Views on news
Hackers targeted the second-largest school district in the US with a cyber-attack. The perpetrators appear to have targeted the facilities systems, which involve information about private-sector contractor payments (publicly available through records requests) rather than confidential details like payroll, health and other data, officials said. Ransomware attacks targeting the education sector are on the rise, with 57% of ransomware incidents reported to the FBI in August and September 2021 involving K-12 schools compared to 28% of incidents from January through July.
The mindset of cybercriminals has been changing with their focus shifting from extorting money towards reputational damage or inflicting harm on political enemies. Investigation and response involved the White House, the US Department of Education, the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, which lends the breach a political dimension.
During the pandemic, schools were expected to turn digital overnight, and, therefore, they created a huge number of vulnerabilities in their processes. It’s key that educational institutions assess their teachers’, researchers’ and students’ cyber security awareness.
The changing exposure and risk appetite of educational institutions
A new attitude and openness seem to be permeating the education sector. There are a lot of things, however, that schools can do to fill their security gaps. Cyber security is a closely-knit community, and conferences are places where you can get good ideas regarding the most cost-effective solutions, as well as the biggest threats. At the moment, educational institutions are trying to achieve as much as possible with the scarce resources they have. Some universities have already mandated MFA for staff and students.
But MFA fatigue can be a problem and open attack surfaces for cyber criminals. MFA and security training are also often seen in the sector as exercises taking time and resources away from delivering educational targets. However, teaching cyber hygiene in primary school from day one may be a way forward in the future. The pandemic threw the concept and practice of business continuity into sharp focus, then came remote work, and now security professionals need to accommodate hybrid work arrangements. These shifts show that it’s key for institutions now to prepare for the unprecedented risks of the future.
Risk tolerance has to increase because of the implementation of cloud-based solutions and the use of services from other third parties. Security may shift to the use of physical tokens and screen recording software, or universities may even set up a full-time security operation centre. Universities in the US are managed by Boards of Regents – a sort of Board of Directors, a body that pre-Covid wasn’t at all concerned with information security, while now many of these boards have members from the IT industry. This means that cyber security is now getting much more support from the top.
The panel’s advice
Decentralise information security decisions by involving staff and students too.
Contacting Information Sharing and Analysis Centers (ISACs), non-profit organizations that provide a central resource for gathering information on cyber threats and allow two-way sharing of information between the private and the public sector about root causes, incidents, and threats, and especially taking advantage of their education and research services, is a great way to start improving a school’s or university’s security awareness and posture. It’s also worth checking out EDUCAUSE.
Universities, such as the University of Oklahoma, also organise events where best practices and lessons learnt can be shared.
In information security, teachers, professors and their students are equal – they’ll need the same education.
Practise fundamentals (password hygiene, MFA, etc.) and keep getting your people to practise them too.