Don’t Fall Victim to Ransomware: Cybersecurity Best Practices to Follow Now

Earlier this year, IT security company Sophos released a report showing that over half of K-12 schools have fallen victim to a cyber attack known as ransomware.

“This means that every single day our schools are under attack from ransomware,” according to cybersecurity expert, Will Knehr.

And this doesn’t even include some of the other major issues schools face from insider threats. Students and faculty with computer access also may encounter malware, phishing attempts and unauthorized disclosure of student data, he said.

In addition to his work with PASS, Knehr is the senior manager of information security and data privacy at i-PRO Americas. He understands the dangers that cybersecurity threats pose to schools across our country.

Ransomware, a type of malware, encrypts data on computers and other devices and prevents access until a ransom is paid. In 2020, Info Security Magazine reported that cybercriminals cost schools over $6 billion annually. Of that, $4 billion went to ransomware alone.

“And that’s only reported crimes,” Knehr said. “The real cost could be double that amount. Schools and hospitals have become favorite targets of hacker groups because schools and hospitals don’t usually have the best security, and they tend to pay the ransom.”

Cybersecurity Threats From Within

According to Knehr, distributed denial of service(DDoS) attacks are the second most common cyber threats schools face. These attacks aim to bring down your school’s network for an indeterminate amount of time.

“A DDoS attack can be as simple as taking down a school server or website for a couple of hours or bringing down an entire network for weeks,” Knehr said. “DDoS attacks have become a favorite amongst students trying to get out of a test or a class, or to gain fame among other students.”

DDoS attacks usually launch through botnets. Botnets are networks of hacker-controlled, internet-connected machines. Hackers flood their victim’s network with more traffic than it can handle, so their botnets can take advantage of unsecured, industrial internet of things (IIoT) devices like security cameras.

11 Cybersecurity Best Practices to Keep Your School Safe

The PASS Guidelines are full of helpful information to help you assess your current safety protocols and keep your school safe from cybercriminals. In addition, Knehr offers these best practices for protecting your school’s network.

1. Train your staff on basic cybersecurity. Statistics show that training staff remains the most cost-effective and single overall most effective control in security.
2. Follow best practices when deploying security systems. Make sure that devices are not directly accessible from the internet, segment networks and use firewalls.
3. Enable multi-factor authentication where possible.
4. Update the firmware and software on security systems regularly.
5. Do not use default passwords on security systems.
6. Enforce the principle of least privilege for security system access. The principle dictates that only authorized personnel should have access to or the ability to modify devices.
7. Turn off un-secure protocols such as HTTP.
8. Purchase security system devices from manufacturers that take security seriously. In addition, they should offer products with robust security features like encryption, third-party certificates and 802.1x integration.
9. Complete system backups often and store those backups in an offsite environment.
10. Sign up for a cyber threat alert page. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA) email alerts are fantastic for this.
11. Thoroughly research all vendors and make sure they follow a best-practice model for cybersecurity. The Higher Education Community Vendor Assessment Toolkit (HECVAT) assessment is a great tool.

The last one is crucial, Knehr said.

“Bringing in a cybersecurity consultant can be a great idea, but they should be carefully vetted to make sure they are a good fit for the organization,” he said. “Look for someone who will help strengthen the systems already in place and build an easy-to-follow cybersecurity plan for the school. A complicated overpriced security system does no good if no one at the school understands it or can run it.”

Cybersecurity and On-Premise vs. Cloud-Based Video Storage

Which type of storage is better: on-premise or cloud-based?

Both are great options if done correctly, Knehr said. He weighs the following important factors when considering video storage options.

Security

Knehr recommends having someone with security experience involved with the design, regardless of which type of storage solution you choose. He’s seen many engineers struggle with proper cloud deployment. However, the federal government is moving to the cloud, which they wouldn’t do if it couldn’t be done securely, he said.

Scalability

You want the ability to build on your investment.

“If an organization believes it may be significantly increasing the size of its infrastructure soon, the cloud may be a faster option for growth due to the ability to add additional resources quickly and easily,” Knehr said. ”An on-premise install would have to build out that infrastructure [with servers, racks, cooling systems, uninterruptable power source (UPS), fire suppression]. However, if an organization thinks its infrastructure will remain about the same size, then it may benefit from something on-premise.”

Redundancy/Resiliency

This is focusing on your “system uptime,” as Knehr put it. It’s about the recoverability of an environment after an attack or a natural disaster.

“Cloud environments will almost always have an upper hand in this equation with Azure and AWS both boasting a 99.9% system uptime,” Knehr said. “Most cloud environments have multiple regions or zones that data is backed up to, and can be available in almost any circumstance.”

But this could be overkill for a small school. According to Knehr, smaller schools may be able to build up plenty of resiliency and redundancy in their on-premise networks. They may do so by conducting backups using UPS and generators, and by employing multiple servers.

Cost

This is a big one, especially for schools, as we all know it too well.

“Cost needs to be carefully considered, and so does the “hostage as a service” model that many cloud providers are selling,” Knehr said.

“Hostage as a service” refers to the tactic of some cloud service providers that sell low-cost solutions, but don’t allow customers to change their service if they’re not satisfied. Avoid these types of agreements, Knehr said.

Companies calculate costs annually or as a total cost of ownership.

“People will get sold at a low cost but not realize all the other services and fees that get tacked onto the end,” Knehr said.

Make sure you thoroughly understand the pricing model for cloud-based services. You want to know exactly how much you’re spending before you buy.

Utilize the PASS Guidelines

The upcoming release of our sixth edition PASS Guidelines includes updated cybersecurity best practices. Sign up to receive an alert when we release the new Guidelines.

Contributors: PASS thanks Will Knehr of i-PRO Americas for his contributions to this article.

The Partner Alliance for Safer Schools (PASS) is a nonprofit 501(c)(3) bringing together expertise from the education, public safety, and industry communities to develop and support a coordinated approach to making effective and appropriate decisions with respect to safety and security investments. You can download the complete PASS Guidelines or check out our PASS Safety and Security Checklist for quick tips on how to get started. These resources—as well as whitepapers on various topics including barricade devices, lockdown drills, and more—are available at no cost.