Data breaches affect millions of Americans when social security numbers are lost, credit card numbers stolen, and email accounts are infiltrated and misused by cyber attackers.
You see the headlines when big organizations like Target, Home Depot, or the U.S. Government suffer data breaches. However, local school districts are just as vulnerable to data breaches as high-profile organizations.
In fact, hackers are very interested in accessing systems that store the kinds of information gathered by schools. Schools collect a treasure trove of information (student and employee names, social security numbers, dates of birth, etc.) that criminals are eager to get their hands on.
An attacker targeting schools could be after the personally identifiable information (PII) of students in order to steal their identity. Child identity theft is a disturbing new trend we have seen on the rise.
Other cyber criminals may be seeking an immediate monetary gain as was the case when a would-be thief wormed their way into the computer network of Vermont's supervisory union.
These rising threats have prompted the passage of a new bill in New Hampshire, House Bill 1612 aims to help schools strengthen their data security posture amid increasingly sophisticated cyber attacks.
What security risks do schools face?
Schools collect a lot of highly valuable information, like social security numbers, from both their students and employees. Social security numbers are the keys to the kingdom for thieves looking to commit identity theft. This makes the systems storing that information big targets for hackers.
It's no longer a question of "if you get breached" school district leaders need to be asking "what should we do when we get breached."
Understanding these four risks that school districts face will help prepare you for a breach:
- Poor Practices
TheftThese deliberate attacks on systems or individuals with access to sensitive data can cause a lot of harm. HR record could be breached and social security numbers and other PII stolen or ransomware may be installed to hold your data hostage until you pay a ransom.
LossThe accidental exposure of data due to the loss of data is less nefarious but still potentially damaging. This can happen when backups fail or laptops and storage devices are misplaced.
NeglectLeaving data unprotected is comparable to leaving your laptop on the front seat of an unlocked car. Old district computers or hard drives are often recycled without properly erasing district data. Often, data is stored and not adequately protected with a strong password or encryption, leaving it vulnerable to a hacker or thief.
Poor PracticesData needs to be protected at every step - collection, transmission, storage, encryption, and even data removal - an insecure practice at any point in this path can leave your data vulnerable.
How do school district breaches happen?
Intrusions of your computer system can happen in a number of ways. A highly sophisticated attack may be executed to break into networks protected by strong security protocols but often times attacks are much simpler.
Phishing emails are one of the most prevalent types of attack and they don't require high level skills to execute but they do deliver high level rewards when successful.
Attackers use phishing emails to trick individuals into providing their personal information which can be used to gain access to computer systems. Once inside, the attacker can find even more valuable information. You might be familiar with the 2016 phishing attack on a school district in Concord, New Hampshire. The breach resulted in hackers stealing employee names, social security numbers and other PII.
Initially, phishing emails were very crude and fairly easy to identify by users with cyber awareness training. Today, phishing emails have become incredibly sophisticated and harder to spot.
Many phishing emails will try to create a sense of urgency with their messaging in order to lure the recipients to act quickly, click on a compromised link, and provide their information without questioning the emails legitimacy. Another indication of phishing emails may be found in an email's "From" field. The sender will often use characters like "0" instead of "O" - for example:
While breaches can occur in a number of different ways, including simple honest mistakes, phishing attacks are one of the most common attacks but also one of the easier threats to manage. Tools like spam filtering and email protection will prevent a lot of corrupt content from hitting your inbox in the first place.
What should my school district do to protect our data?
Create a comprehensive network map, data map, and data governance planIn order to protect your district from data breach, a clear understanding of the data being collected and your data collection procedures is required. What information do you collect? Where is it stored and who an access it? What protections are in place at each stage as the data moves through your system? To fully understand this an information technology audit should be conducted by in-house IT or third party experts.
Develop employee policies and procedures focused on securitySome easy action items here include appointing a Chief Privacy Officer, developing an Incident Response Plan, train your employees, and monitor data protection capabilities and processes regularly.
Implement the practice of least privilegeYou should limit access to sensitive data to the employees who require access to such information to complete their job. You likely have entire departments within your district that have no reason to access student, staff, or other sensitive information.
Check that your service providers use the right security measures
Your school district could have the best data security in the world but if it works with a cloud services provider with weak data security then you're still vulnerable to a breach. Make sure that third parties aren't putting you at risk.
The only true way to protect your school district from the varying types of attacks is to apply a defense in depth strategy. Technologies like next-gen firewall, email protection, spam filtering, ransomware protection, user-awareness training, and dark web credential theft monitoring will go a long way to keep you protected from sophisticated attacks and simplistic phishing campaigns alike.
While there is never 100% guarantee, implementing these recommendations will put you in a position of strength to defend yourself in the event of a breach and mitigate the damage that a breach can inflict.
For more information on data governance for schools, check out this handy Guide to Education Data Privacy funded by the Department of Education.