Would cyber-hygiene training in schools help thwart K-12 data breaches?
Now more than ever we must train our district personnel on good cyber-hygiene. I remember when serving as Director of Network Operations and then CIO some years ago, sending out the quarterly email reminding all employees to not open suspicious emails, and to never ever respond to work emails requesting personal information – under any circumstances. Although that warning always did some good, we inevitably encountered that small percentage of employees who did not heed the warning. Back then, the impact to those compromised employees might have been email spoofing, and my personal computing and support staff having to visit and clean their machine. Today, however, the risks are much greater.
Now, it only takes one compromised device to introduce highly evasive and signature-less malware infections onto a network. Well beyond email spoofing, today’s cyber-attacks include spear phishing, ransomware, data exfiltration (think LMS and Student Information Systems) and denial-of-service attacks. That is why I firmly believe that we must take a stand against the cyber risks we face every day as we move to a more open network posture by training our employees!
The fact is, our districts rely on teachers and staff to educate our kids and to be there to help them as they grow. However, in a recent hearing before the House Committee on Education, “Protecting Privacy, Promoting Data Security: Exploring How Schools and States Keep Data Safe,” a panel of security experts – including some of my colleagues – identified accidental online errors by school staff as the main threat to protecting schools.
As we know, schools are highly attractive targets for hackers who consider school networks data-rich environments, rife with Social Security numbers, medical information and test scores. In some cases, our students’ identities are compromised before they graduate from middle school. During the recent hearing on Capitol Hill, experts stated that they have seen an 85 percent increase in phishing attacks over the past year in some states.
The fact is, districts must establish increased education and a heightened level of awareness for teachers if we are to significantly reduce phishing attempts and the tremendous impact their exploits produce. Cyber-hygiene training can make a real difference, yet many districts have not embraced this solution. In addition, when the lack of training is coupled with insufficient threat management and intelligence technology, it is no wonder that the 2016 Verizon security report cited K-12 education as the second most vulnerable sector following healthcare.