Shoestring budgets and large numbers of users—many of whom bring their own devices to campus—make cybersecurity a particularly daunting challenge at both the K-12 and postsecondary levels of education. Expert consultants hired to evaluate and secure educational networks also note an additional complication for school administrators: oftentimes the greatest threat to educational network security comes not from shadowy overseas hackers but from the very students the schools serve.
Aviram Jenik is the founder of Beyond Security, a Cupertino, California-based cybersecurity company that probes its clients’ security systems for potential vulnerabilities. In an interview with InsideSources, Jenik discussed some of the work he does with higher education institutions and why he thinks cybersafety will only become more important in the coming years.
“Typically when we think about a security threat we think about external ‘bad guys,’” explained Jenik. “With universities and schools it’s a lot more gray.”
Whereas a company can ensure norms among its network users, schools often have less control over what their students do online, and some students have been known to take an adversarial approach to network monitors. This means that educational institutions often have to build sophisticated systems with tiered functionality for different users. In other words, network administrators want to award faculty full permissions to access and change student data, while students need to be cordoned off from having access to sensitive files.
“We want students to be able to see their grades, not change them,” said Jenik.
The transient nature of the education business adds another layer of complexity. Because students come in and out of a school system, typically only staying for a few years, the networks are always changing. Jenik advises his mostly higher education clientele to routinely check their network security, because “the network on Friday may be very different from the network on Monday.”
Dirk Morris is the founder and chief product officer of another cybersecurity company, Untangle, which focuses its business in the education sector on K-12 schools. Untangle has also issued a whitepaper on steps schools can take to better protect themselves. Morris echoed Jenik’s assessment of the vulnerability school systems face, saying that many are at “an unfortunate inflection point” in which they have large user bases but limited funds and staff to manage the challenges their users pose.
Morris and Jenik both explain that most private businesses with a few thousand users will have a dedicated team of dozens of information technology experts, while some schools are fortunate to be able to afford any full-time dedicated cybersecurity staff. And as “smart” appliances, wristwatches, and high-powered cell phones continue to proliferate in the market, both see the uneven ratio of network-connected devices to cybersecurity budgets only getting further out of balance for educators.
The best approach, according to Jenik, is for schools to start by making a levelheaded assessment of where their greatest vulnerabilities are and what their highest priorities should be. Not all cyberthreats are the same. Sometimes hackers will hit a network with a denial of service attack that will crash servers, other times they may encrypt a school’s data and hold it hostage with ransomware, and still other attacks are simply designed to steal personally identifiable information.
Therefore, the key steps an organization should take to protect itself vary according to its specific situation, said Jenik. So while it could be disastrous for a bank’s network to go down because of a denial of service assault, a university, while inconvenienced by having to go without service for a few hours, may decide that its efforts are better focused on shoring up unsecured data. Above all, Jenik argues that schools should think about cybersecurity in terms of returns they receive on the investments they put in—meaning they should first train their resources on their most pressing needs, rather than trying to plug every gap they find at once.
While Jenik finds that the universities he works with “are doing a pretty good job given the factors,” he also cautions that many still could be taking more proactive steps. Compared to other information technology professionals, Jenik said that he has found that those working in the education space tend to be particularly mission-driven and are able to do more with less.
In the K-12 landscape, Morris said that the situation is “all over the map,” but in general, schools should be taking cybersecurity threats more seriously, and he argued that more money needs to be invested in preventive measures. Schools should be aware, he said, that they are “at the tip of the spear” when it comes to cybersecurity vulnerabilities.