Remember way back in December of 2020, when the FBI warned Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data? Well, it is 2021, and rest assured it isn’t over. For most IT professionals working at K-12 schools, every day is challenging and even more so over the last 12 months. Porzio Compliance Services continues to receive inquiries from districts about what to do about these warnings. Thankfully, a career in federal law enforcement provided me with experience in reading and deciphering these types of threats. I may shed some light on this type of “intelligence” and what to do with it. Here is my assessment and some recommendations:
Notifications:
These general notifications reflect best practices schools should implement as they incrementally focus on protecting those digital assets most important to them. We know certain information classes are commonly targeted by threat actors, such as personally identifiable information (PII), i.e., student data. Equally important is access and control of data systems to extract payment (Ransomware) and social engineering for a staff member to divert funds (Business Email Compromise). My assessment of this specific notification was that schools are targeted now more than previously known. They should reinforce best practices while looking specifically at both Microsoft and Apple Operating Systems.
Recommendations:
During PorzioCS’s assessments of client data privacy and information security practices over the last two years, several frequent issues have been identified that address the best ways to protect confidential information and systems. We continue to advise clients to take a few next steps in the face of a changing threat landscape. As always, It begins with a few key areas:
What is our current state of cyber hygiene is when it comes to patching vulnerabilities, upgrading, or migrating from end-of-life applications/systems that are no longer supported? And what is our enforcement of user administrative controls, and password rotation, etc.?
The weakest link in the cybersecurity protection kill chain is the end-user. A good place to start is prreparing a brief statement to the staff and school community to “think before they click” as part of cybersecurity awareness training campaign.
Do we have a process to manage our third-party software provider’s that we share student information? Have we assessed how our ED Tech companies protect data and understand what happens if they have an incident or a breach?
Final Thoughts:
While the variants of malicious code, Tactics, Techniques, and Procedures (TTP), and the “patterns of activities or methods associated with a specific threat actor or group of threat actors” may have evolved, the vulnerabilities in any environment often remain available for exploitation unless identified and remediated. Good cyber hygiene, students and staff education, and a well-thought-out third-party vendor management program are critically important to mitigate risk for better digital resilience, no matter what the threat.