The chief aim of the security industry at large typifies the old adage, “An ounce of prevention is worth a pound of cure.” Nowhere has this been demonstrated more clearly of late than in the rash of cyberattacks on academic institutions, school districts, and universities as the pandemic has accelerated a shift to remote learning. But unlike the pandemic, this isn’t a new or “unprecedented” issue. Forbes reported back in 2018 that a lack of cybersecurity funding expertise posed a very real threat to the U.S. education infrastructure.
There are countless stories describing how the education sector was targeted and hit hard (and continues to be hit hard) by bad actors exploiting the security challenges that arose from this year’s patchwork stay-at-home orders.
The ‘blame’ for these challenges could be levelled squarely at the district level for failing to provide teachers and administrators with ample cybersecurity training, at the education sector’s dependence upon legacy systems, at the too-rushed response the pandemic forced when it came to coordinating millions of students for remote learning, or at a lack of funding. Or maybe it was all of these things. Whatever the reason, the problems have emerged and they are many.
In October the school board in Yazoo County, Miss., voted to pay a company $300,000 to decrypt their data after a cyberattack. Athens School District in Texas agreed to pay $50k after a ransomware attack encrypted their data. Two districts in Ventura County, California were hacked on the same day. Industry publication Education Week called the spate of COVID-19-related cybersecurity breaches a “catastrophic attack on our education systems,” and that might even be an understatement.
Education is particularly attractive to criminals because of the vast amount of valuable data it holds: student and staff information, supplier information, alumni databases, and research data. So, as security experts, what’s to be done to help schools secure their endpoint devices?
Blended learning is here to stay
As the first doses of SARS-CoV-2 vaccine begin to roll out, and students start trickling back into classrooms, it’s not inconceivable that the model of teachers assigning work on laptops, tablets, or other devices will continue. After all, it’s easier for teachers to assign homework through a piece of software that can instantly grade multiple-choice worksheets or spelling tests than to spend hours manually grading physical papers at home.
What is not working at the moment is the assumption by school districts, schools, and other academic institutions that they can stick with a firewall and antivirus software - paid or free - and take the rest for granted. Unless academic institutions have a robust system for managing the mobile devices that connect to their networks, schools will remain open to cyberattacks originating from unsecured devices in the form of data leaks, phishing/spear-phishing attacks, and malware, ransomware, and viruses from suspicious email links and fake apps.
The benefits of using Mobile Device Management or Unified Endpoint Management (MDM/UEM) software to secure endpoint devices are numerous. From the security standpoint, administrators can geofence features, track devices, and assign policies and restrictions to them based on location. There are benefits on the academic administrative side as well: by securing endpoint devices, school administrators can limit what students are able to access on their devices while they’re in class via a Kiosk lockdown application.
Similarly, MDMs can be used to configure and assign Global HTTP proxy, APN, VPN, Wi-Fi, email, certificate, LDAP, CardDAV, CalDAV, and other settings to student devices. This saves admins the hassle of manually assisting each student with setup and periodic updates.
What can MDMs do for Education?
Tablets and laptops - devices that could be taken anywhere and that often belong to the students - are the kinds of devices used in education that are most vulnerable from a cybersecurity perspective. Most cyberattacks on these pieces of hardware occur due to poorly secured networks.
So, rather than take the outdated “trust, but verify” model of cybersecurity, administrators - particularly in the data-rich sector of education - need to adopt the “Zero-Trust” model of “never trust, always verify.”
This can be accomplished by incorporating an MDM into their cybersecurity arsenal. In addition to MDMs and UEMs, schools should include a firewall, antivirus, VPNs, secure router and router information in their arsenal for defending against online fraud.
Institutions that opt for an enterprise solution to preventing cyberattacks are often best prepared in the event of an attempted breach. MDMs in particular give administrators a wide range of control over endpoint devices on their network, allowing them to remotely view, control and monitor devices flagged for performing suspicious operations.
If the device in question is owned by the school itself and loaned out to a student, an MDM can be used to remotely wipe the data off the device in the event that the student forgets it somewhere. In less extreme cases, lost devices can simply be locked remotely by the administrator.
MDMs can also be used by admins to ensure robust password policies remain enforced, prevent unauthorized accounts from syncing with student- or staff-controlled devices containing enterprise data, eliminate the threat of devices automatically or deliberately connecting to unauthorized Wi-Fi networks, and disable storage ports to secure devices from malware.
Cyberattack Preparedness Seminars for all Students
Just as students in the Midwest are prepared for what to do when they hear the tornado siren wind up to a shrieking wail, and students in California must practice earthquake drills on a monthly basis, students from 2021 onward must be taught best practices for cybersecurity. This will not only provide a more robust security environment for schools right now, it will undoubtedly save IT and HR departments of future companies hundreds of millions annually in cybersecurity training when onboarding new employees.
Some best practices include:
- Secure devices before handing them out to students.
This one is obvious enough. Administrators who fail to secure devices across their network before distributing them to students are opening themselves up to potential liability in the form of a ransomware attack, data breach, or other cybersecurity threat.
- Or implement a BYOD scenario
If the district can’t afford devices for all its students, students should be encouraged to bring their own devices. Of course, before these devices go live across the network, they will need to have the MDM/UEM selected by the administrator installed to ensure data integrity is maintained.
- Restrict use of unauthorized applications, disable app store, or let IT distribute the apps.
A report by MarkMonitor highlights why this is important. App stores are rife with counterfeit software posing as the real thing. If a student inadvertently downloads a fake app, that could potentially infect the whole system.
- Use services like Apple for education and G Suite for Education.
By sticking with trusted services such as these, administrators limit further risk of liability.
- Restrict unnecessary internet usage, Bluetooth connectivity, and usage of USB drives.
This goes without saying.
- Encourage students not to connect to unsecured Wi-Fi, not to click on suspicious links, and to adopt best practices.
Here’s where that robust cybersecurity education comes into play. Some students might not immediately know what a suspicious link looks like. Even though the current generation of students are full “digital natives,” that doesn’t mean they have developed the wherewithal to figure out what is and isn’t a link to a trusted website.
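The checklist above can be run as an automated audit before a device is handed out or a BYOD device is allowed onto the network. The following is an added example, not code from the original article or from any MDM vendor; the attribute names, the app allowlist, and the inventory records are constructed assumptions rather than a real product's schema.

```python
# Added example: attribute names are hypothetical, not a real MDM export format.
APPROVED_APPS = {"classroom", "docs", "calculator"}  # constructed allowlist

# (finding text, device attribute, value the baseline requires)
BASELINE = [
    ("passcode policy not enforced", "passcode_enforced", True),
    ("app store not disabled", "app_store_disabled", True),
    ("USB storage not disabled", "usb_storage_disabled", True),
    ("Bluetooth not restricted", "bluetooth_restricted", True),
    ("auto-join of open Wi-Fi allowed", "auto_join_open_wifi", False),
]

def audit(device):
    """Return the list of baseline findings for one device record."""
    # An unenrolled device cannot be verified at all: report that and stop.
    if not device.get("mdm_enrolled", False):
        return ["not enrolled in MDM/UEM"]
    # Fail closed: a missing attribute counts as a finding.
    findings = [msg for msg, key, want in BASELINE if device.get(key) is not want]
    unapproved = sorted(set(device.get("installed_apps", [])) - APPROVED_APPS)
    if unapproved:
        findings.append("unapproved apps: " + ", ".join(unapproved))
    return findings

def report(inventory):
    """Map each device id to its findings; an empty list means ready to release."""
    return {d["id"]: audit(d) for d in inventory}

# Constructed sample inventory: two school-owned loaners and one BYOD device.
INVENTORY = [
    {"id": "loaner-001", "mdm_enrolled": True, "passcode_enforced": True,
     "app_store_disabled": True, "usb_storage_disabled": True,
     "bluetooth_restricted": True, "auto_join_open_wifi": False,
     "installed_apps": ["docs", "classroom"]},
    {"id": "loaner-002", "mdm_enrolled": True, "passcode_enforced": True,
     "app_store_disabled": False, "usb_storage_disabled": True,
     "bluetooth_restricted": True, "auto_join_open_wifi": False,
     "installed_apps": ["docs", "free-vpn-pro"]},
    {"id": "byod-103", "mdm_enrolled": False, "installed_apps": ["docs"]},
]

if __name__ == "__main__":
    for dev_id, findings in report(INVENTORY).items():
        print(dev_id, "OK" if not findings else "; ".join(findings))
```

A device with any finding stays out of student hands, or off the network in the BYOD case, until the MDM/UEM policy has been pushed and the audit comes back empty.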
The pandemic has exposed weaknesses and failures in the education sector’s cybersecurity preparedness. Now is the time to repair the damage and build upon that. “Cybersecurity is not unlike COVID-19. There is a certain prevalence of infected machines in the community,” the staff of Dice are right to point out. And just like the virus, there will be more infections if the outbreak is not controlled as early as possible.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine.