As we mark the first anniversary of the COVID-19 pandemic, remote work and remote learning have both become the norm. Unfortunately, this shift to remote learning brings with it a myriad of cybersecurity concerns that need to be addressed in order to keep your network, and its users, safe and secure. 

Many schools had to pivot to remote learning quickly when the pandemic shuttered classrooms, and for many, cybersecurity became a secondary concern as educators focused on getting learning materials to students and minimizing educational disruption. Now that the dust has settled and students and educators alike had time to adjust to remote learning, educational institutions need to ensure they are investing in their cybersecurity. 

Why is Cybersecurity Important?    

Cybersecurity is important because it protects both your network and its users (including staff, educators, students, and parents). Cybersecurity attacks on K-12 educational institutions are also on the rise, and this trend is likely to continue. 

Common attacks targeting K-12 educational institutions include: 

• Ransomware: Ransomware refers to attacks where cybercriminals infiltrate networks and then lock legitimate users out of the network and encrypt the network’s files. The cybercriminals then demand the victim pay a ransom to return control. However, even if victims pay the ransom, there is no guarantee that the attackers will return control or leave systems and files intact and undamaged. 

• DDoS (Distributed Denial of Service): A DDoS attack is when a cybercriminal or group of cybercriminals attack servers, devices, networks, or applications in an attempt to drown a system with data requests, causing it to crash. The goal of these attacks is to deny service to legitimate users such as employees or students. 

• Zoom Bombing: Zoom bombing may get its name from the popular video conferencing platform, but it can occur on any similar platform. Zoom bombing involves unauthorized users crashing your business (or classroom) video conference call in order to cause disruption. Attackers may scream profanities or share inappropriate images, making this type of attack particularly harmful for classes with younger students. 

• Phishing Scams: Phishing is when a cybercriminal poses as a person or institution you trust (such as your boss or the school board) or someone you know personally in an attempt to trick you into revealing sensitive information or granting access to your network. They then use this ill-gotten information to engage in identity theft or other illegal activities. 

Start with Cybersecurity in Mind 

It’s always easier to develop a robust cybersecurity posture by considering cybersecurity in every step of the development pipeline, from the initial planning stages through to deployment, rather than leave it to the end when a lot of critical infrastructure decisions have already been made. 

When schools rushed to implement remote learning, many failed to consider the cybersecurity implications of the tools and strategies they were using. Many tools that schools adopted were also designed with corporate environments, not classrooms, in mind causing gaps in both functionality and scale. The rush to get students online and minimize disruptions meant too many organizations failed to properly audit the tools they were using. 

So, now that remote education is well underway, what steps should educational institutions be taking to reduce their risk and safeguard users? 

Audit Your Systems & Identify Potential Vulnerabilities ASAP 

You can’t identify issues if you aren’t familiar with the systems you are using. To keep your network secure, you should begin by making a list of all programs, apps, and other software your teachers are using in the classroom. Next, create a list of potential threats these systems currently pose and assess your security performance (in this case, determine what might go wrong and what steps you can take to fix the issue). Once you know what issues need to be addressed and have a plan for addressing them, prioritize these items from most to least dangerous and begin addressing these vulnerabilities as soon as possible. 

Choose Your Remote Learning Tools Carefully 

Make sure to vet all technology used in the classroom carefully to ensure it meets your security standards and won’t inadvertently leave your network or users vulnerable. 

Create or Update Your Approved SaaS Vendor & App List 

Make sure you have a master list of all approved SaaS (Software as a Service) vendors and apps and that those vendors meet your security standards. Teachers and district staff likely don’t have the cybersecurity skills necessary to ensure the tools they are using in the classroom are safe, so creating a list is critical. If your team needs some assistance, you should consider consulting with a cybersecurity expert to create an approved list. 

Once you have an up-to-date list in place, teachers and other staff can then consult this carefully vetted list of approved vendors and apps to ensure that the program or vendor they wish to use is safe. This list should be reviewed every time you conduct a security audit to ensure all the apps and vendors on the approved list are still safe to use. You should also consider using a cloud security tool to keep an eye on the apps and programs that teachers, staff, and students are using.  

You should also consider creating a list of unsanctioned or risky apps and programs that educators, staff, and students are prohibited from using or have not been properly vetted by cybersecurity experts. You should also make sure all users understand why they should not be using these unapproved or sanctioned apps and programs. 

Create an App Security Review Workflow 

If a teacher or staff member wants to use an application or program that isn’t already on your approved list, you need to have a mechanism for them to request a security review. This review process doesn’t need to be complicated: a simple Google form or other online form that requests the name of the app and a link where it can be found, as well as the name of the person requesting the review, should be sufficient. 

Once you have had a chance to complete a security audit, you can approve or reject the application, update your vendor lists accordingly, and inform the party that made the request of your decision. 

Have Clear Cybersecurity Guidelines in Place 

It is vital that your organization have clear cybersecurity guidelines in place and that all staff, students, and parents know where they can access this information. It is also beneficial if you explain why the guidelines exist and why following them is important. Users that understand the why behind the what are much more likely to follow guidelines than users who feel these guidelines are arbitrary or unfounded. 

You should also make sure that your guidelines include password guidelines to ensure all users are selecting strong passwords. To determine what constitutes a strong password, you may wish to consult section 5.1.1 of the NIST password guidelines. 

Monitoring is Critical  

You can’t adequately defend your network, or safeguard its users, if you aren’t monitoring your network. Educational settings, in particular, can benefit from network monitoring because students (especially younger ones) aren’t as tech-savvy as adults and don’t yet have the necessary life skills to consider every request or app they encounter critically. Unlike enterprise companies where all network users are adults, educational institutions are tasked with not only safeguarding their network and the data stored on it, but also have a legal obligation to safeguard students. 

Remote learning also brings additional challenges since you can’t guarantee that every student’s home network or device is as secure as it needs to be, so extra precautions need to be taken, particularly if your school has a BYOD (bring your own device) policy. 

To help improve your cybersecurity posture, you should strongly consider setting up 24/7 network monitoring and automating your SaaS connection monitoring and management. 

Invest in Cybersecurity Training for Staff, Students, & Parents 

Even the most detailed and comprehensive cybersecurity strategy is toothless if users don’t know how to implement it. Investing in cybersecurity training for both staff and students (and in the case of young students, their parents as well) is a great way to safeguard your network and its users. 

UC Berkley has some excellent cybersecurity resources for teachers, parents, and students that you may want to consider leveraging. 

Teachers 

• What Teachers Should Know: Threats and Tips 

• Cybersecurity Resources for Teachers 

Parents 

• What Parents Should Know: Threats and Tips 

• Cybersecurity Resources for Parents 

Students 

• What Students Should Know: Threats and Tips 

• Cybersecurity Resources for Students 

Cybersecurity is everyone’s responsibility. A good cybersecurity posture is critical for keeping your network, teachers, staff, and students safe. For more information about cybersecurity and technology, please consider reading our blog or watching one of our educational webinars.