Could ID Management Limit Cyber Attacks on K-12 Districts?

With K-12 schools incorporating digital tools, platforms and social media into their classrooms — heightened, of course, by the COVID-19 global pandemic — comes a proliferation of users, accounts and points of access waiting to be exploited by ransomware and phishing attacks. Districts big and small can be vulnerable to the attacks. Case in point, hackers took down the L.A. Unified School District computer system last week, leading the district to look into its vulnerabilities. As schools nationwide increasingly rely on these digital tools, the need to manage their user accounts and passwords becomes ever more critical for limiting, if not preventing, cybersecurity incidents, according to people like Michael Webb, the chief technology officer at identity management software company Identity Automation.

“Historically, K-12 has done a pretty poor job at cybersecurity,” Webb told Government Technology.

Webb said that with the pandemic and the transition to remote learning, there came a growing awareness of the potential for data breaches. Likening it to a commercial venture, he said that when ransomware attacks started to funnel in, schools and districts paying off these demands basically came down to “return on investment.” How do you pare down the malicious attacks, which are taking place through phishing attacks on student and staff emails, as well as through social media and other accounts?

“Implement multi-factor authentication for school staff and educators,” said Doug Levin, the national director of K12 Security Information Exchange, or K12 SIX, a nonprofit dedicated solely to helping school districts and other K-12 organizations protect themselves from emerging cybersecurity risk.
“It is vital that passwords are not the be-all and end-all protection,” Levin told Government Technology. “It is vital that school districts monitor the accounts that they provide to their school communities to students and to staff, meaning they need to remain aware of whether or not those credentials may have been compromised.”

Levin said schools and districts need to place much stricter controls on accounts when they have been found to be vulnerable or accessed by unauthorized users. He said it’s imperative that these sorts of controls be applied to the full range of IT systems and tools that school districts are using, not just in the classroom. That trickles into social media, SMS messaging and other applications that are taken home after school.

Webb agreed with Levin in that schools should implement two-factor authentication as a bare minimum. In truth, since he said the schools aren’t well-versed in the industry of ransomware, he advises they get software that can oversee password protections and track irregularities to avoid major breaches.

“What most people forget to think about is if they don’t have a centralized platform to control accounts, this is the risk,” Webb said. “A common breach is accounts that are no longer in use. So nobody’s paying attention when somebody tries to break into them. So that’s a challenge. And then without a centralized platform, you don’t have good auditing, you can’t see what’s going on, and without that visibility and control, it’s very hard to govern one of these platforms, which really leads to increased chance of breach and that nobody notices.”

Avoiding these things, he said, is the difference between having secure accounts and potentially paying upwards of $5 million or $6 million, along with the public fallout. Webb said his system, which services hundreds of school districts, automates the whole process, including the removal of staff members who are no longer working in the district.

“We’ve seen an incident where a large school district had accounts (without provisions in place for when employees) were gone from the district. They had a high degree of (privileges) and the account was breached, and then it was used for a subsequent break into the network, and then an eventual ransomware attack,” Webb said. “And the simple step of just having the controls in place and having the ability (to remove the account) would have likely mitigated that incident.”

Levin said that whether one looks at risks to data, IT assets, people, the schools or the communities they serve, there has been an uptick in both the frequency and severity of cybersecurity incidents.

“Whether that is numbers of individuals who’ve had data breached and in fact had their credit records abused, or tax fraud committed against them, we’ve seen literally millions of dollars scammed out of school districts via sophisticated phishing email campaigns,” he said, adding that even though the attacks are getting more sophisticated, some schools make it unnecessarily easy for them, like a website running known vulnerable software.

While school districts have sought to obtain large cyber insurance policies, some policymakers have shifted requirements over the years as COVID-19 changed the K-12 ecosystem, which has led to more costly premiums, Levin said. He said this change has led school districts to start revisiting their policies and procedures.

“It is a huge task, and it is not one that most school districts are well-equipped to sort of expand to cover issues of cybersecurity, which require their own level of expertise,” Levin said.

But Levin insisted that if schools are trending toward a more digital approach, they should, in turn, adopt practices better suited to protect them — despite the federal laws for minimum standards of cybersecurity practices not changing in nearly a half century.

“I think we are getting to a place where you could start to raise questions about whether school board members and superintendents may have some degree of culpability, whether there is a standard of negligence that people may be asking about if indeed they do not put these protections in place,” Levin said. “(However) school districts are resource-poor, and it is unfair to ask them to take on these issues, district by district, without support and guidance to do so.”