Sunny Suneja is a cloud security specialist with over 15 years of engineering and IT security experience. He previously worked for McAfee as a senior cloud security architect for the U.S. public sector.
In the rush to support remote instruction during the pandemic response, K-12 school districts had to put expediency ahead of security.
Early on in the crisis, funds were made available to boost the distribution of Chromebooks to students who didn’t have access to their own devices to ensure equity in remote learning. Though these devices do have their own internal security controls, the reality is that many students and teachers may be working from unsecured networks, exposing districts to a wider array of vulnerabilities.
Last year brought a sharp rise in cyberattacks, requiring district officials to take a longer-term look at their security strategies that address modern threats like breaches, phishing attacks and ransomware attacks.
Safeguarding users and networks
Attacks that are appearing in remote and hybrid learning environments will continue to increase. The fact that new devices were handed out and provisioned so quickly — without taking additional security measures — should ring alarm bells to security leaders. The lack of visibility and control of devices accessing district resources is a key part of what makes them so vulnerable in the first place.
Additionally, students, parents and teachers may operate under the assumption that default controls in certain devices — like Chromebooks — guarantees a certain amount of safety, integrity or confidentiality.
Knowing exactly the entire scope of school IT assets requires investing in — or for some, reinvesting in — modern asset management tools to build and maintain a database of devices. Once schools have a clear view of the devices connected to their network, it becomes easier to make decisions around security controls and establish a better risk posture.
Layering security controls
Throughout the past year, we have helped our K-12 partners invest in a combination of tools and practices that layer security across the network infrastructure. School leaders need to recognize how their infrastructure has effectively expanded and adopt a new mindset around their security strategies.
That includes being able to answer key questions such as: How to put up guardrails around collaboration platforms? How to protect users from phishing attacks? How to guarantee that users don’t go to an illegitimate part of the internet?
One of the benefits with the push to enable remote learning took shape in how quickly schools moved to adopt cloud-based consoles and platforms. These tools, from a technology standpoint, improve school’s security posture because they help remove some of the work involved in updating and monitoring security on the district’s underlying infrastructure.
Additionally, these cloud investments offer a layered approach to security, engineering and operational processes that scale over time and are device-agnostic. That means offering the same level of security and control no matter what devices students are using, and no matter how large or small the user population becomes.
Along with these cloud investments comes the flexibility to explore more advanced security capabilities that can future proof K-12 schools from threats as they evolve.
For example, capabilities offered by security vendors, like McAfee, around machine learning and data science, can be deployed to differentiate between known threats, unknown threats or things that are completely safe to use.
Take advantage of partnerships
Establishing partnerships is one of the best ways for school districts to modernize security controls. That can start with improving collaboration with districts’ respective state CIOs and education department advisors in order to see where they streamline cybersecurity efforts in accordance with state and regional programs.
We encourage our partners to check in with their state and local boards to see if there are funds they can access for security resources. More often, CIOs and state agencies are entering into conversations around sharing services in order to augment the level of security monitoring that can be infused into the organization.
Additionally, K-12 districts should try to align themselves with the same security guidance that may be issued to state and local agencies. This can help them prioritize which areas of their security strategy to tackle first.
Lastly, a shared security model or security-as-a-service shouldn’t be overlooked. Delegating certain IT and security tasks to an external provider makes it possible for understaffed school IT departments to put the operation of the underlying infrastructure into more experienced hands.
Instead of educational institutions having to create a dedicated program associated with disparate security functions, we’ve seen our partners adopt managed services. In this model, the reports they receive are rich enough for security teams to be to become smarter over time — in terms of how decisions are made — and are kept up to date with the evolving security and threat landscape.