Discussions

The independent school community faces its own particular set of challenges when securing sensitive data. Schools must support students of varying ages and technical needs, parents, facility personnel, and administrators traversing the network from a variety of different platforms each day. While each school environment is unique, schools face common pitfalls that can lead to security incidents.

Below are the top cybersecurity missteps that many independent schools face when securing their environments.


1. Relying on Cloud Security Defaults Most schools have migrated either entirely or partially to the cloud for more convenient access and reliability. While cloud platforms such as Google Workspace and Google for Education and Microsoft 365 are great ways to collaborate with peers and share documentation virtually, it is important that the IT leaders understand the security settings that are enabled or disabled by default. In many cases, additional security features, such as multifactor authentication and data loss prevention, are available but not yet enabled within the cloud platforms. Ankura observes hundreds of breaches each year that could have been prevented or minimized if these security controls were set properly. IT leaders should always assume that the default settings on any new platform is not necessarily the most secure and review these settings for hardening opportunities prior to implementing within their schools.

2. Little to No Documented Policies and Procedures Many independent school clients have been in business for 50 to 100-plus years. As a result, many policies on device use, data storage, password management, and even physical security are often assumed and not formally documented or acknowledged. It’s important that organizations work to document and communicate to employees/students the procedures and policies related to the use of school-owned data and devices, leaving no room for assumptions that could lead to data exposure. Some of the more critical policies to have documented are:
• Acceptable Use of Assets
• Incident Response Plans and Business Continuity Plans
• Data Classification and Management
• Password Management
• Information Exchange

3. Employees Lack Security Training Independent school networks host a variety of different users from a wide span of technical backgrounds. We often find that there’s a lack of training about cybersecurity threats and that users do not have the guidance needed to protect their school from common tactics like ransomware, phishing, vishing (voice phishing), etc. When conducting mock-phishing exercises, Ankura observes a 23%–25% click rate on average. It takes only one click on a malicious link or attachment to potentially compromise an entire network, so educating users on how to detect phishing emails is key to safe access points guarding your school’s data.

Some key phishing tips are:
• Look for spelling and grammatical errors.
• Check the sender email address for discrepancies.
• Ask yourself: “Would this person normally send me this email?” and “Does this sound like this person wrote this?”
• IT can configure emails to be flagged if sent from an external source.
• ALWAYS verbally verify an email request’s legitimacy before sharing sensitive data and/or changing financial processes (i.e., wire instructions).

4. Infrequent Vulnerability Scanning and Patch Management From a technical standpoint, many independent schools have not invested in vulnerability management tools that allow them to scan their network devices routinely. As a result, patch management is often sub-par. When performing vulnerability scans for school clients, Ankura finds that many of the identified vulnerabilities are a result of an unapplied patch that was available years prior. Each operating system, software, application, etc., is constantly being updated to provide new features as well as added security measures to the end user. It’s difficult for schools to keep up with these updates unless they have a vulnerability and patch management plan that is frequently implemented. IT leaders should consider having vulnerability scans performed monthly or quarterly to ensure their patch management programs are effective. 5. Allowing End Users to Have Local Administrative Rights Independent schools have a unique culture of trust that spreads within IT and security as well. As a result, many schools have opted to allow all faculty and staff to have local administrative rights on their school devices. While this supports the culture of trust and makes it easier for employees to customize their device to their liking, it poses a threat to the school’s security. 

Employees with local administrative rights have the ability to:

• Download software. While most software that would be downloaded is harmless, allowing users to download whatever they need opens a risk that they will accidentally or maliciously download harmful malware that could spread to the entire school environment.

• Change security settings. Controls such as password complexity, automatic lockouts, and cookie settings can all be changed by local administrative users. This makes it difficult for the IT leaders to ensure all systems are configured consistently and are hardened using security best practices.

While these are the top areas independent schools have struggled with, there are other pitfalls such as lacking a dedicated security team and limited security monitoring capabilities that affect many school security programs. IT departments within independent schools are often spread thin, with minimal resources for staffing. The primary focus is always to keep devices connected and functional to ensure that students are provided with the resources needed to further their education. It is important for schools to understand that cybersecurity is not just the responsibility of the IT department, but of the entire organization. Departments such as the business, finance, development, and admissions offices all play a critical role in keeping sensitive data and systems safe. These offices should work as a team with IT to build a strong security program.

Do you have a cybersecurity team at your school? Who is involved? Let us know in the comments below!

Sign in to comment. New to ATLIS? Sign up for a free account.

Cross-posted from Access Points magazine.

Matt Flora is senior director, cybersecurity risk and advisory, at Ankura Consulting.