Schools do far more than educate students. Their IT departments have to support and secure functions including healthcare, retail, research, human resources, finance and accounting. Some of those functions present rich targets for data thieves—just look at all the healthcare and retail companies that have suffered well-publicized data breaches.
Breaches in education continue to happen, but not all of them make headlines. According to ESET security researcher Lysa Myers, many educational breaches go unreported simply because nobody knows how many records were compromised.
IT departments are taking notice. Back in 2015, an Educause survey found security issues were lower areas of concern for CIOs and IT leaders. In 2016 and 2017, information security became the #1 issue for educational institutions.
So what should educational IT departments be doing and thinking about before they go on summer break? Below, Myers shares three steps worth studying:
1. Know what you need to protect. Perform thorough, regular, ongoing assessments.
- Inventory your assets and the risks to them. This is vital, given the wide variety of data you’re protecting. It can also help to prioritize and justify cybersecurity investments amid shrinking budgets.
2. Address the technology risks. Many threats use automated methods to exploit system and network vulnerabilities.
- Update early and often. Enable automated updates on desktops, laptops and mobile devices. Routers also need updates, but you will likely need to manually check for them.
- Segment your networks. Keep mobile devices or laptops brought in by staff or students off of subnets where payroll, healthcare or research records are stored. And keep these sensitive areas separate from each other.
- Apply the principle of least privilege. Don’t give any individual, system or part of your network any more access than is absolutely necessary. Don’t give employees administrator-level access to their machines or to network resources outside of their departments.
- Strengthen authentication and authorization. Use more than simple usernames and passwords to verify identities, especially on machines with valuable or sensitive information. Two-factor authentication can be easily added to your login processes.
- Filter network traffic. Deploy web and email filters that check for spam and phishing, and block file types used by malware authors.
- Use security software. Install antimalware software on gateways, servers and endpoints to prevent malware from entering your network and to mitigate potential damage. Stop unknown or unwanted network traffic with firewalls or intrusion-prevention software.
- Encrypt sensitive data that could be exposed.Encrypt sensitive data stored on computers and mobile devices, and data sent across the network via email, web or instant messaging applications, to protect it from unauthorized users.
- Prepare for emergencies. Perform backups and test them regularly to mitigate damage caused by ransomware and other malware, as well as to protect your organization against technological or natural disasters.
3. Address the human risks. Often, threats rely on social engineering tactics to lure victims via the web or email.
- Train users the smart way. Because more than half of security breaches result from human error, computer security education is a must. Take a tip from classroom teachers: introduce security concepts one-by-one and build on them over time. Get started with this free resource: ESET Cybersecurity Awareness Training can be used for both staff and students.
- Make security work for users. Don’t reinforce cybersecurity’s bad rap by preaching “don’ts” and looking over users’ shoulders. Work with your users, understand their processes, and then tailor security measures so they can safely complete tasks without unnecessary restrictions.
- Reward safer behavior. Enlist the community’s help to determine and identify what is abnormal behavior in your environment, and give incentives to employees that find weak spots or notice phishing attempts.