Schools are top targets for Cybercrime. It’s time to get educated and educate about the risks, and how to implement a Zero Trust framework for security.

With students of all ages still in the early days of their academic year, cybersecurity experts issue stern warnings about cybercrime in schools.  With the increased use of technology for teaching, learning, and continuing school operations in today’s largely remote environment, schools are a primary target for cybercriminals. Microsoft Security Intelligence found that 61% of roughly 7.7 million enterprise malware events reported last month came from the education sector. And, according to a study by security company PurpleSec, education ranked last on the list of 17 industries for cybersecurity preparedness, while that same report identified nearly 500 cybersecurity incidents involving education institutions in 2020.

Why are cybercriminals targeting schools?

The reason behind cybercriminals’ attraction to schools is simple: Schools are easy targets. First, they don’t often have the budget or the right tools, IT resources, and dedicated trained personnel to protect against cyberattack. Schools also manage a myriad of sensitive personal information on students, faculty, and administrators. That information can be easily compromised through DDoS attacks, SQL injection, phishing, ransomware, and password attacks. What makes it worse is the need to implement remote education tools to enable “hybrid” learning due to the ongoing COVID-19 restrictions. With more teachers and students online, and working offsite from less controlled environments, the attack surface of the school community has increased dramatically.

Despite warnings and efforts to modernize (cybersecurity was the number 1 priority according to a 2020 educational technology leadership survey conducted by the Consortium for School Networking) many schools are still not set up to handle the risks.  

What kinds of risks are we talking about? How bad could it be?

According to experts, the number one threat for students, faculty, and administrators is their personally identifiable information (PII) which attackers are getting to through social engineering. Fake emails or “phishing” scams, phone calls from people posing as company representatives … anything that attempts to manipulate a user or to persuade them to divulge personal information. While one may ask why anyone would want information from a poor student, the reality is that they’ll take what they can get. And such scams could affect others in your circle of family or friends. The most common form of phishing email is one that attempts to get your login credentials, which very often will be the same or similar for your student accounts and your bank info. Other types of information could be your parents’ names, addresses, birthdates, etc. which, if compromised, could have disastrous effects.

[Read more here on how phishing has evolved and become more dangerous]

Ransomware is a serious threat to schools. Ransomware attacks involve cybercriminals overtaking and encrypting files and systems via malicious software – often shutting down entire systems with paralyzing effects. School districts worldwide have been the victims of such attacks, where bad actors demand ransom money before giving back access to critical resources. According to an FBI report, schools have become the number one target for ransomware attacks, with ransoms as high as $1.4 million. At the root of most of these attacks? Credential theft.

Attacks are particularly challenging in remote environments because many systems aren’t set up to support heightened security protocols nor to handle a patch when the network is down. Without Zero Trust security, where users must verify their identity at every stage before being granted access, the risk is too high.

What is Zero Trust?

Zero Trust is a security concept that centers around the belief that it is irresponsible of organizations to automatically trust anything inside or outside their perimeters. Rather, before granting access, they must verify anything and everything that attempts to connect to their systems. Ultimately, what Zero Trust means, despite what some perceive to be a negative connotation, is that trust is transferred from the network to the individual. In other words, the identity of the user must be verified – not the once-trusted perimeter of the organization or institution.

For a more detailed look at how Zero Trust works, read more here.

How can schools adopt Zero Trust for security?

What many don’t understand is that security protocols can be improved with tools that are far less costly than the price of an attack, and on top of that the right tools will make life easier for users and administrators, reducing time spent, cost, and headaches.   

Here are the first fundamentals institutions should employ now to start adopting a Zero Trust approach for security.

  1. Zero Trust is for EveryoneZero Trust needs to be adopted by leadership and utilized for the protection of all – students, educators, and administrators. In other words, not the open, flexible environment that many schools now provide.
  2. Apply conditional access controls for each role/user: Institutions should enforce Least Privileged Access (LPA) by providing each user access only to resources that are necessary. This will not only improve security, but also keep it simpler, making it easier for users to find and use the tools they need. The right authentication tools will make it easy for administrators to switch permissions on and off as needed.
  3. Most importantly, enforce multi-factor authentication (MFA) and single sign-on (SSO) for all usersEnabling MFA reduces risk of attack by more than 99.9 percent. MFA and SSO used together will strengthen security posture while improving the user experience for everyone involved – students, educators, and IT personnel. SSO means less attack surface because users will only need to log in once to access resources, and SSO provides a single pane of glass for multiple applications.
  4. BONUS: Ditch the password altogether and use Real Passwordless MFA +SSO for True Zero Trust Access™. Wherever it lives, whenever it’s required for access, the password is a pain, and it will render systems more vulnerable to attack.

TraitWare is simple, secure, passwordless login – in 3 touches – wherever you are – from a device you already carry.

TraitWare®’s all-in-one solution for Identity and Access Management (IAM) ties login to the user by leveraging a device they already carry, with MFA enabled and transparent to the user from account creation. SSO gives users access to all their resources and applications from a single console, on any screen. It’s simple, secure login in 3 touches – from a device you already carry. What’s more, TraitWare eliminates the #1 vector behind data breaches – the Password – saving on cost, time, and headaches.

For more information on how you can vastly improve security and reduce friction for users with Real MFA+SSO for True Zero Trust Access ™, please contact us and we’ll show you how it works in just a few minutes.