The bell rings and school’s out for the summer. Students and staff have been looking forward to a well-deserved break, but cybersecurity for schools can’t stop.
Of course, IT staff need vacations too, but criminals are ready to take advantage of any gaps in security and lack of monitoring during the summer. This is also the time of the year to renew equipment, update the security stack, do essential training, and prepare devices for the return back to school. Often without a dedicated team, the workload can be overwhelming.
This blog will offer practical advice on how to manage the responsibility of cybersecurity in schools over the summer.
Protecting Student Data During Summer Break
Cybersecurity for schools is a unique challenge. There are multiple endpoints such as desktops, laptops, and IoT devices like smoke sensors, cameras, and smartboards. There needs to be remote access and cloud systems available for students, teachers, and management.
This creates a perfect summer storm. As tech staff take vacations and tasks pile up, criminals look for easy targets.
For this blog post we talked with two experts in looking after schools’ tech calendars: Andy Boell, Cybersecurity Director from Nebraska Cybersecurity Network for Education, and Gabe Stacy, CEO of Acture/CSI, a Managed Service Provider (MSP) in New York.
Both experts highlight that schools face unique challenges. Andy says the biggest challenge for schools and school districts is manpower. He tells us that “many tech leads are teachers, librarians, or coaches who are roped into the role. Even a dedicated tech team is often kept busy fixing printers or projectors — more immediate priorities for a student’s education.”
Gabe adds, “Some schools, given the nature of education, prefer usability over security. But when you open yourself up on that spectrum you invite different challenges.”
Andy and Gabe suggest a list of steps to ensure that your school stays protected over the summer and beyond.
School Cybersecurity Priorities Before Summer Break
Part of a successful summer period is approaching it with the right mindset and preparation. Unfortunately, the time leading up to the break is often the busiest of the year.
Andy points out that “Major events like a football game, prom dances, or standardized testing periods create immense operational pressure”. There are many additional users and intense peak times. The tech director will be likely to have to focus on keeping devices and the network running.
This is a very popular time for cyberattacks. Andy says, “The intense focus on operations pulls the security director’s attention away from attacks. This is the best time to attack.”
This also takes time away from key summer prep, which can leave security gaps when school is out. For this reason, it’s important to plan ahead before it is too late. Try to be methodical.
Receive Devices & Check Inventory
A well-planned and careful inventory check will help schedule repairs or replacements.
Andy says that in his experience, depending on the school, the tech team may need to collect in Chromebooks or other student devices. You should list all devices on the network. This includes IoT devices like smartboards and security cameras (often the easiest way for an attacker to get into the school’s network). This list helps you plan updates and security checks for the equipment.
A detailed inventory helps you plan security and discuss this with the board and outside experts. This includes Managed Service Providers who can help schools with their cybersecurity needs. Andy adds that “MSPs sometimes offer special deals for schools, so it is worth reaching out to them.”
School Cybersecurity Priorities During Summer Break
This is when many tech teams lose focus. Students go on vacation, and so do staff, including the IT team.
Three rules will help you stay secure: always have security on call, do security housekeeping, and review your security tools.
Plan for Absence
Andy reminds us, “Adversaries don’t take a summer break, but school tech teams often do, leading to reduced monitoring.”
Andy says that he has one essential rule when giving advice about cybersecurity for schools: “Have a person as backup. When you are gone, someone should be able to step in. This could be a deal with a nearby school. Or teach someone how to do it. You learn the process even better when you teach it. Plus you get someone to help when you are away.”
Do Security Housekeeping
Andy says, “Use this quiet time for crucial security tasks that are too disruptive during the school year.” See this time as a gift to do all the security work you can’t do when school is in session.
Gabe also stresses, “It is essential to prioritise maintenance. Make sure your patches are in order. Get the updates done over the summer.” Remember this could include IoT devices.
You will need to do housekeeping with the data and student accounts:
- Clean up old accounts
Deactivate access for students and teachers who have left. This stops orphaned accounts from being exploited. - Manage data storage
Review and execute a data destruction plan for information you no longer need. If you must keep it, back it up to a secure, offline drive.
Gabe adds, “These are good summer projects. Do this well and they will keep you safe throughout the rest of the year, when you’re probably fighting fires.”
Update Your Security Stack and Procedures
Summer is the time to update security tools and plans. This avoids disrupting classes. It is always better to improve security before an attack takes place than to react to a disaster.
Gabe says that technologies change. For example Endpoint Detection and Response (EDR), which was considered a miracle defense a few years ago, today has to be looked at in a different light. “We’ve seen EDR evasion a couple of times. It’s pretty scary. What worked five years ago, best of breed, it’s time to circle back and look again. Of course this might mean more investment, so look for advice.”
Seek guidance from partners like other schools, MSPs, or education networks. Use a proven guide like the CIS Controls instead of reinventing the wheel. The goal is to improve your security over time.
Gabe suggests, “Ask your MSP. People come to us because we’re trusted. We have talented engineers that can help with decision making.”
Andy suggests using a proven security framework. “Don’t try to reinvent the wheel. Use a practical, proven guide. The CIS Controls are a great start. They don’t need a PhD like the NIST framework.” He advises using resources from K12-SIX and CISA to build your plan.
Start with the basics. Andy says, “You need network segmentation, email protection, and a solid firewall. Then you should move to a little more advanced tools like EDR and implement a zero-trust model.”
However, defenses can be beaten. “This is where products like Lumu fit in,” says Andy. “The network visibility, automation, and personalized intelligence in the Lumu platform can make a big difference. For example, it can detect polymorphic malware that evades traditional defenses by changing how it appears.”
Put Cybersecurity Top of The List This Summer
The summer break doesn’t have to be a source of anxiety. Use it as a time for cleanup, planning, and upgrades. You can turn a high-risk period into your biggest security advantage.
A little preparation now will ensure a safer, smoother, and more resilient back-to-school season. Use this blog to make yourself a cybersecurity summer break checklist and check off your to-dos one by one.
Take advantage of the summer to talk with Lumu — we can help you build a stronger, more professional security stack. Get in touch with us directly to find out about special offers for education and how we can help you this summer.