The IT systems that support educational institutions have become more essential than ever during the 2020 lockdown. They have enabled students, teachers and admin staff to keep working and communicating with each other while safely remaining at home.
But, in facilitating remote access to the vital systems which hold sensitive data – including grades, contact details, medical and financial information – it’s important to mitigate the vulnerabilities this creates, which hackers seek to prey on.
There’s little doubt that institutions have been placed under a great deal of pressure during the pandemic, as they have been forced to move online at a rapid pace. This has stretched limited IT resources and cyber criminals have been circling like sharks smelling blood in the water.
Cyber-attacks have increased massively in recent months, with schools and colleges a particular target. In June alone, there were 4.7 million malware incidents in the education sector worldwide.
With so many looking to carry on as usual from the comfort of their homes, hackers have been seeking to attack our means of remote access – our portals and cloud-based services. Their hope is that, in the rush to get schools and colleges online, the desire for convenience has been prioritised ahead of security and endpoint protocols have been left weak.
Brute force attacks have doubled
It’s no surprise that brute force attacks, which seek to expose weak passwords, have doubled during the pandemic to 100,000 attacks per day. When you consider that recent data breach research showed that one in every 142 passwords is ‘123456’, weak passwords are a real area for concern – especially when you also consider that anyone profiling and spying on an organisation can quickly learn usernames and emails. They can also automate their attacks to attempt many logins against multiple systems simultaneously.
So, how can schools protect themselves? Well, the good news is small changes can make a big difference – making it much harder for hackers to compromise your system. Users should always be educated and trained not to use easily guessable passwords. But, take note: a single password is always going to be a weak link no matter what you do.
Endpoint security measures
Putting additional endpoint security in place, therefore, is highly advisable – and there are five initial options you can take here:
- Multi-factor authentication
If schools and colleges only do one thing, they should implement multi-factor authentication (MFA). This will introduce an additional layer of protection that will help to deter most unsophisticated attacks. Do this for all your internet-facing systems – VPN portals, cloud services and so on.
- Limited login attempts
Another key addition would be to implement login protection systems designed to deter those brute force attacks. Systems that allow only a limited number of login attempts before locking the account are especially effective. By limiting to three login attempts, and adding increasing delays between incorrect login attempts, you create a significant barrier that’s much harder to penetrate.
Of course, while we want to make life more complicated for attackers, we still want to limit the complexity for users – be that students, teachers or admin staff. So, you may also want to consider introducing single-sign-on (SSO). If users need 10 different passwords for various applications, this can be a nuisance and encourage people to be lax when it comes to choosing the passwords they need to remember. Therefore, you may want to provide one access portal for all those apps regardless of whether you’re on-premise or operating remotely – and focus on making protection particularly strong at that point of access.
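The login limit described under "Limited login attempts" can be sketched as follows. This is an added example, not code from the article: the three-attempt limit is the article's figure, while the 2-second base delay, the doubling rule and all class and function names are assumptions made for illustration.

```python
import time

MAX_ATTEMPTS = 3    # failed attempts allowed before lockout (the article's figure)
BASE_DELAY = 2.0    # assumed: seconds to wait after the first failure, doubling each time


class LoginThrottle:
    """Per-account failed-login tracking: increasing delays, then lockout."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._state = {}  # username -> (failure count, time the next try is allowed)

    def status(self, username):
        """Call before checking the password: 'ok', 'wait' or 'locked'."""
        failures, not_before = self._state.get(username, (0, 0.0))
        if failures >= MAX_ATTEMPTS:
            return "locked"
        return "wait" if self._clock() < not_before else "ok"

    def record(self, username, success):
        """Call after checking the password."""
        if success:
            self._state.pop(username, None)  # a good login resets the counter
            return
        failures = self._state.get(username, (0, 0.0))[0] + 1
        delay = BASE_DELAY * 2 ** (failures - 1)  # 2 s, 4 s, 8 s ...
        self._state[username] = (failures, self._clock() + delay)

    def unlock(self, username):
        """Helpdesk or timed reset path for a locked account."""
        self._state.pop(username, None)


def try_login(throttle, username, password, verify):
    """Gate a password check behind the throttle; returns the outcome string."""
    state = throttle.status(username)
    if state != "ok":
        return state  # rejected without even looking at the password
    ok = verify(username, password)
    throttle.record(username, ok)
    return "success" if ok else "failed"
```

The counter is keyed on the account rather than the source address, so guesses spread across many machines still count against the same limit. A locked account needs a recovery route such as `unlock`, otherwise legitimate staff and students stay shut out.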
- Device registration
Whenever you have people signing in remotely from home, you will also need to consider the device they’re using and mitigate the risk they pose. If you have a bring your own device (BYOD) policy and device registration, you can use a management solution that will help validate security on a user’s personal home machine, without compromising their privacy.
- Conditional access
A conditional access system can add extra rules to protect logins to your systems and data. Over and above who can log in, you can also validate against extra conditions such as location, and – for example – prevent access from countries your users don’t routinely travel to. You’re also able to check a variety of other risk elements, and in conjunction with your device-management solutions (e.g. MDM/EMM), ensure that devices are flagged as security-compliant. If the conditions are not met, the access being attempted can be denied.
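The conditional access checks described above can be expressed as a small policy evaluator. This is an added example, not code from the article or from any vendor's product: the field names, the allowed-country set and the sample sign-ins are constructed for illustration, and it assumes missing information (failed geolocation, unregistered device) should be denied rather than waved through.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SignIn:
    user: str
    country: Optional[str]            # from IP geolocation; None if the lookup failed
    device_compliant: Optional[bool]  # flag from MDM/EMM; None if the device is unregistered


@dataclass(frozen=True)
class Policy:
    allowed_countries: frozenset
    require_compliant_device: bool = True


def evaluate(policy, signin):
    """Return ('allow' or 'deny', reasons). Unknown values fail closed."""
    reasons = []
    if signin.country is None:
        reasons.append("location unknown")
    elif signin.country not in policy.allowed_countries:
        reasons.append(f"country {signin.country} not allowed")
    if policy.require_compliant_device:
        if signin.device_compliant is None:
            reasons.append("device not registered")
        elif not signin.device_compliant:
            reasons.append("device not security-compliant")
    return ("deny" if reasons else "allow"), reasons


def review(policy, signins):
    """Evaluate a batch of sign-ins, keyed by user, for logging or alerting."""
    return {s.user: evaluate(policy, s) for s in signins}


# Constructed sample data, not taken from any real system.
POLICY = Policy(allowed_countries=frozenset({"GB", "IE"}))
SAMPLE_SIGNINS = [
    SignIn("teacher1", "GB", True),    # expected: allow
    SignIn("student7", "GB", False),   # registered but out of compliance
    SignIn("admin2", "BR", True),      # outside the allowed countries
    SignIn("student9", None, None),    # no geolocation, unregistered device
]

if __name__ == "__main__":
    for user, (decision, why) in review(POLICY, SAMPLE_SIGNINS).items():
        print(user, decision, "; ".join(why))
```

Returning the reasons alongside the decision gives the helpdesk something to act on and gives monitoring a record of which condition blocked each attempt.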
With a high turnover of students every year, you cannot rely on all users taking the necessary steps to protect a school or college’s network. You should encourage this of course, but by implementing the right endpoint systems, you can add additional layers of protection that will reduce vulnerabilities and guard against common threats, such as a brute force attack.