The most wonderful time of the year… for Cybercriminals?

The most wonderful time of the year… for Cybercriminals?

Don Boxley, CEO and Co-Founder, DH2i, on securing educational institutions from cyberattack.

There was a very funny commercial from Staples regarding this being the most wonderful time of the year… It showed a very happy dad shopping for back-to-school supplies, followed by two rather miserable children.

Of course, this time of year isn’t just challenging for some kids – IT professionals in educational institutions tend to find it demanding as well. This is due not only to the massive spike in user traffic but also to the significant uptick in ransomware and other malware attacks.

Unfortunately, educational institutions are becoming more and more popular targets for cyber-criminals. One reason is due to their having a reputation for being easy to hack, and another is because they are a virtual treasure trove of information and applications. Like so many other industries, educational institutions have a great deal of data that is valuable and requires protecting – from Personally Identifiable Information (PII), student records and Protected Health Information (PHI), to financial information, research data, employee data, etc.

And, what happens if an educational institution gets hacked? To start, data access is lost and there is a risk of sensitive data being stolen, sold, and/or leaked. Then, there is the ransom demand which is never an inexpensive proposition. And, even after the ransom is paid, many have learned the hard way that data isn’t returned and/or access unlocked. And this is all before the government and other legal bodies get involved. For those who suffer a data breach, the fines and other penalties can be severe under such key regulations governing data protection in educational institutions such as:

  • FERPA (Family Educational Rights and Privacy Act) – Governs the privacy of student education records
  • HIPAA (Health Insurance Portability and Accountability Act) – Applies to health information in certain contexts
  • GDPR (General Data Protection Regulation) – Applies to institutions dealing with data of EU residents
  • GLBA (Gramm-Leach-Bliley Act) – Protects the security and confidentiality of consumer information

So, let’s back up… Why are educational institutions so acutely vulnerable? This is because schools typically suffer from seriously underfunded cybersecurity departments. Not only are they usually understaffed, but they must rely on outdated, maintenance-intensive technology like Virtual Private Networks (VPNs) that are not equipped to protect against modern threats that today’s sophisticated cyber-criminals can throw at them. Here’s why:

  • VPNs create a single access point, leaving the entire network vulnerable to lateral attacks
  • VPNs depend on physical devices that demand costly, continuous maintenance
  • The necessary physical hardware can become a single point of failure, risking a complete network shutdown

2023’s rough statistics reflect these funding inadequacies… Research from Malwarebytes’ ransomware specialist, Marcelo Rivero, shows that it was the most challenging year on record for ransomware attacks in the education sector, with a 70% surge in attacks.

Software-Defined Perimeter (SDP)

Organizations in virtually every vertical sector are turning away from VPNs and replacing them with software-defined perimeters (SDP), finding that they can provide superior protection against today’s threats. Not only that, they are usually much more affordable and deliver a much greater ROI. Here’s how:

  • SDP offers highly available Zero Trust Network Access (ZTNA) tunnels that establish connections directly at the application level
  • Application-level connections restrict the excessive network access provided by VPNs and remove the risk of lateral attacks
  • Software-defined solutions eliminate the need for physical hardware, significantly reducing maintenance costs and removing unnecessary points of failure throughout network environments

The benefits of SDP are undeniable for enhanced security and. Eventually, even a cost-savings perspective. However, an initial investment is still required, and even modest investments can feel as if they are completely out of reach to notoriously budget-strapped educational institutions.

Funding for K-12 Schools and Higher Education Institutions

Various grant opportunities and funding resources are available to help educational institutions strengthen their cybersecurity efforts. These grants, which can be obtained from federal, state, and private sources, are intended to support K-12 schools and higher education institutions in enhancing their digital infrastructure, implementing cybersecurity measures and safeguarding against cyber threats.

These programs include:

Cybersecurity and Infrastructure Security Agency (CISA) Resources – “CISA offers an array of free resources and tools, such as technical assistance, exercises, cybersecurity assessments, free training, and more…”

Cybersecurity Education Training Assistance Program (CETAP) – “The Cybersecurity Education and Training Assistance Program (CETAP) equips K-12 teachers across the country with cybersecurity curricula and education tools that focus on growing and educating the next generation of the cyber-literate workforce…”

DHS Grants – “The Department of Homeland Security (DHS) provides grants to state, local, tribal, and territorial jurisdictions that can be used for training, exercises, planning, personnel, and equipment to prepare for many threats and hazards…”

