COVID-19 has caused havoc on the schools across the U.S. In the spring, school districts did whatever they could to provide the tools to students to get through the end of the school year. As schools are starting up around the country this month and next month, the challenge school IT departments are having is how to secure all of the devices distributed to students. Here, we talk to Jake Kouns, CEO and CISO for Risk Based Security, where he leads the company’s technology strategy and is responsible for product vision and leadership in the security industry.

Prior to founding RBS, Kouns worked for Capital One and was also the Director, Cyber Security and Technology Risks Underwriting for Markel Corporation. He has briefed the DHS and Pentagon on Cyber Liability Insurance issues and is frequently interviewed as an expert in the security industry. He is also the founder of RVAsec and has presented at many well-known security conferences, including RSA, Black Hat, and DEF CON among others. He is the co-author of Information Technology Risk Management in Enterprise Environments and The Chief Information Security Officer. In addition, he holds a number of certifications, including: ISC2's CISSP, and ISACA's CISM, CISA and CGEIT. 

Security magazine: In your opinion, why has COVID-19 caused havoc on schools across the U.S.?

Kouns: It seems like years ago, but really it was just this past March that the 2019-20 school year ended abruptly for many school districts due to COVID-19. Many teachers and parents tried to pivot quickly to conduct virtual classes in order to make the best of a very bad situation, but it wasn’t successful for the most part.  Even though there were several months over the summer to prepare for the current school year, there have still been substantial struggles just to figure out what technology to use.  Teachers have done a tremendous job being flexible and schools are still working extremely hard to figure out how to provide a successful online learning environment, but that is asking for a lot of change in a short amount of time.

Security magazine: What challenges are school IT departments experiencing? Students were issued devices, such as laptops, to support their school work and online classes. Are these devices secure?

Kouns: We conducted some research back in August on school provided laptops and sounded the alarm that many devices that were previously issued, were not secured prior to the start of the year.  For many schools the only thing they were able to focus on was how to overcome the challenges of remote learning, and not on the security issues of how to secure the laptops, Chromebooks, and iPads that were previously distributed, or recently provided to children. School districts supplying new laptops or Chromebook seemed to have a decent handle on device security, however, previously distributed devices that were not returned at the end of the 2019-20 school year have caused considerable heartburn. In defense of school districts, very few organizations were planning for the long term effects of this global pandemic. So it makes sense that a routine patching strategy for remotely located devices wasn’t fully in place.

Security magazine: Are schools prepared to manage these challenges? What are the consequences of these devices being compromised by hackers?

Kouns: Managing cybersecurity is challenging for even the most well staffed, funded and prepared organization, none of which most school districts have to their advantage which makes it particularly hard.  Unfortunately, cybersecurity is something that needs to be constantly addressed, and if not many things can go wrong.  If a child’s school device becomes compromised by a “hacker,” there are a multitude of potentially damaging outcomes with some concerning privacy as the one that sticks out.  Consider for a moment if a hacker could potentially access a student laptop and then use the device’s webcam to spy on a child and family. With many families repurposing bedrooms as makeshift learning environments this becomes even more concerning.

When the school year started as we predicted, unfortunately we saw a large amount of cybersecurity issues affecting students and school districts. It felt like almost every day there was a new issue from the Zoombooming trolls that were just annoying to some really disturbing, in addition to other incidents.  The cybersecurity impacts then appeared to slow down a bit, but in the past couple months we have seen a substantial rise in ransomware events impacting schools.  As some school districts are finding recovering from a ransomware event can be extremely challenging, disrupting school activities for weeks or months.

Security magazine: What can school districts and their IT departments do to secure school-provided devices?

Kouns: The most important thing is that school administrators take the potential cybersecurity concerns seriously.  We recommend that they consider the following as a starting point:

• Determine your school’s cybersecurity risks and create a security improvement plan
• Patching catchup and on-going remote patching strategy implementation
• Secure the web browser
• Ensure Virus and Threat protection is enabled.
• Provide cybersecurity awareness training for students
• Consider cyber insurance

Security magazine: What can parents do?

Kouns: For starters, as parents we need to remain calm, but in the case of cybersecurity we must always be vigilant. The main issue with unpatched Windows laptops may not even apply to your children’s school district. However, cybersecurity, and what is described as good cyber hygiene, should be a focus for the entire 2020-21 school year. Without it, remote learning can be quickly derailed.

We recommend parents consider the following as a starting point:

• Review your children’s laptops and devices as soon as possible, and make it a regular weekly or monthly activity
• Review and secure your home network
• Consider using a Chromebook
• Speak with your children about online risks
• Understand your risks at home, and potentially to your employer