
6 Things You Can do to Prevent Breaches

If You're Havin' Data Problems, We Feel Bad For You
99 Problems and a Breach Ain't One

When it comes to data breaches and hacking, Hollywood has conditioned us to envision the most ambitious targets of international mega-corporations' intellectual property, government intelligence, or massive theft from financial institutions. But your school district has some pretty important Personally Identifiable Information (PII) stored for students and staff – and it likely requires less to access than Tom Cruise suspended from the server-room ceiling.

The stats show that education breaches are on the rise – and no wonder, with all the social security numbers, bank accounts, health information, and plenty of other safeguarded data contained in school systems these days. Much of that information is spread across a school district's SIS, HR, accounting, nutrition, and other systems. Implementing more technology to improve school experiences equates to more (potentially sensitive) data stored within the digital environment.

Fast Facts on Data Breaches within Education:

  • The average data breach costs $225 per compromised record. Within the U.S. education sector, data breaches cost $245 per compromised record (worldwide education sector average is $200 per record) (Ponemon's 2017 and 2018 Cost of a Data Breach Study)
  • While the education sector does not experience the same reputational damage following data breaches as commercial entities do, it typically takes far longer for breaches to be identified and contained there. Worldwide averages for education sector response times are 221 days to identify a breach and 83 days to contain it, whereas the financial industry typically identifies a breach in 155 days and contains it within 34. The longer a data breach goes unnoticed, the higher the cost and damage. (Ponemon's 2017 and 2018 Cost of a Data Breach Study)
  • Education is the third highest industry targeted for data breaches (https://blog.gemalto.com/security/2018/04/13/data-breach-stats-for-2017-full-year-results-are-in/).

Because data breaches can happen in so many ways, no one-size-fits-all solution exists. Just last year, Washington State University fell victim to a storage unit burglary that saw a hard drive containing 1 million individuals' sensitive information go missing. No amount of digital security could have stopped that one. Security requires a holistic and multifaceted approach to be successful. Here are 6 processes your school district can enact to help beef up barriers against those bit-burglars.

1. Staff Training

Run your district's staff through a quick refresher course at the start of every year to keep security fresh in their minds. These kinds of training are admittedly dull and, just like everything else in life, we all like to think "data breaches will never happen to me." It takes only a few minutes to cover the most important details – treat any device (e.g. desktop, laptop, phone) capable of accessing school district systems with the respect it deserves, protect your passwords without writing reminders where others can easily find them (kids are kids...), and be extra leery of any fishy-looking phishing or other scam emails. Incorporate some breach statistics to convey just how serious a threat exists and what the financial ramifications are.

2. Phishing Simulations

Many security issues are the result of human error and simply clicking on the wrong thing. When breach attempts look a lot more like emails asking to "Please Resubmit Purchase Order" than screensavers from the Matrix, they are a lot easier to fall for. These types of "spear-phishing" attempts, or highly targeted phishing efforts, tend to lead to more breaches because they target specific personnel with emails that may reference a department or regular job function to look similar to everything else in your inbox on a given day.

Incorporate a free or paid phishing simulator to periodically test users' ability to detect phishing emails by sending some yourself. Alerts and reports are provided whenever anyone mistakenly clicks on or responds to one of these messages. Using one of these simulators, you can put your users through active training to help them learn to be more secure. Remember to remind staff to double-check any time they cannot be 100% positive an email is legitimate. If something looks even a little off or out of the ordinary from a sender you know or can contact, pick up the phone and call them to verify. Skipping that extra minute is simply not worth the risk.

3. Student Training

Develop or assist a teacher in developing a simple lesson plan to help cover digital security. Despite kids seeming like tech-wizards by the time they enter school these days, they are no less vulnerable to data breach attempts. Further, digital security is certainly a valuable life skill to impart and the whole point of school is to provide an education to prepare students for the world that awaits them as they grow older. From that perspective, ensuring that students review basic digital and identity security once a year should be a no-brainer.

4. Evaluate Accounts

How often does your IT team evaluate accounts? It can certainly be a laborious process, but evaluating all of the activated accounts within your school district's environment can have a massive effect on shoring up security and minimizing digital bloat. Are there orphaned accounts floating around within your systems that former students and staff still have the ability to access? Are there review processes for determining and updating what different users should be able to access, such as during job or grade changes?

The best time of year to do this may be as you update everyone's accounts from the previous year. However, IT departments across all of education get slammed every summer while preparing for the start of the new academic year. If the time to sit down and evaluate accounts seems to continually elude you, try to chip away at it between other processes, schedule it as a larger project during less demanding months, or around specific events (e.g. performance review, role/position change).

5. Review User Account Lifecycle Processes

What is the standard process for deactivating user accounts once a student has graduated, transferred, or been expelled? What about for a teacher who retires, takes a position elsewhere, or is fired? These types of departures – whether involving immediate security concerns or not – are the largest contributors to orphaned accounts hanging around in your systems. Manually managing or automating account deactivation is a crucial step within user account lifecycles. Review and optimize your deactivation processes to determine how fast and comprehensive they are when it comes to quickly restricting accounts – particularly in preparation for malicious individuals who wish to cause damage. Rapid responses can prove invaluable. Enjoy the peace of mind that comes from knowing your process cleans everything up.
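The account review in sections 4 and 5 boils down to reconciling what the directory actually contains against what the SIS/HR roster says should exist. The following added example (not code from the original article) does that for a constructed roster and directory export: it flags accounts with no roster entry as orphaned, accounts holding groups their current role does not justify (e.g. after a job change) as over-entitled, and authorized accounts with no recent login as stale. The field names, the role-to-group mapping, and the 90-day threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Optional

TODAY = date(2018, 9, 1)          # fixed "today" so the example is reproducible
STALE_AFTER = timedelta(days=90)  # assumed policy: flag logins older than this

@dataclass
class Account:
    username: str
    enabled: bool
    last_login: Optional[date]   # None = never logged in
    groups: FrozenSet[str]

# Constructed authoritative roster: who the SIS/HR systems say is active
# and what role they currently hold.
ROSTER = {
    "jdoe":   "student",
    "asmith": "teacher",
    "bjones": "accounting",   # moved from HR to accounting this summer
}

# Constructed directory export: what the identity system actually contains.
DIRECTORY = [
    Account("jdoe",   True, date(2018, 8, 30), frozenset({"students"})),
    Account("asmith", True, date(2018, 5, 2),  frozenset({"staff"})),
    Account("bjones", True, date(2018, 8, 29), frozenset({"staff", "hr"})),
    Account("rgone",  True, date(2018, 3, 1),  frozenset({"staff"})),     # left in June
    Account("tgrad",  True, None,              frozenset({"students"})),  # graduated
]

# Assumed mapping from roster role to the groups that role should hold.
ROLE_GROUPS = {"student": {"students"}, "teacher": {"staff"},
               "accounting": {"staff", "accounting"}, "hr": {"staff", "hr"}}

def review(directory, roster, today=TODAY):
    """Return findings keyed by username: orphaned, over-entitled, or stale."""
    findings = {}
    for acct in directory:
        if not acct.enabled:
            continue                      # already deactivated, nothing to do
        if acct.username not in roster:
            findings[acct.username] = "orphaned: deactivate"
            continue
        extra = acct.groups - ROLE_GROUPS[roster[acct.username]]
        if extra:
            findings[acct.username] = f"over-entitled: remove {sorted(extra)}"
        elif acct.last_login is None or today - acct.last_login > STALE_AFTER:
            findings[acct.username] = "stale: confirm still needed"
    return findings
```

Run against a real directory export, the orphaned list is the deactivation queue and the over-entitled list is the input to the role-change review the article asks about.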

6. Implementing a Secure SSO Portal

Using a single entry point for the majority of your systems and applications makes everything easier for everyone involved – users only need to remember one set of credentials, and administrators can protect resources behind more restrictions without reducing easy access. Configurable security settings (e.g. date and time restrictions) allow admins to control their environment even as it extends to the cloud, with staff, student, and even parent users requiring access from home. Applications and systems containing sensitive information can be made inaccessible from anywhere other than school grounds to reduce risk. Secure portals should also maintain logs of user activity to help determine when and how any investigated access events occurred.
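To make the portal settings described above concrete, here is an added example (not code from the article or any particular SSO product) of the access decision such a portal makes: per-application policies with a date/time window and an on-premises-only flag, evaluated for each request, with an audit record written for every decision so investigators can later see when and from where access was attempted. The campus address ranges, policy field names, and applications are constructed assumptions.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed: the district's on-campus address ranges.
SCHOOL_NETWORKS = [ip_network("10.20.0.0/16"), ip_network("192.168.50.0/24")]

# Constructed per-application policies. 'window' is an allowed (start, end)
# local-time range, 'weekdays' uses Monday=0, and 'on_premises_only' blocks
# any request that does not come from a campus network.
POLICIES = {
    "lms":       {"window": None, "weekdays": None, "on_premises_only": False},
    "sis_admin": {"window": (time(6, 0), time(19, 0)), "weekdays": range(0, 5),
                  "on_premises_only": True},
}

AUDIT_LOG = []   # a real portal would write these records to durable storage

def on_campus(src_ip):
    return any(ip_address(src_ip) in net for net in SCHOOL_NETWORKS)

def decide(app, user, src_ip, when):
    """Evaluate the policy for one request; returns (allowed, reason) and
    appends an audit record whether the request was allowed or denied."""
    policy = POLICIES.get(app)
    if policy is None:
        allowed, reason = False, "unknown application"
    elif policy["on_premises_only"] and not on_campus(src_ip):
        allowed, reason = False, "off-campus access to restricted application"
    elif policy["weekdays"] is not None and when.weekday() not in policy["weekdays"]:
        allowed, reason = False, "outside permitted days"
    elif policy["window"] is not None and not (
            policy["window"][0] <= when.time() <= policy["window"][1]):
        allowed, reason = False, "outside permitted hours"
    else:
        allowed, reason = True, "policy satisfied"
    AUDIT_LOG.append({"time": when.isoformat(), "user": user, "app": app,
                      "src_ip": src_ip, "allowed": allowed, "reason": reason})
    return allowed, reason
```

Denied attempts are logged with the same detail as allowed ones; a run of off-campus denials against the SIS for one user is exactly the kind of event the logs exist to surface.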

Risky Business: Overcoming Onboarding Exposure (Explicitly, Perilous Passwords)

Few everyday technology interactions get on people’s nerves quite as much as the dreaded “Password Expired” notification. It is bad enough having to remember all of your passwords before having to change it up with a new value or a slightly different version of an older one – “Was it Brutus#341, Brutu$452?, or Brutus3#$!?”
