IT is the hero of the COVID school closures. Without your expertise and effort, students would not have had access to education. Your desire to get more funding for IT investments is now backed up by concrete use cases that everyone can understand because they lived them.
Now you have to figure out how to implement technologies like cloud transitioning, secure remote access and cloud app security, while addressing top priorities and sponsoring a culture of security within your school.
Secure remote access
In the shift to remote learning, security was implemented expediently with the best intentions of properly fortifying secure remote access later.
But in the meantime, the new attack surface — more extensive and less defined than ever — remains unsecure.
Today, education comprises almost 60% of ransomware attacks globally. DDoS and video classroom hijacking are also on the rise. Unfortunately, the UK’s National Cyber Security Centre recently noted that just 40% of primary and 64% of secondary schools had undertaken all of its 10 Steps to Cybersecurity Guidance.
That’s why security should be as automated as possible. It should be a zero-trust system that continuously monitors the behaviour of the entities it’s hosting.
Zero-trust assumes every user/device on the network could be malicious. So instead of protecting the entire attack surface or managing large numbers of remote users, zero-trust identifies the most critical assets and treats them as a ‘protect surface’, which is much smaller than the attack surface and clearly defined.
Key elements of a zero-trust defense are strong identities, access controls, multi-factor authentication, trusted endpoints and network segmentation.
IT’s shift to securing thousands of micro-schools located in people’s living rooms, on devices potentially shared with unauthorised users, thrust the limitations of legacy infrastructures running traditional software into sharp focus. Schools went from lagging in cloud adoption to being among the biggest adopters nearly overnight. IT managers are trying to migrate critical apps and services to the cloud, often without much experience.
Fortunately, a phased rollout of small- and medium-sized migrations is manageable. These short-term wins build confidence among decision-makers that will be useful when budgets are allocated. This is probably the approach you’re already taking.
However, there’s one aspect of cloud migration that should be well-thought-out beforehand: security. You need to be acutely aware of the line between what you and cloud providers are obligated to secure.
That can be challenging, particularly in hybrid cloud environments that mingle legacy assets with cloud services. Knowing where data is located in a workload at any given moment, who or what is accessing resources, whether all policies are up to date/without conflict, and compliance status requires automated cloud discovery, dynamic policy enforcement and advanced threat protection.
Get the free whitepaper: Dawn of a new era in education
Cloud app security for remote learning
The application layer — where 84% of attacks occur — is designed to grant privileged access to data, allowing malicious actors who gain entry to sweep up confidential information in a consumable format. The three most common vulnerabilities on the application layer are:
There’s no guarantee the apps you allow to connect to your network are free of vulnerabilities, like inappropriate access controls, inadequate privilege checking, data leakage and more. And apps may also host compromised accounts. Even if an app isn’t susceptible to malicious activities, it may not comply with your district’s data security policy.
Shadow IT is knocking schools out of compliance because there’s no way to know precisely what’s on the network, what it’s doing with the data it handles, and whether it’s full of security holes.
Social engineering and poor security awareness
Users assume their actions are safe because they’re using products from a gold-standard vendor like G Suite or Dropbox. But these products can be compromised by account takeovers, phishing attacks and misuse by well-intentioned insiders.
Schools need the ability to automatically discover applications, classify them, and block or unblock policies/controls. Securing applications shouldn’t impact productivity or carry a high TCO.
Building a culture of security in schools
The single most important thing a school can do is foster a security mindset.
Administrators must recognise they’re no longer running a purely academic institution, but a technology-based educational organisation. This means directing more budget to cybersecurity and communicating the importance of security hygiene.
Teachers and administrators should be prevented from connecting to shadow SaaS from school infrastructure. Schools should have a stringent process for vetting preferred software — but the vetting process needs to be swift, or users will find a way around it.
Regular security awareness training should be implemented. However, not all users will be compliant, so deploy a secure VPN to prevent data leakage and set up controls that stop sensitive data from being exfiltrated.
Security is always in session with SonicWall
SonicWall knows the needs of schools. We work with you to ensure the network you’re providing to home classrooms is secure from end-to-end at a price you can afford. We offer a broad array of products and services, including firewalls, remote access, wireless access points and turnkey Security as-a-Service solutions with a low total cost of ownership. Whether your school has chosen an asynchronous or synchronous learning model, you can keep your school safe and ready when the next threat type emerges.
Find out more about SonicWall solutions for schools
Join us for the live webinar on 27 April. Presented by University Business, Education Technology and SonicWall, where we’ll take a closer look at current cybersecurity trends in education: