New Era of Cyber Attacks Requires a Multi-layered Security Strategy for Schools
It's time to move beyond the limitations of prevention-only cybersecurity and adopt a multi-layered security strategy to combat a new era of cyber threats for K-12 schools.
Of all the sectors at increasing risk from cyber threats today, the education field has emerged as one of the most vulnerable. In both 2021 and 2022, for example, education and research institutions faced the highest cyber attack volumes every month compared to other sectors, according to Check Point Research. More critically, from 2018 to mid-September 2023, ransomware attacks against K-12 and higher education institutions are estimated to have cost over $53 billion in downtime, according to a report on 561 attacks released by Comparitech, and a majority of those attacks occurred in the United States.
These alarming developments are leading us to a crossroads with the security of K-12 schools, and it's time to make a decisive change of course. First, we must recognize that a number of factors, such as a broad attack surface, have made these schools a target of cyber threats that deserve a new strategy. Moreover, we have to move from a prevention-based approach to cybersecurity to an "assumed breach" model, where we assume a cyber attack is an inevitability for schools and build our defenses around that assumption. Finally, we need a more standard architecture to reduce cyber threats for schools, with best practices dictating network security monitoring, endpoint security monitoring, and deception technology implementation.
Together, these reasons make it imperative that we move beyond the limitations of prevention-only cybersecurity and adopt a multi-layered security strategy to combat a new era of cyber threats for K-12 schools.
Why Schools Have Become Target No. 1
The first step in moving to a multi-layered security strategy for schools is understanding the prime target they have become.
Schools have emerged as an enticing target for several reasons. First, schools offer a broad attack surface that includes students, alumni, faculty members, administration staff, extension campuses, and research facilities. Second, the surge in the integration of online learning applications has expanded this attack surface by adding infrastructure, software platforms and other vulnerable access points. Third, schools manage concentrated stores of intellectual property and research data. Fourth, they often have to manage their IT environments with limited budgets and staff expertise.
Perhaps most importantly, K-12 schools offer an appealing target because many can be backed by public funding in times of crisis, such as for a ransomware demand, and because they have the personally identifiable information of minors. In the latter case, when minors are involved, it's not so much the actual personal data that is valuable as the emotional impact of exposure of that data. A credit card number is one thing, but the identity of a child is quite another!
A Flawed Approach
A second step in pivoting to a multi-layered security strategy is coming to terms with the flaws of a prevention-based approach that many of us in the IT industry have relied on for too long.
This approach, in a nutshell, has the primary goal of stopping hackers before they can strike. Yet, this mindset is fundamentally flawed. It's impractical to try to keep adversaries out of a school's IT environment all the time. Attackers are too numerous, and they have a dangerous combination of expertise and time. This prevention-based model results in establishing just one layer of protection and a scenario where a school creates a single hurdle for an attacker. If the bad guys clear that, it's game over.
What makes more sense is to put in place controls to prevent intrusion but also controls to look for adversaries inside school environments and respond appropriately. To use an analogy, a strongly protected building will not just have locks on the doors. It will have a security guard in the lobby, other guards in the building, and cameras and alarms set up. The same principle applies to information security, but we in the IT industry have decided that having locks on the front doors is enough. To better protect our schools, we must change this approach.