In the recent 2023 State EdTech Trends survey and report, cybersecurity is touted as a top priority for educational institutions, and for good reason. Over the last few years, cyber attacks against schools and universities have steadily increased. In late 2022, a ransomware attack took down multiple systems of the Los Angeles Unified School District, the nation's second-biggest K-12 system, and caused technical disruptions for days following the attack.
However, protecting educational institutions from cybercrime isn’t easy. Especially when there’s so little budget. In fact, one study found that K-12 schools on average spend just 8% of their IT budgets on cybersecurity. Most likely because the majority of spend is going toward improving and upgrading digital infrastructure. Schools are increasingly adopting tablets, SMART boards, and other IoT devices to improve learning, inadvertently expanding their attack surface at the same time.
But there are other reasons why protecting schools and universities can be a challenging job for IT and security teams. The good news is that even though the IT environments of educational institutions are unique, there is a solution that can help.
Why strengthening cybersecurity posture in schools is such a challenge
Compared to other types of organizations, learning institutions have a constantly changing user base, which leads to security gaps if not addressed. Students change “departments” every summer. Imagine being a CISO at a company with thousands of employees that experience 100% turnover annually, with zero budget, and very few of the employees care about keeping their devices secure.
On top of that, the environment is totally heterogenous. Assets may be dispersed across different offices, campuses, or even student or employee homes. IT and security leaders are responsible for securing student laptops, lab machines, research data, IoT devices, servers, and cloud computing systems. They’re also tasked with managing a massive mix of BYOD policies, third-party licenses, and data that ranges from homework to highly sensitive R&D to Personally Identifiable Information (PII).
All of these challenges, however, can be alleviated with a cybersecurity asset management strategy in place. Let’s explore how.
How cybersecurity asset management can help
The first step to strengthening the security posture of schools and universities is gaining a strong understanding of exactly what devices and digital infrastructure the school owns and controls compared to what students, faculty, and administrators are actually using regularly. This gives schools comprehensive asset visibility, which will help IT and security leaders identify security gaps.
This starts with a credible, always up-to-date asset inventory. For IT leaders, especially, having a record of all unique assets lets them see installed software and agent versions, hard drive capacity and utilization, operating system versions, and more. Having this information makes it easier to identify common IT and security risks, like:
- Whether certain assets have experienced significant downtime, which can impact learning outcomes for students.
- If machines are running unsupported operating systems (especially important as more schools move away from legacy technologies).
- Which devices, software, or other assets have vulnerabilities – and which ones need to be patched and remediated first.
A cybersecurity asset management solution can also help schools identify security gaps, including unmanaged devices or cloud misconfigurations. With rapid digital transformation taking place in educational institutions across the country, the probability of incorrectly configuring cloud access permissions and settings increases. But a cybersecurity asset management solution can help discover cloud instances that aren’t being protected and/or are publicly accessible, driving more comprehensive visibility of the IT environment.
Understanding what areas of your tech stack might be vulnerable to attack is the first step in strengthening your cybersecurity posture. With an accurate and reliable asset inventory, IT and security leaders at educational institutions can then explore:
- Ownership: Understand who is responsible for what to create a comprehensive security program that mitigates risk.
- Permissions: Uncover who has access to what assets and what gaps exist in your security coverage.
- Priorities: Determine what elements of your tech stack are most crucial and need to be visible.
- Monitoring: Develop parameters and indicators that notify when an asset is being attacked or when data is being accessed, along with an emergency response plan.
IT complexity for educational institutions is only going to increase with time. Controlling and managing it requires an approach that automatically and continuously discovers assets in your environment, something only a cybersecurity asset management solution like Axonius can provide.
The federal government lends its support
Additional support for schools is also on its way. Governments and policymakers have recognized the importance of improving cybersecurity in education and are working hard to combat cybercrime in education by creating resources for victims.
For instance, EdWeek shared that the White House and the U.S. Department of Education recently announced the launch of a Government Coordinating Council (GCC). This will facilitate collaboration between governments and school districts to unify schools’ cybersecurity strategies. The GCC is also a key first step in the Department’s strategy to help school districts prepare for, respond to, and recover from cybersecurity attacks.
On the local level, some state legislatures, including Texas and Montana, have allocated millions towards strengthening their districts’ cybersecurity. They’re not alone – the Federal Communications Commission (FCC) has proposed a pilot program that could provide up to $200M over the course of three years, aiming to reinforce cyber defense in K-12 schools and libraries.
Learn more at EDUCAUSE Annual Conference
Nearly every education institution in the U.S. faces cybersecurity challenges. Not only do schools possess a vast amount of PII, making them an attractive target for cyber criminals, but they also have very few resources to adequately improve their defenses. But by focusing on foundational security elements, such as improving visibility into all assets, schools can better secure their attack surface.
