Your school network is much more than a series of connected computers and cables. When we talk about your school network and its defence, what we are really talking about is how we can best protect the critical data that resides within it. Schools have sensitive and personal information on students and their family members, teachers and staff. Network protection is essentially about ensuring that your information stays confidential, that the integrity of your network remains intact, and that the data can still be seamlessly retrieved when you need it. Here are 5 network security tips to help you defend your school network better in 2023.
Consider the reach of your network
There is a traditional mindset that a school computer network is retained on the premises, but this is no longer true. The problem schools face is that the network boundary has become increasingly blurred. Any laptop that is taken out of the school grounds and used at home or accessed remotely or on the cloud is also part of the “network”. This also extends to a range of devices that could include smartphones, iPads, tablets and other gadgets. The use of the school network via personal devices has also become more frequent because of virtual learning and remote working environments.
The big challenge for schools in 2023 will continue to be managing remote device security in a hybrid working environment. Part of the solution is strong asset management of devices, including tracking where they are used, and applying commensurate security controls. Only known and registered devices should be trusted with high-level access to critical data.
For example, a teacher’s laptop enrolled in the system could be considered a trusted device with school-approved software and endpoint protection. Because it has already been screened, it could have automated and streamlined system access. For an untrusted device, such as a personal smartphone, more rigorous security measures should be applied, such as Multi-Factor Authentication or local area network settings that restrict access to the sensitive networks.
Protect your valuables
When we talk about network security, we are really talking about data security. Strong network protection involves several components working together to defend your data, such as firewalls and anti-virus software. However, fundamentally, you need to understand what critical data you have, how it gets there and who has access to it.
Your security controls and access levels must be relative to the value of the data. You wouldn’t install a $50,000 security system for a house with nothing in it. This is an essential data mapping function so you can identify where your most valuable data is, who has access to it and where user-level access needs to be applied. Data mapping can also reveal weaknesses in how the data is being managed.
Schools are also not as regulated as other industries when it comes to cybersecurity, so ensure the highest level of protection by implementing gold-standard, best-practice frameworks such as CIS CSC, NIST CSF and ISO 27001.
Build a cybersecurity-aware culture
People are the weakest link in any network environment, so creating a cybersecurity-aware culture through education and policies can reduce human-based error and risk. Unfortunately, IT departments in schools often have small budgets, are under-resourced and wear many hats. This means they are too busy to develop and execute cybersecurity awareness programs for the staff body.
Schools have no official cybersecurity guidelines and are not subjected to the same data laws, so the emphasis is placed on the IT department to implement cybersecurity solutions. This causes the false belief that cybersecurity is an IT-exclusive problem.
Just like devices, people are assets and need to be managed. Establishing such a culture should be driven top-down from the executive team, and not the IT team. Sometimes it can be difficult to get management to understand the inherent human-introduced risks to the network. In such cases, security assessments can assist with providing clarity on the wider cybersecurity posture and provide context into the human-factor of information security. This will help staff understand that everyone has a responsibility to protect sensitive school data and maintain its integrity.
Smarter passwords, less often
Schools face a unique challenge in that they have small children through to adults using their systems, so how do you create a robust password policy for kids who aren’t that great at spelling yet?
When you come up with password policies, it’s essential to remember the human factor. The classic 8-character password that is frequently reset, ironically, leads to less secure passwords. For example, if a teacher needs to change their password frequently, they will typically use a variation on the first password such as ‘password01’ or ‘password02’. If that original password is compromised, the first thing a hacker is going to do is try variations of the leaked password.
So, what’s the solution? Both Microsoft and NIST have come out with revised best-practice guidance for passwords that suggests passphrases are a better solution. Passphrases are a group of unrelated words such as the iconic “Correct Horse Battery Staple”. Moreover, the number of passwords we should be remembering needs to be quite small compared to the number of passwords we require in our daily online lives. We should be remembering our work password and we should be remembering the very strong passphrase in our password manager.
Password managers are just that – they manage our passwords for us in online “vaults”. We only need to remember the master password to gain access to our vault, and then we can use the password manager to come up with truly random passwords that are unique for every login we have.
As adults, we typically don’t have a problem remembering one or two passphrases of 12 or more characters. But for a year 2 student, it’s a different story. Students typically should not have access to sensitive data, especially primary school students. Therefore, if the level of access they have to the network and data is a lot less than teachers, then it doesn’t make much sense to subject those students to the same credential requirements as teachers.
For students, set your password policies as appropriate, and make them change their password at the beginning of the year, or when they graduate into high school (for K-12 schools).
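The password-change check this section implies, as an added example that is not from the original article: it rejects a new password that is only a cosmetic variation of the old one (the ‘password01’ to ‘password02’ habit) and applies a role-based minimum length. The function names, the similarity threshold and the student minimum are assumptions; the old password is the one the user types in when changing it.

```python
import re
from difflib import SequenceMatcher

# Assumed policy values: 12 follows the article's "12 or more characters" for
# adults; the student minimum is a hypothetical lower tier.
MIN_LENGTH = {"staff": 12, "student": 8}
LEET = str.maketrans("013457@$!", "oieastasi")  # common character swaps


def skeleton(password: str) -> str:
    """Reduce a password to the stem users tend to keep between resets."""
    s = password.lower()
    s = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", s)  # strip leading/trailing counters
    s = s.translate(LEET)                      # undo swaps such as @ -> a
    return re.sub(r"[^a-z]", "", s)            # keep letters only


def is_variation(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when the new password is the old one with cosmetic changes."""
    a, b = skeleton(old), skeleton(new)
    if not a or not b:                         # e.g. all-digit passwords
        return old.lower() == new.lower()
    return a == b or SequenceMatcher(None, a, b).ratio() >= threshold


def check_new_password(old: str, new: str, role: str = "staff") -> list:
    """Return the reasons to reject `new`; an empty list means accept."""
    problems = []
    if len(new) < MIN_LENGTH[role]:
        problems.append(f"shorter than {MIN_LENGTH[role]} characters")
    if is_variation(old, new):
        problems.append("variation of the previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for old, new in [("password01", "password02"),
                     ("Autumn2022!", "correct horse battery staple")]:
        print(repr(new), "->", check_new_password(old, new) or "accepted")
```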
Moving forward, passwordless technology is gaining popularity. This includes biometrics such as facial and thumbprint recognition, which are available on more of the devices used within a school. Biometrics should be strongly considered moving into 2023.
Monitor Malicious Activity in Real-Time
Let’s say someone clicks a link in an email and downloads an attachment containing malware. There will most likely be anti-virus software in place that will pick that up. But if it doesn’t, there need to be other mechanisms in place to detect that activity within a reasonable amount of time. This can prevent serious damage to your network and, in turn, your organisation.
Secure networks need to have what we know as ‘defence in depth’. You must have multiple layers of security controls so if a hacker was to circumvent one layer, they get hit by another. Simply relying on your firewall and antivirus software isn’t enough, so you’ll need to expand that defence by employing proven tools and further incorporating identity security. This includes having a solid understanding of who has access to the network via user accounts.
As schools typically don’t have the resources to monitor these systems and make sure they are adequately covered, it is possible to cost-effectively outsource that component. Then, if there is suspicious (attempted) login activity, or there is activity on a critical server that has never been seen before, there will be more visibility on these events and anomalies can be detected before they cause damage.
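The two conditions named above (suspicious attempted logins, and activity on a critical server that has never been seen before) expressed as detection logic over authentication events. This is an added example, not from the original article; the log format, host names, thresholds and baseline are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

CRITICAL_HOSTS = {"sis-db01"}      # hypothetical student-records server
FAIL_LIMIT = 5                     # assumed threshold
WINDOW = timedelta(minutes=10)     # assumed look-back window
# (host, account) pairs seen during a normal period; constructed baseline.
BASELINE = {("sis-db01", "registrar")}

# Constructed log lines: time, host, account, source address, result.
SAMPLE_LOG = """\
2023-02-06T08:01:10 mail01 t.nguyen 10.0.4.21 OK
2023-02-06T22:14:02 vpn01 j.smith 198.51.100.7 FAIL
2023-02-06T22:14:09 vpn01 j.smith 198.51.100.7 FAIL
2023-02-06T22:14:15 vpn01 j.smith 198.51.100.7 FAIL
2023-02-06T22:14:21 vpn01 j.smith 198.51.100.7 FAIL
2023-02-06T22:14:30 vpn01 j.smith 198.51.100.7 FAIL
2023-02-06T22:15:44 vpn01 j.smith 198.51.100.7 OK
2023-02-06T22:17:03 sis-db01 registrar 10.0.4.30 OK
2023-02-06T22:19:51 sis-db01 j.smith 10.8.0.14 OK
"""


def detect(log_text, baseline=BASELINE):
    """Return (rule, account, detail) alerts for the two conditions."""
    fails = defaultdict(deque)     # account -> times of recent failures
    seen = set(baseline)
    alerts = []
    for line in log_text.splitlines():
        stamp, host, account, source, result = line.split()
        when = datetime.fromisoformat(stamp)
        if result == "FAIL":
            recent = fails[account]
            recent.append(when)
            while when - recent[0] > WINDOW:   # drop failures outside window
                recent.popleft()
            if len(recent) == FAIL_LIMIT:      # alert once per burst
                alerts.append(("failed-login-burst", account, source))
        elif host in CRITICAL_HOSTS and (host, account) not in seen:
            seen.add((host, account))
            alerts.append(("first-seen-on-critical-host", account, host))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In the sample, the registrar's login to the records server raises nothing because it is in the baseline, while the account that produced the failed-login burst is flagged again when it first appears on that server.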
Trust NetStrategy for Network Security
At NetStrategy, we’ve helped nearly 400 schools defend their school networks, minimise cybersecurity risks and maintain continuous operation. Assess your organisation’s cybersecurity resilience by generating your instant report online here.