The world has certainly changed since I was a child. I am willing to bet that if you are over 30, you likely have a similar opinion.
The idea of someone coming into our school with a gun would never have crossed our minds. If we were inside the building, we were safe.
But today, even if our school buildings are fortresses of safety with locks, cameras, and bullet-proof windows, our children are still at risk from cyber criminals.
As technology has rapidly expanded and infiltrated not only our daily lives but our mere existence, the educational environment has grown exponentially. Technology has become critical for teaching and learning due to the extreme impact of a global pandemic and the overnight transition to remote classes. With this dependence on our IT systems came cybersecurity vulnerabilities.
Before COVID-19, the two areas that cyber criminals rarely attacked were schools and healthcare. However, that changed simply because of the dependence on IT. Cyber criminals know that a school will have to pay a ransom to continue teaching. Plus, the opportunities are exponentially greater because there are so many more entry points available.
In addition to facilitating the education component for which schools are responsible, technology is also important for physical protection (with cameras, door locks, and communications) and the administration of the business of operating the school (scheduling, communications with parents, record-keeping, staff salaries/insurance, etc.)
Not only can a cyber attack impact learning, but it can also impact physical security and result in the loss of data (names, addresses, birth dates, social security numbers, and banking information).
With so much at stake, the importance of cyber security in schools has been elevated.
However, just because it is more important does not mean it receives the attention it deserves. Remote learning (i.e., more potential entry points), limited budgets, a small number of IT staff (or none at all), and the tremendous amount of student and staff data all make school systems very attractive targets for cyber attack.
Recently, school systems have started looking at using third-party vendors (Managed Security Service Providers) to take on the role of virtual Chief Information Security Officer (vCISO). With the economies of scale, such an arrangement can provide to several schools within a district, and the risk can be mitigated. In addition, implementing the security controls that an MSSP can provide will improve the chance of being approved for a cyber insurance policy and a reduced rate.
Lastly, school superintendents and IT staff should not wait for guidance from state or federal agencies. In fact, a GAO report from 2021 found that the last-published version of the Education Facilities Sector-Specific Plan was in 2010 and was focused primarily on physical threats with very little emphasis on cyber threats.
I would say that the world has changed quite a bit in twelve years. Take the initiative and protect your schools now. And if you are a parent, ask your school what they’re doing to protect your children online.