of an organization's security capabilities, identifying tactics of bad actors that may intrude in a network, and analyzing network information to detect anomalies indicative of an attacker.
A second practice is endpoint security monitoring. This is similar to network security monitoring, but instead of looking at the network, this technique looks at the endpoints of the network, such as a user's computer, tablet, phone, or other device. As more users access employer data from their own devices, it's become increasingly crucial to ensure that users' endpoints are secure and compliant when they access a network, whether through officially issued devices or their own.
A third practice is the use of deception technology. It's the equivalent of putting trip wires in a computer network, using files, computers, user accounts, or other technologies to deceive an adversary. These fake assets don't have any business use, but they look like they do. An attacker will go and poke at those elements, and when a trip wire is activated, a hacker is exposed.
By taking steps to codify network security monitoring and deception technology implementation as standard practices, we as IT professionals can go a long way toward strengthening information security for schools.
Moving to a New Mindset
Schools today are facing a rapidly rising cyber threat. We must recognize this threat, move away from a prevention-based security approach, and implement more standard practices for security monitoring and deception technology use. To truly safeguard our schools' information security, both school administrators and IT professionals must make it an imperative to adopt a multi-layered security strategy to combat a new era of cyber threats for schools.