As many institutions pivoted to online education delivery models over the past couple of years, the need to protect biographical and academic data became even more pressing. With more students, teachers, and administrators having to learn and work remotely via online platforms, an increase in serious K-20 cybersecurity issues such as hacking, malware attacks, and data breaches has afflicted vulnerable schools. In fact, according to the Global Tech Council, cybersecurity experts report that “63% of the total reported encounters were from educational institutes…evident that the sector of schooling is a favorite target among cybercriminals.”
As one of the nation’s leading online, competency-based universities, Western Governors University (WGU) has long valued the importance of protecting the digital footprints of students and staff, as well as the academic delivery models that comprise our education experience. Our School of Education, along with WGU’s colleges of information technology, health, and business, has a vested interest in protecting Personally Identifiable Information (PII) and the storage of sensitive data to ensure that our students have a safe learning environment that is free from disruption and harm.
Three Critical Factors of K-20 Cybersecurity
For K-12 schools and other universities across the country, I believe that cybersecurity must be a top priority, because internal and external threats can infringe on and endanger education institutions, students, faculty, and staff with devastating consequences. Here are three critical areas for education leaders and administrators to examine as they implement or improve their schools’ cybersecurity strategies:
User Access Management
Identity and Access Management (IAM) is a broad concept that encompasses the processes, methodologies, and tools that maintain user access privileges within an IT environment. Strong IAM practices can eliminate many common vulnerabilities to attacks and theft. IAM is critical to protecting the integrity of our networks because if bad actors successfully compromise an authorized user’s access, they gain not only access to our network but also all of the privileges assigned to that user.
My colleague Paul Bingham, CISSP, CPA, CFE, WGU Vice President and Dean of the College of Information Technology (IT), shares what he believes is key to keeping user access secure: “For all of us, the importance of good password hygiene – combining long passphrases with multi-factor authentication (MFA) whenever possible – cannot be overstated. From a system administration perspective, effective access control through proper permissions, coupled with consistently offboarding unauthorized accounts, will significantly eliminate potential entry points into our networks.”
User Education and Training
Cybersecurity is a flourishing field in the world of education. With so many students, faculty, and staff accessing the internet on a daily basis, there are many opportunities for cybercriminals to steal passwords or personal information. Cybersecurity awareness training is important because it teaches all members of a school community how they can protect themselves from cyberattacks, how to recognize potential harm, and the steps to take to protect themselves regularly.
Even with limited budgets and resources, schools can still protect themselves from cybercriminals via training. User awareness is the number one way to influence responsible user behavior. For example, at WGU, we host ongoing phishing awareness campaigns to increase user awareness and thwart potential network breaches through phishing attacks. By learning about phishing scams, malware, ransomware, and other computer threats, members of our university community build a sense of confidence, trust, and safety.
K-20 Cybersecurity Crisis Response Plan
“We hear much in the news about cybersecurity incidents, but what we don’t hear about is all of the thwarted attacks because of great policies, procedures, and provisioning in place,” says Bingham. Leaders in the education sector should take a proactive approach by prioritizing important changes in protecting their students’ and staff’s data.
Through the implementation and rehearsal of a crisis response plan, schools can thwart attacks by prioritizing key areas to limit the damage that can be inflicted by an inevitable cyber threat.
According to the National Institute of Standards and Technology (NIST), the four most effective phases of crisis response plans – preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity – can help schools be more prepared to handle a cyber incident and more likely to come out whole on the other side.
Future of K-20 Cybersecurity
With cyberattacks on the rise in K-12 districts and universities, no institution is too small or too secure to be hit by a breach, given the depth of data available at each. As stewards of integrity and our students’ well-being, school leaders have bountiful opportunities to tackle cybersecurity issues by laser-focusing on protection, education, and planning. As our education sector works hard to provide access to extraordinary learning experiences, let’s proactively learn from each other to mitigate cyberattacks for the safety and security of our students and communities.