Leveraging Zero Trust to Protect K-12 Communities from Cyber Threats
Getting K-12 schools online during a pandemic was difficult enough. To make it even harder, schools are dealing with rising volumes of cyberattacks. These incidents come from all directions: criminals targeting schools to make money from stolen personal information and compromised emails; insiders looking to disrupt classes and online meetings; and opportunistic attacks that take advantage of unprotected systems.
What’s the Current Threat Landscape?
The number of publicly disclosed cybersecurity incidents affecting K-12 school systems rose by 18% in 2020 over the previous year, according to The State of K-12 Cybersecurity: 2020 Year in Review report by the K-12 Cybersecurity Resource Center and the K12 Security Information Exchange.
The top kinds of attacks were:
45% Denial of Service
36% Data Breach/Leak (75% of these involved vendors and other partners)
12% Ransomware, increasing in severity over previous years (including extortion)
K-12 schools also saw an increase in disruptive cyberattacks, most of which were conducted by those with legitimate access. These did not meet the definition of a breach, but nonetheless caused concern:
Class invasions (interrupting online class sessions)
Meeting invasions (interrupting online board meetings)
Email invasions (for example, using email to bulk-share disturbing images)
These incidents are alarming, disruptive and costly. Some ways that they impact schools and their communities include:
Disruption of teaching and other school activities
Financial loss due to business email compromise
Cost of ransomware payments, and related recovery activities
Theft of student and employee data, leading to credit card fraud and identity theft
Exposure of children to disturbing content
Why are K-12 Schools a Target?
K-12 schools are resource-limited, particularly when it comes to up-to-date technology and security solutions. They rely on a small number of IT staff who wear multiple hats, often with limited security experience. These teams support large personal data repositories, including historical student records and personally identifiable information. Organization charts and contact information are often publicly available, and can be used to create realistic phishing campaigns and spear-phishing attacks. Not surprisingly, larger, urban/suburban and/or wealthier school systems are more at risk, as they manage more students, employees and devices. Smaller schools may also receive random attacks, but they’re less likely to report an incident.
Financial Resources for School Administrators
Funding specifically for cybersecurity is available to K-12 schools, such as CARES Act grants and other pandemic-related sources.
Additionally, there are several bills advancing through the U.S. federal government, including:
President Biden recently enacted what is believed to be the first K-12 cybersecurity-focused law, the K-12 Cybersecurity Act (S. 1917). As GovTrack details, “This bill requires the Cybersecurity and Infrastructure Security Agency (CISA) to study the cybersecurity risks facing elementary and secondary schools and develop recommendations that include cybersecurity guidelines designed to assist schools in facing those risks. The use of such recommendations shall be voluntary.”
State and Local Government Cybersecurity Improvement Act - To provide dedicated funding for the national infrastructure investment program and the capital investment grant program, and for other purposes.
Build America Act of 2021 (Infrastructure) - To provide dedicated funding for the national infrastructure investment program and the capital investment grant program, and for other purposes.
How Can Zero Trust Security Help K-12?
Applying a zero trust philosophy to K-12 supports remote learning and working, protects data and systems, and allows for faster incident response.
A zero trust architecture starts with having a multi-factor authentication (MFA) solution to ensure the person logging into a school system is a known, authorized user. Teachers and administrators can have a stronger authentication method while authentication methods for students can be age appropriate – and can be used to educate students on secure computing practices. Using MFA minimizes the impact of phishing attempts to steal and use credentials and can restrict a non-authorized user from accessing classroom and meeting online sessions.
Using device trust applications or mobile management solutions as a second step toward a zero trust architecture ensures that devices used to access school systems run current software versions and are up to date on security patches and other security controls. This allows for the flexibility of using personal devices without sacrificing privacy: faculty, staff and students can manage the health of their own devices without significant IT or helpdesk support, which reduces the likelihood of compromise due to outdated software and operating systems.
By applying continuous trusted access policies that monitor user and device behaviors, schools meet emerging compliance requirements while also allowing for faster detection of malware and other threats. A faster response leads to a lower impact when systems are compromised.
While the pandemic interrupted a lot of K-12 activities, it didn’t stand in the way of cyber threats impacting schools. Administrators now recognize the need to ensure systems, information and their communities are protected from ransomware, denial of service attacks and other threats. Zero trust architecture – focused on users and devices – is a place to start this work.