Security Blog

What grade would your school get in cybersecurity?

Written by Tracy Fox | April 21, 2020

Cyberattacks that focus on schools are becoming more frequent. Why? Schools are considered an easy target as lack of funding for proactive cybersecurity means that the IT team is woefully outgunned and often already overwhelmed with providing the day-to-day support for staff and students with little or no time to focus on protecting the network from threats that come from so many directions and seem to evolve almost daily.

Ransomware has been the most common threat because it’s easy to send out the malware and look for unprotected networks. Once you find them and encrypt the data that the schools need to function, the ransom is often paid because the schools lack the ability to fully restore from their back-ups.  Third-party vendors add another level of risk as many schools rely on them to manage payments, payroll, and student data. Hacking (including phishing and malware) accounted for 76% of records that were exposed in incidents for the month of January 2020 – the month with the highest number of breaches to date according to the Identity Theft Research Center.

Let’s look at some key risk factors to get your cybersecurity “grade”.  Deduct 10 points for each “no”:

  1. How quickly are critical patches rolled out to systems that maintain key data?
  2. Does this include all systems that store or transmit sensitive data?
  3. Does your school use Remote Desktop Protocol (RDP) to allow staff or vendors to connect?
  4. Is Multi-Factor Authentication (MFA) in place for all remote access?
  5. Does your IT staff or support vendor perform FULL restore tests on your back-ups at least monthly?
  6. Do you require confirmation of cybersecurity framework adherence from vendors who have access to your network or data?
  7. Does your school have 24/7 monitoring of critical systems to detect and respond to suspicious activity on your network?
  8. Does your school monitor the dark web for credentials or other data that could be used in an attack?
  9. Does your school have incident response resources readily available 24/7?
  10. Have you reviewed your cybersecurity insurance coverage within the past 12 months?

How did you score? If you are like most schools and answered “no” to more than half of these questions, you get an “F”.

 

 
View full post