Though garnering only scant attention over the years, especially in comparison to other traumatic school safety challenges, cyber criminals are a major threat to information security and systems operability in schools.
Nebraska’s K-12 schools have been working diligently to diminish this risk but still have a long way to go in order to make education entities less vulnerable.
As recent headlines have made painfully evident, vulnerability through technology networks is not a problem isolated to schools. Our society’s willingness to trade security for convenience in the tech realm comes at a price.
Organizations of any type with revenue or information that can be sold on the dark web are at risk of cyberattacks. In recent years, schools, including those in Nebraska, have been targeted with increasing frequency. To some extent, this is completely predictable in an information economy: Schools retain substantial amounts of personal information for employee payroll and student records.
Not all attacks on school networks are intended to extort funds. Some are merely intended to create disruption and downtime. We are living in an era when virtually all work systems rely on the internet and a high degree of interoperability exists with many basic software programs (from lunch to attendance to school grading programs).
It’s not always sophisticated criminal syndicates at work, but sometimes merely a 14-year-old with a smartphone wreaking havoc on a school’s tech systems. DDoS (Distributed Denial of Service) attacks can be launched by bad actors to overwhelm a website's capacity to handle traffic, thus shutting it down. One possible result is that schools are unable to perform basic operations, and the school day grinds to a halt.
Schools have been working hard to address myriad cybersecurity issues. Nebraska’s Educational Service Units are a source for technical expertise and consultative support as well as information exchange among ESU tech experts and school district technology directors to ensure best practices are enacted.
The ESU COOP purchasing program is an excellent source of support to schools by negotiating statewide buys and discounted prices for key products such as website monitoring and security awareness tools.
Some salient cybersecurity takeaways applicable to educational entities, businesses, and nonprofits:
* Multi-factor authentication (MFA) is the requirement that an individual user signing on must acknowledge and enter a time-sensitive login code from a device separate from the initial login workstation. MFA is a necessary but not sufficient step in information security.
* Offsite or air-gapped backup systems for retaining key information are an essential security step to ensure that if a network is hit or a campus-based server is decimated by a natural disaster, system functions can be restored from a close-to-real-time backup.
* Regular updates of critical software apply program patches and ensure that the latest version of a program is installed, which provides the best defense. Unfortunately, critical updates can be missed when tech workers are overwhelmed and overextended.
* Social engineering through phishing attacks is one of the greatest areas of vulnerability for schools and other entities. Social engineering banks on trust through the appearance of normalcy. A phishing attack occurs when an email or message that appears at first glance to be legitimate is actually a spoof; when opened or clicked on, it triggers malware, a program that may infect an entire network. The best defense against these (in addition to robust email filtering that flags potentially malicious messages) is to educate the end-user to beware.
* Employees are not only your greatest asset; they are your greatest risk. In many busy workplaces, employees are dealing with a high volume of electronic correspondence and may take requests at face value. Unfortunately, this can lead to someone being duped by an email that masquerades as a linked work task but actually triggers a virus when opened.
Currently, the bad actors in the cybersecurity game are just playing the percentages -- and sometimes winning. It is catch-up time for the rest of us. Many of these efforts to undermine information security in schools and elsewhere spool out from automated "bot" packages that are unleashed at scale. These bots will continually target individuals until a victim surfaces. Once an employee is duped into providing their credentials, a threat arises; the bad actor now has access to the network.