Research Hub > Prevent Insider Cyberattacks in K-12 Districts

October 07, 2022

Article
8 min

8 Precautions to Prevent Insider Cyberattacks in K-12 Districts

Whether the threat comes from within the schoolhouse or outside of it, these are the safeguards K-12 institutions need to implement.

The dark web is overflowing with student and teacher data collected nefariously from schools. Classes across the US are disrupted daily due to cybersecurity breaches. For school IT Leaders, attempting to hamper the efforts of external bad actors is usually top of mind. And rightfully so. In 2021, 56% of K-12 schools surveyed by digital security firm Sophos reported being hit by some type of ransomware.
 
But assuming that threats are always originating outside of the school is a mistake. While it is critical to deflect external attacks, it’s not uncommon for rogue or neglectful students and staff to topple a school district from within, whether done with intention or not.

What is an Insider Attack?

The Government Accountability Office includes “Insiders” as one of five different threat actors. Insiders are individuals with authorized access to an information system or enterprise who have the potential to cause harm, wittingly or unwittingly, through destruction, disclosure, or modification of data.

If an insider hacks into a district’s server they could potentially intercept Personally Identifiable Information (PII), including grades; teacher’s home addresses; dates of birth and social security numbers; 504 plans and medical files—both those regulated and unregulated by HIPAA; and even bank accounts.

According to the Ponemon Institute’s 2022 Cost of Insider Threats Global Report with Proofpoint, over a 12-month period, 26% of incidents were relating to criminal insiders. The report also found that the annual cost of a data breach in education & research could cost $9.45 Million.

Because laws like FERPA, CIPA and COPPA protect student and staff’s PII, if some of this information is made public, schools and districts could be responsible for paying fines or be named in lawsuits. Recovering from the financial burden of a cyberattack can be daunting. Cybersecurity Liability Insurance can prevent a school from shutting down permanently, but before it can be purchased an institution must first begin the process of enhancing its cyber security posture. 

What does Cybersecurity Insurance Cover?

Cybersecurity Liability Insurance, which covers the costs schools face, has been a huge benefit to schools seeking to lessen the financial impact they carry after an attack. But like any insurance, it’s better to take precautions to prevent an attack than to rely on insurance for a bailout. Additionally, even though insurance may cover the costs of ransom for data, it will not prevent a school’s reputation from being damaged when parents learn through the media or elsewhere that their children’s PII has been made accessible by a third party without their prior consent.

Additionally, the costs of cybersecurity liability insurance have been rising precipitously as not only demand increases but as incidents occur more frequently. Here are eight ways CISOs can pre-empt bad actors by readying their schools for attempts from within, and also meet the requirements for cybersecurity liability insurance.

1) Add Multifactor Authentication

MFA is a security system that requires a user to enter a combination of two or more credentials (i.e. a password and a code emailed or texted to a mobile phone) to verify a user’s identity in order to gain access to a physical space, a device, a network or data. The majority of elementary students do not own mobile phones or email addresses outside of the school’s network so this precaution is generally more useful for staff with privileged roles such as educators and administrators who regularly login to databases containing PII. Cisco Duo will provide more visibility into all badged devices and also enforce identity policies.

2) Enforce Identity Access Management

More than 80% of all attacks involve credentials use or misuse in the network, according to CDW partner Crowdstrike. The Zero Trust framework asserts that any user has the potential to be a threat, whether purposely or by accident. Enforcing Identify Access Management means configuring your district’s security posture to authenticate users and only grant them access once they have been validated based on a number of factors including Single Sign-On (see below), MFA, location, behavior analysis, and device hygiene, among many other things. Validation is not a singular event. IAM architecture can train Artificial Intelligence and Machine Learning programs to continuously monitor and vet users based on numerous identity attributes. Setting up IAM in your district will prevent a student user from logging into documents that only administrators are authenticated to access.

3) Inventory Endpoint Devices

Staying abreast of a configured device’s location is a critical factor in protecting a school district from an insider threat. The average school district owns tens of thousands of notebooks and tablets, thousands of printers and Wi-Fi access points, and hundreds of Bluetooth enabled peripherals like smart displays, projectors and mobile phones. And that number not only increased over the pandemic, but device sprawl increased as well. Data collected by CDW security partner, Absolute, for its 2021/22 annual Endpoint Risk Report: Education Edition shows that by the spring of 2021 some devices purchased by districts in 2020 were never delivered to the end user and in one district 47% of devices had wandered more than 25 miles from the school district. Knowing which endpoints are real and in the custody of an active authenticated user will also help you know which devices are trustworthy.

