July 21, 2022
Though it’s the middle of summer educational institutions always on high alert and are constantly thinking about how to better guard the physical well-being of their students. For some that means more restricted access and metal detectors, for others it’s AI-enhanced surveillance technology and gun detection systems.
Besides physical threats, students, teachers and even parents are also increasingly vulnerable to virtual ones — cyber attacks that compromise personal information, often for the purposes of identity theft and ransom demands.
“I don’t see much, if anything, around physical security improvements,” says Mishaal Khan, Mindsight Cybersecurity Practice Lead. “I was hoping that with technology like contact tracing, it would integrate into better physical access controls, but that whole thing died down faster than it came up.”
According to Khan, there needs to be a much more holistic approach to security in general. Cyber and physical, he explains, “are still quite siloed.” Moreover, attacks in both of those realms are becoming disturbingly more frequent—albeit with far different consequences.
Cyber attacks, in fact, are near-constant. Bombarded with everything from malware and phishing attacks to ones that exploit outdated software and employ clever social engineering techniques, schools have long been “soft” targets for criminals who hide behind keyboards.
At a recent hearing of the Senate Health, Education, Labor and Pensions Committee, where participants and politicians discussed cyber threats in healthcare and education, Amy McLaughlin, Cybersecurity Program Director with the Consortium of School Networking, ticked off a number of ways in which cyber attacks negatively impact school districts, teachers and students. They included “lost instructional time, damage to schools’ reputations, high financial costs of cyber incidents, rising cybersecurity insurance costs, financial and credit hardships for students and employees from the loss of their personal data, and rising mental health impacts, including increases in anxiety and depression.”
The cautionary example McLaughlin used was a stark one. On the first day of classes this year, Miami-Dade County Public Schools in Florida “saw their networks overwhelmed by denial of service attacks. K-12 schools and districts experienced significant challenges in protecting themselves from cyber-attacks. Most districts see cybersecurity as a technical issue and it isn’t. It is an issue that requires everybody in an organization to understand and be part of the solution and understand their role in protecting the organization.”
On the brighter side, Khan says he’s seeing “an uptick in school districts performing security risk assessments and trying to remediate some of their critical vulnerabilities.” They still have a long way to go, he adds, but “they’re much better than they were two or three years ago.”
“Awareness is driving security adoption, and we need to work more on that.”
Nonetheless, Khan says, budgets still aren’t what they should be across the board. As a result, countless schools can’t even afford to implement or enhance basic security measures let alone install state-of-the-art systems like the one at this $259 million high school outside Boston. And though the situation has gradually improved, throwing more money at the problem doesn’t necessarily yield the desired results.
As McLaughlin stressed at the Senate hearing, “digital equity is a significant challenge as cybersecurity issues disproportionately impact our school districts who have less funding available to support and secure their technologies, and the addition of IoT devices to networks demand additional protections the districts are unable to fund and unprepared to deliver.”
The lack of ramifications only makes matters worse, Khan says. On the cyber security front in particular, he explains, “There is no accountability when a school database gets hacked and students’ and parents’ personal information is leaked to the public. This has a direct effect on identity theft, scams and online harassment. It is my opinion that without strict accountability, the situation will not change. This is true in the public or private sector. Without restrictions, fines and laws in place that enhance security, there is no fear of consequences or incentive to do better.”
But that’s not an excuse to give up. As summer break approaches, Khan says, it’s a perfect time for school districts to patch, upgrade or replace outdated systems. Although budgets remain fairly low, he says, schools “are finding ways to take advantage of educational discounts from vendors or government funding to upgrade some of their systems.”
On the subject of physical security, Rand researchers came up with several tech recommendations for students as well as developers and vendors. They include the following:
- Before investing in a new technology, ensure that the technology is affordable and can be integrated into existing systems and upgraded in the future.
- Focus on developing improvements to two-way communication technologies, tip lines, and “all-in-one” apps, including training modules, violence alerts, prevention information and suggested responses after an event.
- Test technology solutions in real-world settings.
The key is marrying both forms of security so that one operates in tandem with the other rather than independently. And while that’s likely a long way off, there’s no time to waste.
Mindsight, a Chicago IT services provider, is an extension of your team. Our culture is built on transparency and trust, and our team is made up of extraordinary people – the kinds of people you would hire. We have one of the largest expert-level engineering teams delivering the full spectrum of IT services and solutions, from cloud to infrastructure, collaboration to contact center. Our highly-certified engineers and process-oriented excellence have certainly been key to our success. But what really sets us apart is our straightforward and honest approach to every conversation, whether it is for an emerging business or global enterprise. Our customers rely on our thought leadership, responsiveness, and dedication to solving their toughest technology challenges.
About The Expert
Mishaal Khan, Mindsight’s Security Solutions Architect, has been breaking and – thankfully – rebuilding computers for as long as he can remember. As a Certified Ethical Hacker (CEH), CCIE R&S, Security Practitioner, and Certified Social Engineer Pentester, Khan offers insight into the often murky world of cybersecurity. Khan brings a multinational perspective to the business security posture, and he has consulted with SMBs, schools, government institutions, and global enterprises, seeking to spread awareness in security, privacy, and open source intelligence.