The mission of the educational system is to provide students with the best possible start in life. Giving students the best start in life also means protecting their identity and data. Whether in higher education (colleges and universities) or in the K-12 environment (public or private schools), the goal stays the same: educate the students. The mission of education requires data, and data is valuable not only to educators but to anyone who can get their hands on it, including hackers. Not only do schools have an abundance of data that is coveted by hackers, but the very nature of the educational environment typically results in data flowing freely through an under-secured environment.
Open computing environment
Programs like BYOD are beneficial, but simultaneously introduce risk to the organization. Benefits come in the form of cost savings (initial purchase, maintenance, management and replacement), mobility and productivity. Risk comes from a less controlled compute environment with high variability, high-risk surfing habits, and the inability to enforce management and security controls over the endpoint device.
This type of open computing environment strategy puts districts further behind the data protection curve relative to peers in other industries. At a minimum, appropriate controls must be enforced before allowing BYOD devices to access sensitive data and networks. This includes endpoint protection software, security-relevant configuration, the ability to control the flow of sensitive data to the device, and the ability to selectively wipe district data if the device is lost or stolen. Increasingly, these types of controls can be accomplished with agentless technologies, making deployment challenges and user privacy concerns a thing of the past.
The K-12 environment is being attacked on both sides, internally and externally. What makes school district data attractive to outsiders? Profit motive, which plagues organizations in every industry. The data being handled by school districts is a buffet for bad actors – personally identifiable information (PII), protected healthcare information (PHI), and payment card industry (PCI – credit card data) information for students, staff and even parents.
Malware, increasingly traversing networks via BYOD and cloud apps, is a sustained threat. Hackers are turning their sights toward education, using well-developed phishing and other techniques to compromise credentials. Data is leaving the environment without being detected. These threats are real and they’re happening today. Information security staff will need to continue to expand their skills and tooling to distinguish the significant threats from the benign.
The student threat
A new initiative making its way into districts across the country is the 1:1 device initiative, which gives each student a district-owned device to use as their primary learning device. Much like BYOD, these devices pose risks as well. Students have the device in their possession 24 hours a day (until they are collected, if they are collected). Pairing unlimited access with unlimited creativity means that students will think of ways to get to the internet content they want, not just what they’re allowed. This not only has the potential to introduce inappropriate content into the environment, but sometimes unleashes a fury of malware onto networks.
Beyond inappropriate use, there is a subset of students who fancy themselves hackers, with a belief that they will never be caught. These adversaries are already behind perimeter defenses and often are not punished for their transgressions when caught, leading to delusions of invincibility.
Countering both the inadvertent and the malicious student threat requires coordination across the organization. The InfoSec team must be appropriately armed with technology and trained staff, while faculty, administrators, and even parents must understand the critical nature of data security and work to ensure that appropriate student education and punishments are in place to reinforce the serious nature of these behaviors.
The K-12 environment is not much different from a financial services organization when it comes to threats to organization data. The difference is that in K-12, those threats must be mitigated despite a smaller team, less budget and a more resistant user base than at a big bank.
Only by building, training and empowering the right team, working in concert with parents, faculty and administrators, and by focusing on the unique threats and challenges facing K-12 education, will InfoSec leaders succeed despite long odds.
[This article was written in conjunction with David Overton, Senior Director of Information Security, Orange County Public Schools. OC Public Schools are committed to combating cyber threats in the education sector.]
This article was written by Rich Campagna from CSO Magazine and was legally licensed through the NewsCred publisher network.