4) Enhance Web Security

One of the top requirements of Cybersecurity Liability Insurance is to have a robust antivirus solution. Without one, students could be exposed to problematic content. The Children’s Internet Protection Act (CIPA) of 2000 requires libraries and K-12 schools to use web filters and other measures to protect children by limiting their access to the obscene or harmful parts of the Internet. CDW-G can consult with institutions and guide them to partner solutions like GoGuardian, which can protect, limit and provide network visibility, while also reducing an institution’s liability. A content filter can also prevent students or staff from inadvertently opening the door for external attackers.

5) Schedule Regular Staff Trainings

As more cybersecurity initiatives are deployed, staff may become frustrated with the pace of learning and implementing additional measures. Cybersecurity Awareness Training can not only assist with keeping educators aware of pitfalls, but also it can help them understand what is at stake and how their actions or inactions can cause a breach and derail their student’s learning. Keeping staff engaged can take many different forms. Keep in mind that exercises that require engagement are more memorable than periodic communications by email or posters. Additionally, it is important to train staff based on their roles. For example, high-level administrators are likely targeted by phishing attempts more often than the general population at a district. Spot testing leaders with fake phishing campaigns will remind them to be continuously vigilant.

6) Deploy EDR/MDR Protocols

Endpoint Detection Response or Managed Detection Response, which provides more oversight of a district’s networks via reporting, can make it easier to dissect event threats from a dashboard with support from a third party. Additionally, EDR/MDR, which is often required for Cyber Security Insurance, can provide remote quarantining of suspicious devices. MDR solutions offered by CDW via its partners like Crowdstrike or Cybereason can provide cloud, data and endpoint security via machine learning, extended monitoring and supplemental expert support. Support staffing can be especially comforting to districts struggling to find skilled security experts to monitor large networks with hundreds of thousands of endpoints.

7) Upgrade Gateways / Firewalls

Firewalls and gateway appliances, which both provide multi-layered protection against spyware, may seem counterproductive when trying to block an insider threat, since they typically target external threats.  But they can be one of the most useful deterrents to insider schemes because they can silo data and devices, thereby preventing staff and students from accessing data that they aren’t credentialed to see. Some Gateway appliances even offer event threat detection that hunts down threats to various endpoints from printers to mobile phones, analyzes user behaviors, and blocks users from infected applications and websites. Some gateways like those made by Cisco, Fortinet or Sonicwall can toggle specific features of a website (like chat, video or streaming) on and off remotely.

8) Conduct Vulnerability Assessments and Penetration Tests

Not all hackers are the same. Once your automated tools present a potential vulnerability to you, how do you know if it is real? That’s where red team hackers come in to conduct penetration tests, or simulated attacks to validate whether a threat is real. If a vulnerability is detected, these experts can also consult to determine if the vulnerability has been exploited and if not, assess via a CDW Security Mediation Workshop what your security operations center should do to close it. Consider that it can take on average 216 days to identify a malicious insider data breach by the initial attack vector, and 68 days to contain it, according to IBM/Ponemon Institute’s Cost of Data Breach Report 2022. Investing in cybersecurity experts like those at CDW, can also help reduce the time it takes to detect and fix a breach.

Take Your First Step to Avoid an Insider Threat

In summary, the question is not if you will be breached but when, and more importantly by whom? While it takes just one person to open the door to a cyberattack, preventing a cybersecurity event is not a one-person project. Establishing a Zero Trust environment, taking inventory of your endpoints, upgrading firewalls, training staff and enhancing web security are the first steps to building a more secure environment for users. But investing in Managed Detection Response from a third party like CDW and our partners will give you enhanced tools, a robust view of your entire security posture, help you deploy training campaigns, provide networking solutions, and offer threat hunting tools and teams. All of these tactics will make your district more likely to be eligible for Cybersecurity Liability Insurance and less likely to be the target of an insider threat.