SACRAMENTO, Calif. — As cybersecurity continues to be a major issue across every industry, experts in the field are sharing practical steps that K-12 and higher education leaders can take to defend their data.
Cybersecurity is the No. 1 issue for higher ed IT for the second straight year, according to Educause's annual top 10 list of IT issues. And it's increasingly becoming a headache for school districts as attackers lock them out of their own systems and make ransom requests.
Experts at the fall Educause conference in Anaheim, Calif., and the California Educational Technology Professionals Association conference in Sacramento laid out their recommendations for fighting back against these threats.
The entire education community can aspire to keep a clean machine that's free from infections, said Michael Kaiser, executive director of the National Cyber Security Alliance. To get there, it's important to keep software up to date and apply security patches as soon as they become available. A number of other experts echoed his advice about patches.
"Starting with good cyberhygiene and making sure that the health of your overall environment is good is a huge stepping point," said Erin Dayton, senior program specialist at the Multi-State Information Sharing and Analysis Center (MS-ISAC) at the nonprofit Center for Internet Security
An education institution can have the best defensive systems and tactics in place, but just one user clicking on a malicious attachment or link in a phishing email can lead to system compromises, Dayton said.
That's why it's so important to build up people's cybersecurity skills across campus, particularly for those who may have access to sensitive data.
"The human firewall is your most vulnerable asset in your organization," said Christopher Thomas, special agent in the cybersecurity unit at the FBI's Sacramento field office.
To strengthen the human firewall, Kaiser from the National Cyber Security Alliance suggests creating a cybersecurity culture by encouraging people to be responsible online so everyone can do more with a safe and secure Internet. Telling people what they can't do doesn't work because they'll just find a way around it.
He says cybersecurity is just as important, if not more important, than the campaigns to stop smoking and to start recycling. Those behaviors changed over many years with consistent awareness campaigns. The alliance has its own campaign that education institutions can borrow: Stop. Think. Connect. And ed tech leaders can tap into students who are studying communications and marketing to help craft messages that their colleges will listen to.
"You have to have ongoing campaigns on your own campus to just keep reinforcing the behaviors that you want people to do at the right moment," Kaiser said.
The state of California regularly asks a third party to audit and test its systems for vulnerabilities. A third party brings a neutral perspective to the audit and can quickly expose security holes that state insiders may not find.
Once the audits are done, organizations can work to fix any problems they found and improve their security posture.
"Instead of just throwing money everywhere, it helped us focus in on where we needed to do remediation activities," said Scott MacDonald, interim chief information security officer for the state of California.
Missouri State Auditor Nicole R. Galloway completed five Cyber Aware School Audits this year of school districts and published a report in October summarizing her recommendations for improving cybersecurity. Overall, her team found that many districts had not created a comprehensive data governance program, did not adequately control user account access through policies and procedures, and did not have a security awareness program, among other things.
Ransomware attacks lock education institutions out of their own systems and involve requests for large sums of money in exchange for unlocking them. The FBI does not recommend paying a ransom to hackers, who engage in even more criminal activity and don't necessarily restore the data once they receive payment, Thomas said.
Instead, education institutions should consistently back up their data and systems so that they can restore them once they're hit by an attack, Thomas said. They can also contact the local FBI field office or the FBI's Internet Crime Complaint Center to report the attack and learn about any mitigation techniques that may apply.
State attorney generals including Galloway of Missouri and California's Kamala D. Harris (now a U.S. senator-elect) have been using major cybersecurity standards to evaluate organizations in their reports. The No. 1 recommendation in Harris' 2016 California Data Breach Report is to follow at a minimum the Center for Internet Security's Critical Security Controls. And the report includes strong words of warning for those that don't: "The failure to implement all the controls that apply to an organization's environment constitutes a lack of reasonable security." These controls include taking an inventory of authorized and unauthorized devices and software; providing secure configurations for hardware and software on devices; conducting continuous vulnerability assessments and remediation; and controlling the use of administrative privileges, among other things.
In Galloway's report, she highlights four major sources of standards and best practices that she used to evaluate school district security:
MacDonald from California also recommended going through NIST's cybersecurity framework, establishing security controls and following up with audits to make sure they're providing proper policy direction that's put into practice. The Critical Security Controls take a similar approach, but are more achievable than the whole framework, he said.
By becoming a member of MS-ISAC, education institutions and government entities can access a 24/7 incident response center, receive information about cyberthreats and be alerted when their system may be under attack. The membership and most services come at no charge from the taxpayer-funded organization, but it does charge for audits and vulnerability assessments.
It's also important for education institutions to share with each other the attacks they're experiencing so they can collectively be better equipped to defend against them. That includes sharing information with the FBI and MS-ISAC as well.
Instead of taking a compliance-based approach, education institutions can take a risk-based approach that allows them to find the personally identifiable information they have, weigh the security risks they face and create a plan to protect that data with additional steps. Both MacDonald and Thomas advocate this approach.
On the whole, as executive leaders increase their awareness of security threats, they are starting to understand the importance of improving cybersecurity and are being held accountable to do so. And that's critical for an overall cybersecurity strategy.
"You need executive support," MacDonald said. "Without their support, you're going nowhere."
Additional reporting from Anaheim, Calif.