Five Most Common Findings in Independent School Security Assessments

The independent school community faces a unique set of challenges when securing its sensitive data, with students, parents, faculty, and administrators traversing the network from a variety of different platforms each day. Ankura has had the pleasure of working with independent schools across the country over the past few years. Most of these engagements begin with an assessment across the Three Pillars of Cybersecurity: People, Policies, and Technology. While each school environment is unique, there are many similarities in the findings from these assessments.

1. Relying on Cloud Security Defaults

Most schools have migrated either entirely or partially to the cloud for more convenient access and reliability. While cloud platforms such as Google G Suite and Microsoft 365 are a great way to collaborate with peers and share documentation virtually, it is important that IT leaders understand which security settings are enabled or disabled by default. In many cases, additional security features, such as multi-factor authentication (MFA) and Data Loss Prevention (DLP), are available but not yet enabled within the cloud platform. Ankura observes hundreds of breaches each year that could have been prevented or minimized if these security controls had been set properly. IT leaders should always assume that the default settings on any new platform are not necessarily the most secure, and should review these settings for hardening opportunities before implementing the platform within their schools.
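One way to make "review the defaults" a repeatable check is to diff an exported snapshot of the tenant's settings against a short hardening baseline. The example below is added here and is not code from the article or from Ankura; the setting names (`mfa_required_for_all_users`, `dlp_policies_enabled`) and the tenant snapshot are constructed placeholders, not any vendor's real configuration keys. The point it shows is the edge case the article warns about: a setting nobody has touched is absent from the export, and the checker treats "absent" as "still at vendor default" rather than as a pass.

```python
# Added example (not from the Ankura article): compare a tenant's exported
# security settings against a hardening baseline. Setting names and the
# snapshot are constructed for illustration, not real vendor configuration keys.
from dataclasses import dataclass


@dataclass(frozen=True)
class BaselineItem:
    key: str          # hypothetical setting name in the exported snapshot
    expected: object  # value the baseline requires
    severity: str     # how serious a deviation is
    note: str         # what to do about it


# Baseline covering the two controls the article calls out (MFA and DLP).
BASELINE = [
    BaselineItem("mfa_required_for_all_users", True, "critical",
                 "Enforce multi-factor authentication for every account"),
    BaselineItem("dlp_policies_enabled", True, "high",
                 "Enable Data Loss Prevention policies for mail and shared files"),
]

# Constructed snapshot of a newly provisioned tenant. "dlp_policies_enabled"
# is deliberately absent: nobody has touched it, so it sits at vendor default.
NEW_TENANT_SNAPSHOT = {
    "mfa_required_for_all_users": False,
}


def check_defaults(snapshot, baseline=BASELINE):
    """Return (key, severity, observed, note) for each baseline item the
    snapshot fails. A key missing from the snapshot is reported as
    'unset (vendor default)' instead of silently passing."""
    gaps = []
    for item in baseline:
        if item.key not in snapshot:
            gaps.append((item.key, item.severity, "unset (vendor default)", item.note))
        elif snapshot[item.key] != item.expected:
            gaps.append((item.key, item.severity, snapshot[item.key], item.note))
    return gaps


def hardened(snapshot, baseline=BASELINE):
    """Return a copy of the snapshot with every baseline item set as required."""
    fixed = dict(snapshot)
    for item in baseline:
        fixed[item.key] = item.expected
    return fixed


if __name__ == "__main__":
    for key, sev, observed, note in check_defaults(NEW_TENANT_SNAPSHOT):
        print(f"[{sev.upper()}] {key}: observed={observed!r}; {note}")
    print("gaps after hardening:", check_defaults(hardened(NEW_TENANT_SNAPSHOT)))
```

Extending the baseline is a matter of adding `BaselineItem` rows; the missing-key rule means every newly added control is flagged on tenants that predate it until someone explicitly sets it.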

2. Little to No Documented Policies and Procedures

Many of our independent school clients have been in business for 50-100 years. As a result, many policies on device use, data storage, password management, and even physical security are assumed rather than formally documented or acknowledged. It is important that organizations document and communicate to employees and students the procedures and policies governing the use of school-owned data and devices, leaving no room for assumptions that could lead to data exposure.

The top 5 policy areas we recommend for independent schools are:

  • Acceptable Use of Assets
  • Data Classification and Data Handling
  • Third Party Risk Management
  • Access Management
  • Incident Response Plan/Business Continuity Plan

3. Lack of Vulnerability and Patch Management

From a technical standpoint, many independent schools have not invested in vulnerability management tools that allow them to scan their network devices routinely. As a result, patch management is often sub-par. When performing vulnerability scans for school clients, Ankura often finds that many of the identified vulnerabilities result from an unapplied patch that was available years earlier. Every operating system, software package, and application is constantly being updated to provide new features as well as added security measures to the end user. It is difficult for schools to keep up with these updates unless they have a vulnerability and patch management plan that is implemented on a regular schedule. IT leaders should consider having vulnerability scans performed monthly or quarterly to confirm that their patch management programs are effective.
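The finding above is easy to quantify once scan output is in hand: for each result, compare the date the vendor released the fix with the scan date, and flag anything older than the patch cycle. The script below is an added example, not the article's or Ankura's code; the CSV rows, host names, `PLACEHOLDER-` finding ids, release dates and scan date are all constructed, and a real scanner export would carry its own columns and CVE identifiers. The 90-day threshold is an assumption matching a quarterly scan cadence.

```python
# Added example (not from the Ankura article): triage constructed vulnerability
# scan output by how long a fix has been available. All data below is made up.
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed scanner export: host, finding id, severity, date the fix shipped.
SCAN_EXPORT = """host,finding_id,severity,fix_released
lab-pc-01,PLACEHOLDER-0001,high,2019-03-12
lab-pc-01,PLACEHOLDER-0002,medium,2023-11-01
admin-laptop-07,PLACEHOLDER-0003,critical,2020-07-14
admin-laptop-07,PLACEHOLDER-0004,low,2024-01-20
library-kiosk,PLACEHOLDER-0001,high,2019-03-12
"""

SCAN_DATE = date(2024, 3, 1)  # constructed date of the scan run


def parse_scan(text):
    """Parse the CSV export into dicts, converting the release date to a date."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["fix_released"] = date.fromisoformat(row["fix_released"])
        rows.append(row)
    return rows


def patch_age_days(row, as_of=SCAN_DATE):
    """Days between the fix becoming available and the scan."""
    return (as_of - row["fix_released"]).days


def stale_findings(rows, max_age_days=90, as_of=SCAN_DATE):
    """Findings whose fix has been available longer than one patch cycle.
    Returns (host, finding_id, severity, age_days), oldest first."""
    out = []
    for r in rows:
        age = patch_age_days(r, as_of)
        if age > max_age_days:
            out.append((r["host"], r["finding_id"], r["severity"], age))
    return sorted(out, key=lambda f: -f[3])


def stale_by_host(rows, **kw):
    """Count of stale findings per host, to show which machines fell out of the cycle."""
    counts = defaultdict(int)
    for host, *_ in stale_findings(rows, **kw):
        counts[host] += 1
    return dict(counts)


if __name__ == "__main__":
    rows = parse_scan(SCAN_EXPORT)
    for host, fid, sev, age in stale_findings(rows):
        print(f"{host:16} {fid} {sev:8} fix available {age} days ({age // 365} years)")
    print("stale per host:", stale_by_host(rows))
```

Running the same report after each monthly or quarterly scan gives a simple effectiveness metric for the patch program: the count of stale findings per host should trend toward zero, and any finding whose age is measured in years is the pattern the article describes.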

4. Lack of a Monitoring Program

In most cases, schools have not yet started to implement a managed detection and response program, mainly because of the cost of such a solution. As schools work to build this into their budgets, here are some things to consider:

  • Endpoint Detection and Response
  • Cloud monitoring
  • Network Monitoring
  • 24/7 response services

5. Administrative Access Controls

Independent schools have a unique culture of trust that extends to IT and security as well. As a result, many schools have opted to give all faculty and staff local administrative rights on their school devices. While this supports the culture of trust and makes it easier for employees to customize their devices to their liking, it poses a threat to the school's security. Employees with local administrative rights have the ability to:

  • Download software: While most software that would be downloaded is harmless, allowing users to download whatever they need opens up the risk that they will accidentally or maliciously download malware that could spread to the entire school environment.
  • Change security settings: Controls such as password complexity, automatic lockouts, and cookie settings can all be changed by local administrative users. This makes it difficult for IT leaders to ensure all systems are configured consistently and hardened using security best practices.

While these are the top areas independent schools have struggled with, there are other pitfalls, such as the lack of a dedicated security team and limited security monitoring capabilities, that affect many school security programs. IT departments within independent schools are often spread thin with minimal resources for staffing. The primary focus is always to keep devices connected and functional so that students are provided with the resources needed to further their education. It is important for schools to understand that cybersecurity is not just the responsibility of the IT department, but of the entire organization. Departments such as the Business Office, Finance, Development, and Admissions all play a critical role in keeping sensitive data and systems safe and should work as a team with IT to build a strong security program.

3. Map Assessment Findings to Threats

Assessment reports can often be overwhelming for organizations. The findings reveal many vulnerabilities, both from a technical and a non-technical perspective, and it can be difficult to put these into context for your organization. Using the threat analysis from step 1, the findings of the assessment can be prioritized. For example, if a high threat to your organization is a ransomware attack and your assessment shows that your employees are likely to click on phishing links, security training should be a top initiative going forward. This process enables you to develop a roadmap to address the assessment findings.

4. Remediate High Priority Findings

Based on the prioritization in step 3, work to address the most critical vulnerabilities first, then shift your focus to the high, medium, and low level vulnerabilities in turn. Many of the vulnerabilities identified from a technical perspective can be addressed through software and/or firmware patch updates, which makes it easier to remediate a large portion of the findings.
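Steps 3 and 4 together describe a ranking: each finding feeds one or more of the threats identified earlier, and findings that feed the most concerning threats go to the top of the roadmap, with severity deciding the order among findings of equal threat relevance. The code below is an added example and is not the article's or Ankura's method; the threat weights, the category-to-threat mapping and the four findings are constructed, and the rule "threat relevance first, severity as tie-breaker" is an assumption chosen to reproduce the article's phishing-plus-ransomware example.

```python
# Added example (not from the Ankura article): rank constructed assessment
# findings by the threats they feed, then by severity. Weights, mapping and
# findings are illustrative placeholders.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Step 1 output (constructed): the threats the school is most worried about,
# weighted by relative concern.
THREAT_WEIGHTS = {"ransomware": 3, "account_takeover": 2, "data_exposure": 1}

# Which threats each finding category contributes to (constructed mapping).
CATEGORY_TO_THREATS = {
    "phishing_susceptibility": ["ransomware", "account_takeover"],
    "missing_patches": ["ransomware"],
    "no_mfa": ["account_takeover", "data_exposure"],
    "undocumented_policies": ["data_exposure"],
}

# Constructed assessment findings.
FINDINGS = [
    {"id": "F1", "category": "phishing_susceptibility", "severity": "medium",
     "fix": "security awareness training"},
    {"id": "F2", "category": "missing_patches", "severity": "high",
     "fix": "apply outstanding vendor patches"},
    {"id": "F3", "category": "no_mfa", "severity": "high",
     "fix": "enforce MFA in the cloud tenant"},
    {"id": "F4", "category": "undocumented_policies", "severity": "low",
     "fix": "write and publish an acceptable-use policy"},
]


def threat_score(finding, weights=THREAT_WEIGHTS, mapping=CATEGORY_TO_THREATS):
    """Sum of the weights of every threat this finding contributes to.
    Categories with no mapping score 0 and sink to the bottom."""
    return sum(weights.get(t, 0) for t in mapping.get(finding["category"], []))


def prioritize(findings, weights=THREAT_WEIGHTS, mapping=CATEGORY_TO_THREATS):
    """Order findings: highest threat score first, severity breaks ties,
    finding id keeps the result deterministic."""
    return sorted(
        findings,
        key=lambda f: (-threat_score(f, weights, mapping),
                       -SEVERITY_RANK[f["severity"]],
                       f["id"]),
    )


def roadmap(findings, **kw):
    """(id, threat_score, severity, fix) rows in remediation order."""
    return [(f["id"], threat_score(f, **kw), f["severity"], f["fix"])
            for f in prioritize(findings, **kw)]


if __name__ == "__main__":
    for rank, (fid, score, sev, fix) in enumerate(roadmap(FINDINGS), start=1):
        print(f"{rank}. {fid} (threat score {score}, {sev}): {fix}")
```

With these constructed inputs the medium-severity phishing finding lands first because it feeds both ransomware and account takeover, matching the article's example; changing `THREAT_WEIGHTS` after a new threat analysis re-orders the roadmap without touching the findings themselves.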

5. Plan for Routine Maintenance

Just as you should make routine doctor and dentist appointments, it is important to schedule regular maintenance to assess and strengthen your organization's security posture. New technical vulnerabilities are discovered each week, making it crucial that you stay current with the latest updates. Periodic employee training webinars and seminars can also help your team better identify and report security threats. Policies and procedures should be examined at least annually to identify necessary changes based on emerging technologies, new applications, process changes, and the like. Routine maintenance will help your team proactively identify new threats and vulnerabilities before they give way to a data breach. Follow these five steps and you'll be on your way to a stronger security posture!