The new government focus on K–12 schools takes cybersecurity “out of the realm of being an IT problem to being a leadership problem,” says CoSN Cybersecurity Program Director Amy McLaughlin. “It helps reinforce the message that this is a systemic challenge. It’s an organizational challenge. It’s not just a technology challenge.”
Even districts with advanced cybersecurity technologies already in place need to focus on the building blocks of good cyber hygiene, as defined by the National Cybersecurity Alliance’s four priorities for Cybersecurity Awareness Month. They are: multifactor authentication, strong passwords, software updates and phishing prevention.
Multifactor Authentication’s Extra Layer of Security Stops Hackers
As a multistep login process that requires more than just a password to gain access to applications and systems, MFA is a key safeguard for K–12 schools.
Without it, credentials stolen through methods such as phishing, or through third-party companies and applications, give bad actors access to school systems and data. MFA “prevents the cyberattackers, in most cases, from being able to use a stolen username and password,” says Mardock.
For K–12 staff, MFA’s extra step — such as asking users to respond to a text message — offers “an additional safety net,” says McLaughlin. “It adds one extra layer that makes it that much harder for an adversary to get into an account and compromise it.”
Strong Passwords Keep K–12 Accounts and Networks Secure
IT leaders generally know that complex, hard-to-guess passwords are a deterrent to bad actors.
Cyberattackers “go after the easy targets first, and those are the people with simple passwords: something with 1-2-3-4 or their last name in it,” says IEEE Fellow Karen Panetta, dean of graduate education at Tufts University School of Engineering and author of Count Girls In, a book about mentoring K–12 girls in STEM fields.
Lately, the thinking is changing regarding what constitutes a “strong” password. Twelve characters with upper- and lower-case letters, numbers and special characters? That’s just a mess.
Faced with these over-complex requirements, “I’ve seen people with passwords on sticky notes on their name tags. When you lose your name tags and your passwords, then we have all your information,” McLaughlin says.
The National Institute of Standards and Technology now encourages the use of passphrases, and McLaughlin calls this a great strategy for K–12 users. “‘Drink More Coffee!’ is a password that’s easy to remember and easy to type,” she says.
Software Updates Protect School Technology from Vulnerabilities
Software vendors continually put out updates to patch known vulnerabilities, and it’s crucial that K–12 IT administrators keep up with these changes.
When software makers alert users to a vulnerability, “they’re also notifying the cyberattackers, and the attackers capitalize on the fact that people are not proactive, that they don’t act quickly,” Panetta says.
With bad actors leveraging automated attack tools, outdated software assets present an immediate security risk. When software isn’t up to date, “the cyberattackers can use little robots to go out and find the vulnerable servers and attack them. It doesn’t even require a human anymore,” Mardock adds.