The education industry isn’t just in the business of teaching students, it’s also responsible for a lot of data, primarily personally identifiable information (PII), making these organizations a major target for threat actors.
In March of 2023, Minneapolis Public Schools saw ransomware group Medusa publish current and former students “former student records, parent contacts, home addresses and IDs with pictures.”
Unfortunately, this instance isn’t an outlier. According to the Verizon 2023 Data Breach Investigations Report, the education sector saw 497 incidents, 238 with confirmed data disclosure. IBM reported that , in 2023, customer and employee PII was the most common, and costliest, data compromised across industries.
Educational institutions contain PII for students, their parents or guardians, faculty and staff, and may also have student medical records or other valuable data stored within their network. But, for many reasons, these organizations are struggling to stay on top of evolving cyber threats.
However, this struggle doesn’t need to be endless or accepted as a permanent risk. There are multiple, actionable steps these organizations can take to better protect student identities and personal data.
Cybersecurity Struggles K-12 Organizations Face
K-12 organizations know that student data is valuable and needs to be protected, but knowing and acting are different, and these institutions continually find themselves struggling to enhance their cybersecurity strategies.
Common challenges K-12 organizations face include:
1. A lack of funding for cybersecurity initiatives. It’s no secret that schools — especially publicly funded ones — are spread thin when it comes to their yearly budgets. With only so much money to go around, and a lack of certainty of how much funding will be in place in the future, cybersecurity can often take a backseat to more pressing matters. That means less money to invest in identity-focused solutions or proactive tools.
2. Strained resources. IT teams at schools are often small in headcount and can easily get stuck in a cycle of reacting to problems as they arise instead of working on proactive measures that can harden an environment. In addition, these IT teams often have competing responsibilities, and it’s possible that no personnel may focus solely on cybersecurity.
3. Limited hours of coverage. Threat actors don’t stop working when the clock hits 5 p.m., but education IT employees often do. Not only does this expose the network to off-hour threats, but in the modern age of hybrid learning, an organization’s network could be active at all hours. From teachers grading papers to students working on assignments, there’s risk created within the environment 24×7.
4. Issues around security awareness education. Education-based networks are identity-focused, with faculty and students constantly logging into various applications, sometimes from different locations. Considering that credential theft is rising, identity-based attacks are increasing, and phishing is prolific, users need to know how they can act as a line of defense against threat actors. Deploying robust, consistent security education for faculty and staff, however, is easier said than done considering how much competing attention there is for eyeballs and time in an educational organization.
5. Constant cyber threats. As mentioned above, educational institutions are consistently targeted by threat actors, and it can be difficult for the already strained IT departments to keep up with alerts, vulnerability remediation, and the many tasks required to improve an environment’s security posture. The sheer volume of threats means it’s only a matter of time before a hacker finds a weakness in the perimeter and launches an attack.
These compounding challenges create a risk-heavy landscape for K-12, and other educational institutions. But these are all challenges schools can mitigate to both harden their own environment and ensure the protection of their student, faculty, and community data.
How Educational Organizations Can Protect Student Data
A strong cybersecurity strategy should feature a multi-pronged approach that combines the proactive with the reactive.
For educational institutions, this means accepting the risk inherent with their budget and resource constraints, while working toward implementing solutions and strategies that will harden their defenses where possible. This doesn’t mean throwing all the budget at a shiny new tool, nor does it mean making every IT employee a cybersecurity expert. Instead, it means tackling problems from multiple angles and prioritizing protection for what’s most exposed on the attack surface — their student, faculty, staff, and community data.
Schools can better protect this valuable data by:
- Instituting strong identity security. Identities are the backbone of many educational organizations, as well as a common attack vector for threat actors who need credentials and privileged access to conduct a data breach. Through access controls, such as multi-factor authentication (MFA), and around-the-clock monitoring for suspicious user activity, organizations will reduce identity-based threats and limit the attack surface.
- Implementing a vulnerability management program. This should include routine vulnerability remediation. As educational organizations digitize to meet new learning needs, vulnerabilities will increase. External exploits are found to be the root cause in the majority of incident s, so by staying on top of remediation, organizations are closing that widely exploited point of compromise.
- Understanding how current laws and regulations apply to your organization. While there are no current federal cybersecurity laws that apply to educational organizations. K-12 schools must adhere to the Family Educational Rights and Privacy Act (FERPA) and Children’s Internet Protection Act (CIPA), both of which involve protecting students’ data online. In addition, 42 states have passed student privacy laws.
- Conducting security awareness training. Creating a security culture takes everyone in an organization, and schools are full of individuals who may not be thinking about security in their daily lives. By implementing security awareness training — particularly a solution that utilizes micro-learning and is focused on educational organizations — these schools can help empower their users while creating a full culture of security.
- Investing in an incident response retainer and cyber insurance. Part of a strong cybersecurity strategy is transferring risk and cost to an external partner. By obtaining an incident response retainer and cyber insurance, not only will your organization be obligated to implement certain security controls that will harden the environment, but you are also offsetting the cost and resources needed if an incident occurs.
- Building a human-first security partnership. The resource issue and cybersecurity skills gap are not a problem that will be solved tomorrow. Not only do schools need 24×7 monitoring and other safeguards in place, but they also need hands-on-keyboards to investigate alerts, respond to incidents, and improve their security posture. Working with an outside security provider will reduce alert fatigue and help small IT teams prioritize tasks while ensuring full-time coverage.
Learn how Arctic Wolf works with Eden Prairie Schools to enhance their security and protect their valuable data.
Explore how your K-12 organization can secure cybersecurity funding to better secure student identities.
Arctic Wolf is proud to be part of multiple K-12 purchasing cooperatives, including NASPO ValuePoint, the National Cooperative Purchasing Alliance (NCPA), OMNIA Partners, and more.
