The coronavirus is a crisis for schools, businesses, and individuals all over the country. Within a matter of weeks, our world is changing and everyone is pulling together to try to solve a variety of problems. For many school districts, this has meant moving to remote learning and working while school buildings are closed. During this unprecedented movement, K-12 IT teams—and their stakeholders—need to be aware of the most concerning remote learning cybersecurity risks they’re likely to run into.
School leaders and vendors are coming together to provide remote learning resources to help administrators, teachers, parents, and students continue the educational process from home. These resources often include cloud apps like Google G Suite, Microsoft 365, Zoom, and other EdTech SaaS.
However, it is disturbing that so few resources are available to secure sensitive student and staff information during this transition. Remote learning environments are ripe for both cybercriminal activity and accidental data exposure. School districts need to address the three most critical risks caused by this unprecedented situation.
Controlling access is a remote learning cybersecurity risk that will challenge most K-12 IT departments because so many are relying on firewalls instead of cloud application security.
Remote learning increases the number of individuals who are accessing systems from outside the school network. Controlling this access compounds the cybersecurity issues schools are already facing. Doug Levin, founder and president of the K-12 Cybersecurity Resource Center, recently described this remote learning cybersecurity risk well in EdWeek:
“With more teachers and students online, particularly if they’re doing it from less controlled environments outside of the school, the attack surface of the school community is increased. In many cases, all it takes is for one person to make a mistake in a school community for a school district network to get infected, or a data breach to happen.”
The situation is indeed critical. Traditional next-gen firewalls and web content filters are virtually useless outside of the school network. This type of open environment makes it impossible for IT to tell the difference between authorized and unauthorized access.
This leads to the threat of account takeovers in district G Suite and Microsoft 365 environments. It’s a risk that districts have always faced, and one that is notoriously difficult to detect. But both the threat and the difficulty of detection are amplified in a new, unsecured remote learning environment. This is because accounts are being accessed from hundreds, if not thousands, of different locations and devices.
Access control is difficult—if not impossible—for IT teams to manage without the right cloud security tool in place. As a result, cloud account takeovers are much easier to accomplish in a remote learning environment.
It’s also much easier to get phishing and lateral phishing email attacks past existing filters in an environment that isn’t controlled. Lateral phishing, where emails from cybercriminals look like they come from a trusted source in the school community, can cause untold problems. It can take months to determine where malicious content came from and where it circulated.
They say you can’t manage what you don’t measure. Well, you also can’t measure what you can’t see.
Your IT department probably uses a firewall to monitor activity when students and staff are accessing resources within the district’s network. However, when users are accessing and creating information in cloud apps like G Suite and Microsoft 365, system admins lose this visibility without the right tools. This risk is inherent in any cloud computing environment, but it gets worse in remote learning.
Without the visibility to see who is accessing what information, data leaks happen. It could be an internal, authorized user that accidentally publicly shares personally identifiable information. Or it could be a hacker who has gained access to sensitive information through an account takeover. Either way, no district wants to be in a position of publicly sharing student and staff personally identifiable information.
Remote learning or not, districts also need to remain compliant with FERPA and HIPAA regulations. This can be a particularly sensitive topic during tax season when employee W-2s are of particular interest to criminals.
As teachers, parents, and students scramble to find ways to keep remote learning both effective and engaging, there may be a tendency to try out more learning apps than ever before. In response to the coronavirus crisis, there has been a veritable explosion in free remote learning resources for schools.
While it’s wonderful to see the community coming together to support schools, there are significant EdTech security risks involved in this trend. These risks mainly revolve around infrastructure (or architecture) security and OAuth risks. OAuth connections make it easy to log in to different SaaS resources using the login credentials of school Google or Microsoft accounts. But these connections can be exploited.
Cybercriminals have developed ways to abuse the OAuth capability. They can easily create what looks like a website with a fun application, and then tempt visitors to the website to use their school credentials to log in. That doesn’t give the hacker your password, but it does give them an access token that they can use to log in to your district systems. Using that token bypasses password requirements and any two-factor authentication that you may have in place.
An OAuth attack is especially difficult to identify. The user may not remember using their school credentials, and traditional protections such as firewalls and MTAs can’t see the attack. Again, this is because the traditional protections only guard the perimeter, not your data.
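Because the OAuth grant itself is the only durable trace of this kind of attack, the place to look is the list of third-party app grants in the district's Google or Microsoft tenant. The following is an added example, not code from the original article: it groups grants to apps the district has not vetted and ranks those holding mail or file access first. The record layout, the allowlist, and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Real Google OAuth scope URLs that grant standing access to mail or files.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
}
# Hypothetical allowlist of OAuth client IDs the district has vetted.
APPROVED_CLIENT_IDS = {"lms.apps.example"}

# Constructed grant events; the record layout is an assumption, not a vendor format.
SAMPLE_GRANTS = [
    {"user": "teacher1@district.example", "client_id": "lms.apps.example",
     "app": "District LMS", "scopes": ["openid", "email"]},
    {"user": "student7@district.example", "client_id": "quiz.apps.example",
     "app": "Fun Quiz Game", "scopes": ["openid", "https://mail.google.com/"]},
    {"user": "student9@district.example", "client_id": "quiz.apps.example",
     "app": "Fun Quiz Game", "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"user": "teacher2@district.example", "client_id": "cards.apps.example",
     "app": "Flashcards", "scopes": ["openid", "profile"]},
]

def triage_grants(grants, approved=APPROVED_CLIENT_IDS):
    """Group grants to unvetted apps and rank them for review or revocation."""
    apps = defaultdict(lambda: {"app": "", "users": set(), "risky": set()})
    for grant in grants:
        if grant["client_id"] in approved:
            continue  # vetted app, nothing to review
        entry = apps[grant["client_id"]]
        entry["app"] = grant["app"]
        entry["users"].add(grant["user"])
        entry["risky"] |= HIGH_RISK_SCOPES.intersection(grant["scopes"])
    findings = [
        {"client_id": cid, "app": e["app"], "users": sorted(e["users"]),
         "risky_scopes": sorted(e["risky"]),
         "severity": "high" if e["risky"] else "review"}
        for cid, e in apps.items()
    ]
    # Mail/file access first, then the apps with the most affected accounts.
    findings.sort(key=lambda f: (f["severity"] != "high", -len(f["users"]), f["client_id"]))
    return findings

if __name__ == "__main__":
    for finding in triage_grants(SAMPLE_GRANTS):
        print(finding["severity"], finding["app"], finding["users"], finding["risky_scopes"])
```

A "high" finding lists every account that granted the app access, which is the set of users whose grants need revoking and whose mail or files need review.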
You can start with a K-12 remote learning checklist. The checklist will lead you through how to set up remote learning security. For example, it’s quick and easy to set up multi-factor authentication, and now would be an excellent time to make it mandatory. It’s also a good time to reset all your system passwords. At a minimum, you can use your system’s “require a strong password” feature to make sure your users get the most protection possible from a password.
Another issue to address is the state of your existing technology. Run an audit of your district’s cybersecurity infrastructure to identify potential gaps. You need a multi-layered cybersecurity infrastructure to have the right components to protect your data. Right now, no single solution can do everything.
If your audit identifies gaps in your cybersecurity tech stack, it means that you don’t have the tools and platforms you need to manage cybersecurity effectively. You don’t need the 300+ products provided by 57 vendors that are used in the business world. You can focus on your district’s specific requirements to simplify your tech stack. Prioritize the cybersecurity essentials you need based on your district’s needs, budget, and your capacity to manage those essentials.
This may sound funny, but in the coming weeks, you may find that things in your world slow down a bit. If your district isn’t planning to move to remote learning and is extending spring break, your workload may lighten. If this is true for you, it could be an excellent time to establish or reassess your district’s cybersecurity framework.
People across the globe will remember the coronavirus disaster for many years to come. Hopefully, we can prevent the added pain of cyberattacks on our K-12 school districts. Could your district be in jeopardy due to remote learning? Download our Remote Learning Security Checklist to make sure you’re doing all you can to manage the risks.