Cybersecurity for Schools: Your Back-to-School Plan

As a new school year begins, cybersecurity for K-12 is more critical than ever. Let’s explore top tips on how to prepare.

When the school doors swing open for the start of the new year, so do the digital doors. When discussing cybersecurity for schools, this moment is critical.

A flood of users and personal devices suddenly expands your digital attack surface. The new faces are vulnerable to phishing and other social engineering attacks. Changes made over the summer to devices and new technologies all add to the pressure.

Lumu talked with two experts who have had hands-on experience in handling the start of term with schools: Andy Boell, Cybersecurity Director from Nebraska Cybersecurity Network for Education, and Gabe Stacy, CEO of Acture/CSI, a Managed Service Provider (MSP) in New York.

They emphasized that now is the time to act. Let’s explore their top tips.

Back-to-School Cybersecurity Threats

Andy says, “Schools are a very interesting animal compared to a non-education environment. In a bank or a hospital, for example, you don’t have to allow everybody who comes through the door to connect to your network. At a school you do.”

Gabe echoed that sentiment, “You have all your normal threat vectors, like infostealers and ransomware, but multiplied by the fact you might have 500 people using the network — admins, students, teachers.”

Schools are a prime target for cybercriminals year-round. Lumu’s recent education report showed that threats like phishing, droppers, infostealers, and ransomware all have schools in their sights.

The stakes are high. K-12 data, including health records and financial information, is valuable on the dark web. Ransomware can paralyze a school by locking critical data. These attacks often start with phishing: a single click from a new admin on a fake invoice can be the entry point for a network-wide attack.

Andy says the back-to-school period is a particular threat. “The first four or five weeks is the busiest time of the year. More users coming onto the network. Any changes during the summer? This is when things break or stop working.”

Gabe adds, “You have to worry about your devices, your network, and your security. There could be a new building on campus. You are giving out new devices. All sorts of things are at play.”

Andy explains, “These IT tasks take the focus of the security director away from cybersecurity. As a cybercriminal, this is the best time to attack.”

So, what should the priorities be for cybersecurity as students and teachers return to school after the summer?

Cybersecurity Priorities: The End of Summer

When it comes to cybersecurity for schools, the summer vacation is the build-up to the busy back-to-school period. The better prepared you are, the easier this will be. Your plan to start the new term can be divided into tech priorities and people priorities.

Tech Priorities: Securing Your Digital Infrastructure

Back-to-school is about people — but technology is the foundation stone for learning. Before students return, your IT team must harden your network. Address vulnerabilities now to prevent attacks later.

Patch

Update every system. Servers, classroom computers, IoT, everything. Hackers exploit known flaws. Patching closes those doors before hundreds of new users log on.

Gabe says, “Make sure your patches are in order. Get your firmware updates done over the summer. It will keep you safe throughout the year, when you’re probably fighting fires.”

Segment the Network

Isolating student devices and guest networks from sensitive administrative and financial systems can help contain a breach. Be sure to organize this before students and staff return.

Andy says, “Schools are unique as you need to educate everybody. That means you have to let everybody onto the network, and that may include hackers or bad guys. Network segmentation is essential. It stops people who are using the network from getting to sensitive areas.”

Do Maintenance on Returning Devices

Andy says, “Many teachers take laptops home over the summer. The protections that it has during the school year, it may not have had during the summer. Every year a handful of those devices come back with a virus or some type of nasty software on there that has to be removed.”

It’s a good idea to start this process before the term starts, so communicate with the staff and ask them to bring in their laptops early.

Reinforce Access Controls

Require Multi-Factor Authentication (MFA). It protects accounts even when a password is stolen. Use the principle of least privilege: give staff access only to the data they need for their job. Nothing more.

Create your rollout plan for this now. Enforcing these rules is much harder once the school year is underway.

Human Priorities: Building a Cybersecurity-Aware Community

Your people are your most important defense. Back-to-school is the time to build a human firewall. Train your staff and students to spot threats before they cause damage.

Train Teachers, Staff, and Students

As you hand out devices and onboard new employees, this is your time to connect. Andy says, “There is no legal requirement to train staff and students, but it is important that we do.”

A shared approach makes training more effective and cost-efficient. Andy advises, “Don’t go it alone. Ask for help and connect with other schools nearby. See what you can work on together. If several schools are using the same technology, vendors might be open to the idea of coming in and providing free training.”

Remember, whether it’s a student learning about safe browsing or a teacher understanding phishing risks, ongoing awareness and training are key.

Use the Resources

For many staff, being in charge of tech or cybersecurity for a school is new and some start with little or no cybersecurity knowledge. It can feel overwhelming at first, but, Andy says, “take advantage of the tools and resources you have available to you. There have been many others in this position across the USA and there is help out there and online.”

Ask for Help

By working with partners, such as MSPs, other schools, and your own staff, you can build a community that understands its role in keeping the entire campus secure.

Gabe poses the question, “Where should schools get advice? Ask an MSP, like us. People come to us because we’re trusted. We have talented engineers that know the products and can help with decision making.”

Andy adds, “If you ask, maybe your service provider can come out and help on the day you hand out the laptops, for example. It’s all about delegating amongst the staff and asking for help.”

Stay Vigilant

Andy says that there is often a peak in attacks at this time of the year. This is a very busy period, so good planning and delegation of tasks are essential so that the security team, or the security person, doesn’t take their eye off the ball.

Cybersecurity for Schools: The New Term Begins

The new school year is a critical time for your digital defense. Threats like ransomware and phishing target student data and disrupt learning.

Your approach must be proactive. Secure your technology with patch management and network segmentation. Build your human firewall with ongoing training.

Protecting your school requires a clear plan. Lumu can help you defend against these risks. Contact us to learn more.