E-Rate: Universal Service Program for Schools and Libraries – “The FCC’s E-Rate program makes telecommunications and information services more affordable for schools and libraries. With funding from the Universal Service Fund (fcc.gov/general/universal-service-fund), E-Rate provides discounts for telecommunications, Internet access, and internal connections to eligible schools and libraries…”

Elementary and Secondary School Emergency Relief (ESSER) Funds – “The Elementary and Secondary School Emergency Relief Fund (ESSER) was established as part of the Coronavirus Aid, Relief, and Economic Security (CARES) Act in March 2020. CARES provided direct funding to states and districts to address the impact COVID-19 has had, and continues to have, on elementary and secondary schools across the nation…”

National Science Foundation (NSF) Grants – “The US National Science Foundation offers hundreds of funding opportunities — including grants, cooperative agreements, and fellowships – that support research and education across science and engineering…”

Private Grants and Foundations – Examples include the Bill & Melinda Gates Foundation and the Michael and Susan Dell Foundation.

State and Local Cybersecurity Grant Program (SLCGP) – “The State and Local Cybersecurity Grant Program provides funding to eligible entities to address cybersecurity risks and threats to information systems owned or operated by, or on behalf of, state, local, or tribal governments…”

State Grants and Funding Programs – “The federal government awards hundreds of billions of dollars in grants to state and local governments each year. These grants help finance a broad range of services, including health care, education, social services, infrastructure, and public safety…”

How to Increase Your Odds 

Identify Needs – Evaluate your institution’s specific cybersecurity requirements and vulnerabilities to understand the types of funding needed

Research Opportunities – Regularly visit the websites of federal agencies (such as the U.S. Department of Education, DHS, and CISA), state education departments, and private foundations to find available grants

Partner with Local Entities – Explore partnerships with local governments or higher education institutions to gain access to additional funding opportunities

Prepare a Strong Proposal – Create a detailed proposal that clearly outlines your cybersecurity needs, the actions you plan to take, and how the funding will be utilized to reduce risks and enhance security

Websites like Grants.gov can also provide advice and step-by-step guidance for each of these steps.

Free Cybersecurity Assessment Tool

If you work at a K-12 institution and want a free tool to assess your organization’s current cybersecurity strategy, check out the free School Security Assessment Tool (SSAT). Created by the Cybersecurity & Infrastructure Security Agency, this tool helps your organization to see how it measures up with best practices. The tool also provides recommendations on where and how to improve your overall approach. You can access this valuable tool right here: https://www.cisa.gov/school-security-assessment-tool/.

Now that you have the budget and/or funding, what should you do?

Modernize Your Security with SDP

The ideal software-defined perimeter (SDP) solution should focus on enhancing security, simplifying network management, and improving the performance of applications across distributed environments, such as hybrid or multi-cloud deployments.

Key features should include:

Application-Level Micro-Tunneling – lightweight, application-specific tunnels that only allow access to specific applications or services

High Availability and Fault Tolerance – built-in features for high availability and fault tolerance, ensuring that critical applications and services remain accessible even in the event of network failures or disruptions

Multi-Cloud and Hybrid Support – designed for flexibility, supporting secure connectivity across on-premises, hybrid, and multi-cloud environments – allowing organizations to connect resources across different data centers, cloud providers, and edge locations securely

No VPN Needed – SDP does not require persistent tunnels or open ports, which can be exploited by attackers – it uses outbound-only connections that are less vulnerable to attack

Simplified Management and Deployment – easy to deploy and manage, with a centralized console that provides visibility and control over all network connections and resources

Zero Trust Network Access (ZTNA) – a zero-trust security model, which assumes that no user or device, whether inside or outside the network, should be trusted by default

 Ready to kick it up a notch?

SQL Server Containers Unlock Unmatched Scalability and Resource Utilization

 Along with critically necessary security enhancements, emerging SQL Server container technology also needs to be on the radar of IT professionals operating in the education industry. IT teams need to look for solutions that enable them to spin up totally customizable, highly available SQL Server Availability Groups (AGs) in Kubernetes (K8s) in seconds. In addition, the solution should provide the ability to create cross-platform hybrid AGs containing instances and containers.

 Put simply, SQL Server container technology allows you to move your organization’s most critical SQL Server workloads to a flexible, containerized environment while maintaining continuous uptime. For the education sector, it offers the agility to scale your SQL Server environment in real-time to meet seasonal demand, ensuring optimal resource utilization. As a result, your organization can capture cost savings and free up man-hours to allocate to other pressing needs.

Browse our latest issue

Intelligent CISO

View Magazine Archive