And 4 Basic First Steps You Can Take To Assess Your District’s Cloud Risk
Well, we’ve wrapped up Cybersecurity Awareness Month already. Truly, it went by way too fast! Do you feel like your district is better protected or prepared than it was on October 1? If not, (1) you are not alone, and (2) you should conduct a cloud risk assessment.
Which raises the question: Are technology leaders assessing their district’s cloud risks properly?
Unfortunately, it seems that district leadership doesn’t care about cybersecurity until something bad happens. But a cloud application risk assessment can help your district identify your security gaps and prioritize how to start protecting them before there’s an incident.
The 5 Top Cloud Risks
To be clear, cloud risks aren’t just about “keeping the bad guys out.” Though, that’s certainly a big part of it.
Most of your cloud data risk, however, comes from the inside. Authorized users exposing data through their own actions is still far more common than an outsider breaking into your systems. These insider data loss risks can be accidental or malicious; either way the data ends up exposed, and the exposure carries real regulatory compliance implications. Further, an insider data breach is often harder to detect when your district stores and shares sensitive information in Google Workspace and/or Microsoft 365 rather than on local servers, because sharing happens with a click and never touches your network.
1. Inappropriate Exposure of Sensitive Data
You’re familiar with the regulations you need to abide by. The Family Educational Rights and Privacy Act (FERPA) demands the protection of students’ private education records. You’re not allowed to share those records without written consent from the student’s parents, or from the student once they are 18 or older.
HIPAA rules also apply to schools that aren’t covered by FERPA but are HIPAA-covered entities. The Children’s Online Privacy Protection Act (COPPA) and the Children’s Internet Protection Act (CIPA) apply to schools when an operator of a website, online service, or application is used in the school. Many district leaders don’t recognize that this includes cloud applications from companies like Google and Microsoft.
Additionally, many states are enacting their own data privacy laws to strengthen data security, data breach incident reporting, and prevent unauthorized and/or unneeded sharing of private student data. Therefore, ignoring your responsibility to protect student data can result in severe repercussions for your district.
It’s much easier for teachers and staff to expose files containing sensitive and protected data in cloud storage than on-prem: a file that once sat on a network share behind a login is now one “anyone with the link” setting away from the whole internet.
I can tell you, as we are offering free cloud content and behavior audits for schools, we’re seeing a shocking number of incidents where teachers and staff are sharing highly sensitive files via global link shares. There have even been incidents of sharing personally identifiable information with their personal Gmail accounts! Many, many instances of teachers and staff sending their social security numbers and/or credit card numbers via email as well. These are all concerning cloud risks that leave your district’s information ripe for the taking.
“We had an incident occur when a teacher improperly shared about 100 different Drive files with their personal Google account. Before, finding all those files and breaking the sharing would have been a nightmare. With ManagedMethods, I was able to break all the shares in about five to ten minutes. That is just one thing that I really love about it.” —IT Leader in Virginia
These types of incidents rarely happen with malicious intent, but they can be just as dangerous as a hacker penetrating your system. The data is still unprotected and open to anyone who might be looking for this type of valuable information.
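The two exposures described above (global link shares and shares to personal consumer accounts) are exactly what a content audit should pull out of the Drive audit log. The script below is an added example written for this article, not ManagedMethods code or any vendor’s tool. It assumes the record shape returned by the Admin SDK Reports API (activities().list with applicationName="drive"): each record carries an actor and a list of events whose parameters are name/value pairs. The district domain, the consumer-domain list and the sample records are constructed for the example. It also covers the “unusual and/or inappropriate file sharing” item in the user behavior assessment later in this post.

```python
"""Audit Drive sharing events for link shares and shares to outside accounts.

Added example for this article (not ManagedMethods code). Assumes the record
shape of the Admin SDK Reports API, applicationName="drive". Sample data is
constructed, not real district data.
"""

DISTRICT_DOMAIN = "district.example"  # assumed district domain

# A share to one of these domains is a share to a personal (consumer) account.
CONSUMER_DOMAINS = {"gmail.com", "googlemail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# Visibility values that make a file readable by anyone holding the URL.
LINK_VISIBILITY = {"people_with_link", "public_on_the_web"}

SAMPLE_RECORDS = [  # constructed sample data
    {"actor": {"email": "teacher1@district.example"},
     "events": [{"name": "change_document_visibility",
                 "parameters": [{"name": "doc_title", "value": "IEP roster 2021.xlsx"},
                                {"name": "doc_id", "value": "doc-001"},
                                {"name": "old_visibility", "value": "private"},
                                {"name": "new_visibility", "value": "people_with_link"}]}]},
    {"actor": {"email": "teacher1@district.example"},
     "events": [{"name": "change_user_access",
                 "parameters": [{"name": "doc_title", "value": "Gradebook.xlsx"},
                                {"name": "doc_id", "value": "doc-002"},
                                {"name": "target_user", "value": "teacher1.home@gmail.com"},
                                {"name": "new_value", "value": "can_edit"}]}]},
    {"actor": {"email": "counselor@district.example"},
     "events": [{"name": "change_user_access",
                 "parameters": [{"name": "doc_title", "value": "Field trip permission.docx"},
                                {"name": "doc_id", "value": "doc-003"},
                                {"name": "target_user", "value": "nurse@district.example"},
                                {"name": "new_value", "value": "can_view"}]}]},
    {"actor": {"email": "counselor@district.example"},
     "events": [{"name": "change_user_access",
                 "parameters": [{"name": "doc_title", "value": "Transcript request.pdf"},
                                {"name": "doc_id", "value": "doc-004"},
                                {"name": "target_user", "value": "registrar@partner-college.example"},
                                {"name": "new_value", "value": "can_view"}]}]},
]


def param(event, name):
    """Return the value of the named event parameter, or None if absent."""
    for p in event.get("parameters", []):
        if p.get("name") == name:
            return p.get("value")
    return None


def classify_event(actor, event, district_domain=DISTRICT_DOMAIN):
    """Return a finding dict for a risky sharing event, else None."""
    base = {"actor": actor, "doc_id": param(event, "doc_id"), "title": param(event, "doc_title")}
    if event.get("name") == "change_document_visibility":
        vis = param(event, "new_visibility")
        if vis in LINK_VISIBILITY:
            return {**base, "kind": "link_share", "detail": vis}
        return None
    if event.get("name") == "change_user_access":
        target = (param(event, "target_user") or "").lower()
        domain = target.rsplit("@", 1)[-1] if "@" in target else ""
        if domain == district_domain:
            return None  # internal share: not flagged by this pass
        kind = "personal_account_share" if domain in CONSUMER_DOMAINS else "external_share"
        return {**base, "kind": kind, "detail": target}
    return None


def audit(records, district_domain=DISTRICT_DOMAIN):
    """Walk Reports API records and collect risky sharing findings in log order."""
    findings = []
    for rec in records:
        actor = rec.get("actor", {}).get("email", "?")
        for ev in rec.get("events", []):
            finding = classify_event(actor, ev, district_domain)
            if finding:
                findings.append(finding)
    return findings


def by_actor(findings):
    """Count findings per actor so the noisiest sharers float to the top."""
    counts = {}
    for f in findings:
        counts[f["actor"]] = counts.get(f["actor"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    results = audit(SAMPLE_RECORDS)
    for f in results:
        print(f"{f['kind']:24} {f['actor']:28} {f['title']!r} -> {f['detail']}")
    print(by_actor(results))
```

Against the sample, the internal share to the nurse is ignored and three findings come out: the link-shared IEP roster, the gradebook shared to a personal Gmail account, and an external share to a partner college that a human should review. In a real audit you would page through the Reports API for the period you care about and feed every record into audit().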
2. Vendors and 3rd Party Apps
Schools are a hotbed of 3rd party apps, and the shift to hybrid learning didn’t slow that trend down by any measure. The EdTech industry is growing, and teachers, staff, and students are taking full advantage of it. Unfortunately, there are a host of EdTech security risks that your IT teams need to manage.
The problem comes in when districts lack three things: strict rules about the permissions 3rd party apps can be granted, an effective process to evaluate the privacy and security practices of those vendors before approval, and a reliable way to find out when unapproved apps are active in your domain.
A cloud risk assessment can get you visibility into what 3rd party apps are connected to your domain, what permissions they have, who is using them, and more.
It’s not much consolation, but school districts aren’t alone. Research from Ponemon Institute and SecureLink reported that 51% of the organizations they studied didn’t do security checks before giving vendors access to their data. And, over half of those who participated said that the data breaches they experienced were the result of giving too much access to 3rd parties.
Further, for the second year in a row, the State of K-12 Cybersecurity: Year in Review report found that at least 75% of the data breach incidents that were publicly reported in 2020 were a result of incidents involving school district vendors and 3rd parties!
3. Account Takeovers
An account takeover happens when an attacker gains control of one of your legitimate user accounts, usually with stolen or guessed credentials rather than by breaking anything.
Once that happens, they can use that access to get into other accounts and other areas of your system, and they can do a devastating amount of damage. The situation is even more complex because if you don’t have the right safeguards, an account takeover can be almost impossible to detect—particularly in cloud apps, where the attacker’s activity looks like any other user’s.
The most common account takeovers occur when someone shared their password or chose one that was easy to guess. They also happen when users reuse the same password across services and that password was exposed in another organization’s data breach (attackers test those leaked passwords against your domain, a technique known as credential stuffing). Multi-factor authentication blunts all three.
A newer form of account takeover that is gaining in popularity uses 3rd party app permissions for malicious deeds. For example, an app that a user has granted access to read, write, and send email can be used by cybercriminals to send phishing emails from that user’s mailbox. Because the mail is sent through the user’s own account, it passes your domain’s authentication checks and appears to come from a trusted colleague, so perimeter-only threat protection filters won’t catch it. Note that the attacker never needs the password in this scenario; resetting it does not end the access, revoking the app’s grant does.
4. Phishing and Lateral Phishing
A phishing attack can be mounted by a cybercriminal who has some of your email addresses on file. A malicious link is included in the email body or an attachment, and when the recipient takes the bait, the attacker has harvested their credentials or planted malware.
Lateral phishing happens after an account takeover has occurred. The compromised account starts sending phishing emails to the contacts of the legitimate user(s) it belongs to.
The recipients, believing the email came from someone they trust, are much more likely to click the link and/or download the file. And the attacker is one step closer to getting enough access to start giving you headaches and sleepless nights.
“ManagedMethods caught a dozen phishing attempts and disabled a couple of accounts that had logged in from overseas just this morning. I’m grateful that I have ManagedMethods to catch and remediate these attacks quickly. The Login Analyzer is particularly helpful because we’re able to see where logins are coming from. There’s no way our small team could stay on top of it all while also supporting our students, faculty, and staff.” —Network Administrator in Florida
5. Malware and Ransomware
Ransomware is a form of malware, and both pose a significant risk to student data. Either can arrive in your cloud as a Drive upload, a shared file, or an attachment synced from a compromised account, and because that traffic never crosses your network perimeter, no next gen firewall or content filter is going to inspect it.
Hackers are interested in attacking cloud-based systems because so many schools use cloud applications, and they know two things. First, the cloud is where the data they monetize lives. Second, school districts generally aren’t doing a very good job of protecting their cloud domains.
4 Basic First Steps to Assess Your Cloud Risk
So, how do you know if your cloud apps—and the data stored in them—are at risk? Here are the first four things you need to do during a cloud risk assessment to find out.
1. Check Security and Access Configurations
Over 90% of schools use Google Workspace and/or Microsoft 365 as their primary platform for storing and sharing data. Both provide good basic security and access settings that you control out-of-the-box. Start with the tenant-wide defaults that decide how far a single user’s click can reach: whether files can be shared outside the domain and via public links, whether multi-factor authentication is enforced, and which accounts hold admin roles.
2. Inventory Your Cloud Applications
Even if you’ve been trying to keep track of 3rd party apps, conduct an inventory of the apps that are connected to your domain. You may be surprised by what you find. For each application, determine:
- Is the app authorized for use by your district (and/or others)?
- Who is using the app and what is the educational purpose?
- What access permissions are granted, and are they appropriate for that purpose?
If you don’t have a formal process for evaluating 3rd party vendors for cybersecurity, our free EdTech Vendor Security & Compliance Evaluation Checklist might help.
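The three inventory questions above (is the app approved, who is using it, what can it do) can be answered from the OAuth grants in your domain. The script below is an added example for this article, not ManagedMethods code. It assumes the grant shape returned by the Admin SDK Directory API tokens().list(userKey=...): each grant has clientId, displayText, scopes and userKey. The approved-app list, the scope risk weights and the sample grants are constructed for the example; tune the weights to your district. It also illustrates the OAuth-based account takeover described earlier, since it singles out grants that let an app send mail as the user.

```python
"""Inventory third-party OAuth grants and rank them by the access they hold.

Added example for this article (not ManagedMethods code). Assumes the grant
shape of the Admin SDK Directory API tokens().list. Approved apps, scope
weights and sample grants are constructed for the example.
"""

# Assumed: the district's vetted app list, keyed by OAuth client ID.
APPROVED_CLIENTS = {
    "123-lms.apps.googleusercontent.com": "District LMS",
    "456-reader.apps.googleusercontent.com": "Reading practice",
}

# Scope -> risk weight (author's assumption; tune for your district).
SCOPE_WEIGHTS = {
    "https://mail.google.com/": 10,                                  # full mailbox control
    "https://www.googleapis.com/auth/gmail.send": 8,                 # can send as the user
    "https://www.googleapis.com/auth/gmail.modify": 8,
    "https://www.googleapis.com/auth/gmail.readonly": 6,
    "https://www.googleapis.com/auth/drive": 8,                      # every Drive file
    "https://www.googleapis.com/auth/drive.readonly": 5,
    "https://www.googleapis.com/auth/drive.file": 2,                 # only files the app opened/created
    "https://www.googleapis.com/auth/contacts.readonly": 3,          # address book: phishing target list
    "https://www.googleapis.com/auth/admin.directory.user": 10,
    "https://www.googleapis.com/auth/classroom.courses.readonly": 1,
    "openid": 0, "email": 0, "profile": 0,
}

# Scopes that let an app send mail from the user's mailbox (lateral-phishing enabler).
MAIL_SEND_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.compose",
}

SAMPLE_GRANTS = [  # constructed sample data
    {"userKey": "teacher1@district.example", "clientId": "123-lms.apps.googleusercontent.com",
     "displayText": "District LMS",
     "scopes": ["openid", "email", "https://www.googleapis.com/auth/classroom.courses.readonly"]},
    {"userKey": "teacher2@district.example", "clientId": "789-mailmerge.apps.googleusercontent.com",
     "displayText": "Free Mail Merge",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts.readonly"]},
    {"userKey": "student1@district.example", "clientId": "789-mailmerge.apps.googleusercontent.com",
     "displayText": "Free Mail Merge",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts.readonly"]},
    {"userKey": "student2@district.example", "clientId": "456-reader.apps.googleusercontent.com",
     "displayText": "Reading practice",
     "scopes": ["openid", "https://www.googleapis.com/auth/drive.file"]},
    {"userKey": "staff1@district.example", "clientId": "999-pdf.apps.googleusercontent.com",
     "displayText": "PDF Converter",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
]


def scope_score(scopes):
    """Sum the weights of the granted scopes; a scope we have not rated counts 4."""
    return sum(SCOPE_WEIGHTS.get(s, 4) for s in scopes)


def can_send_mail(scopes):
    """True if any granted scope allows sending mail as the user."""
    return any(s in MAIL_SEND_SCOPES for s in scopes)


def inventory(grants, approved=APPROVED_CLIENTS):
    """Group grants by app: who uses it, the union of its scopes, its score, approval status."""
    apps = {}
    for g in grants:
        cid = g["clientId"]
        app = apps.setdefault(cid, {"name": g.get("displayText", cid), "users": set(),
                                    "scopes": set(), "approved": cid in approved})
        app["users"].add(g["userKey"])
        app["scopes"].update(g.get("scopes", []))
    for app in apps.values():
        app["score"] = scope_score(app["scopes"])
        app["can_send_mail"] = can_send_mail(app["scopes"])
        app["user_count"] = len(app["users"])
    return apps


def prioritize(apps, score_threshold=8):
    """Unapproved apps that can send mail or hold broad access, most dangerous first."""
    flagged = [(cid, a) for cid, a in apps.items()
               if not a["approved"] and (a["can_send_mail"] or a["score"] >= score_threshold)]
    return sorted(flagged, key=lambda kv: (-int(kv[1]["can_send_mail"]), -kv[1]["score"],
                                           -kv[1]["user_count"]))


if __name__ == "__main__":
    for cid, app in prioritize(inventory(SAMPLE_GRANTS)):
        print(f"{app['name']:18} users={app['user_count']} score={app['score']:3} "
              f"sends_mail={app['can_send_mail']} client={cid}")
```

On the sample, the unapproved mail-merge app comes out on top: it holds full mailbox control plus the address book for two users, which is the combination a lateral-phishing campaign needs. The unapproved PDF converter with full Drive access is second, and both approved apps stay off the list. Unapproved does not automatically mean malicious, but it does mean nobody vetted the vendor before it got that access.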
3. Conduct a Phishing and Malware Audit
You need to find out if the tools you’re using to filter out phishing emails are sufficient.
Even though we work with hundreds of district IT teams and know how powerful ManagedMethods’ phishing and malware protection technology is, I’m still somehow surprised how often we hear how we’ve helped customers thwart an attack that got through their Microsoft, Google, and other 3rd party threat protection filters.
“Phishing emails get past Google and Microsoft’s native filters. ManagedMethods is really good about flagging those emails that are able to get through, identifying if anyone in our domain has interacted with them, and quarantining or deleting those emails directly from anyone’s inbox.” —CISO in New Hampshire
Run an audit to see if your tools have missed something. You want to detect these threats at your perimeter. But, we all know that attacks can get through. You need a way to find those that are already in your cloud environment.
“The amount of phishing emails that get through our other filters was a reality check. We simply couldn’t keep up with them in Microsoft, but ManagedMethods gives us that information and makes it fast and easy to follow up on.” —CTO in Illinois
4. Complete a User Behavior Assessment
User behavior analysis means monitoring what accounts actually do and flagging activity that departs from their normal pattern. It contributes to the overall zero-trust cybersecurity strategy that many school districts are moving toward, in which a valid login is not taken as proof that the person behind it is who they claim to be.
Look for unusual login locations and user behavior that has no plausible explanation. A cloud behavior security audit will find and alert you to these seven most common cloud security threats in your domain (and, trust me, we’ve seen all of them when running audits with school districts):
- Account takeovers
- Login attempts from unusual locations
- Sudden spikes in user activity
- Lateral phishing
- Changing admin privileges
- Unusual and/or inappropriate file sharing and downloading
- Risky or unauthorized OAuth permissions
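The login-related items in that list (account takeovers, logins from unusual locations, sudden spikes) can be checked against the login audit log before you have a dedicated tool. The script below is an added example for this article, not ManagedMethods’ Login Analyzer or any other vendor code. It assumes each event is a flattened login-audit row: user, ISO-8601 UTC time, event name (login_success or login_failure, as in the Reports API login log) and a country code that an earlier GeoIP step attached to the source IP (the API gives you the IP address, not the country). The expected-country set, the thresholds and the sample events are constructed for the example.

```python
"""Find unusual logins in a Google Workspace login-audit export.

Added example for this article (not ManagedMethods code). Each row is
(user, utc_time, event_name, country); the country is assumed to have been
attached by a prior GeoIP lookup. Thresholds and sample data are constructed.
"""
from datetime import datetime, timedelta

EXPECTED_COUNTRIES = {"US"}          # assumption: where district users normally sign in from
MIN_TRAVEL_HOURS = 4                 # two countries closer than this in time = impossible travel
FAILURE_WINDOW = timedelta(minutes=10)
FAILURE_THRESHOLD = 5                # failures within the window that count as a spike

SAMPLE_EVENTS = [  # constructed sample data
    ("teacher1@district.example", "2021-11-02T12:05:00Z", "login_success", "US"),
    ("teacher1@district.example", "2021-11-02T13:40:00Z", "login_success", "NG"),
    ("teacher1@district.example", "2021-11-02T22:10:00Z", "login_success", "US"),
    ("principal@district.example", "2021-11-02T12:00:00Z", "login_failure", "RU"),
    ("principal@district.example", "2021-11-02T12:01:00Z", "login_failure", "RU"),
    ("principal@district.example", "2021-11-02T12:02:00Z", "login_failure", "RU"),
    ("principal@district.example", "2021-11-02T12:03:00Z", "login_failure", "RU"),
    ("principal@district.example", "2021-11-02T12:04:00Z", "login_failure", "RU"),
    ("principal@district.example", "2021-11-02T12:30:00Z", "login_success", "US"),
    ("student1@district.example", "2021-11-02T07:55:00Z", "login_success", "US"),
]


def parse(events):
    """Turn rows into dicts and order them per user by time."""
    rows = [{"user": u, "time": datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ"), "name": n, "country": c}
            for u, t, n, c in events]
    return sorted(rows, key=lambda r: (r["user"], r["time"]))


def unexpected_country(rows, expected=EXPECTED_COUNTRIES):
    """Successful logins from a country your users do not normally sign in from."""
    return [{"kind": "unexpected_country", "user": r["user"], "time": r["time"], "detail": r["country"]}
            for r in rows if r["name"] == "login_success" and r["country"] not in expected]


def impossible_travel(rows, min_hours=MIN_TRAVEL_HOURS):
    """Consecutive successful logins from different countries too close together to be one person."""
    findings, last = [], {}          # last: user -> previous successful login
    for r in rows:
        if r["name"] != "login_success":
            continue
        prev = last.get(r["user"])
        if prev and prev["country"] != r["country"]:
            gap = (r["time"] - prev["time"]).total_seconds() / 3600
            if gap < min_hours:
                findings.append({"kind": "impossible_travel", "user": r["user"], "time": r["time"],
                                 "detail": f"{prev['country']}->{r['country']} in {gap:.1f}h"})
        last[r["user"]] = r
    return findings


def failure_spikes(rows, window=FAILURE_WINDOW, threshold=FAILURE_THRESHOLD):
    """A burst of failed logins for one account (password guessing or credential stuffing)."""
    findings, per_user = [], {}
    for r in rows:
        if r["name"] == "login_failure":
            per_user.setdefault(r["user"], []).append(r["time"])
    for user, times in per_user.items():   # times already sorted by parse()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1               # slide the window forward
            if end - start + 1 >= threshold:
                findings.append({"kind": "failure_spike", "user": user, "time": times[end],
                                 "detail": f"{end - start + 1} failures within {window}"})
                break                    # one finding per account is enough to investigate
    return findings


def assess(events):
    """Run all three checks and return findings ordered by user and time."""
    rows = parse(events)
    findings = unexpected_country(rows) + impossible_travel(rows) + failure_spikes(rows)
    return sorted(findings, key=lambda f: (f["user"], f["time"]))


if __name__ == "__main__":
    for f in assess(SAMPLE_EVENTS):
        print(f"{f['time']:%Y-%m-%d %H:%M}  {f['kind']:20} {f['user']:28} {f['detail']}")
```

On the sample, the principal’s five failed logins in four minutes from one foreign country are reported as a spike, and the teacher’s successful login from Nigeria 95 minutes after a login from the US is reported twice, once as an unexpected country and once as impossible travel; the later return to the US is not flagged because eight hours is enough for a flight. The student’s ordinary morning login produces nothing. Any account that shows up here is a candidate for a forced sign-out, password reset and token review rather than a ticket for the end user.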
Where to Go from Here?
The K-12 cloud risks you’re not aware of can, and do, hurt you and others. School leaders have had to shut down classes for days and spend untold money, time, and resources to recover.
A cloud risk assessment will be a real eye-opening experience for you, but it’s an awakening that is definitely needed today.
“In Google Admin Console, it’s tough to dig into the logins and user details to determine what’s going on with an account. Using ManagedMethods’ Login Analyzer, we can quickly see account login locations and the activity history of that account. Previously, suspicious login tracking was time-consuming. Now, we can analyze potential incidents quickly without needing to bother the end-user.” —Infrastructure Engineer in Wisconsin