Category: Industries

Six Things to Do Now to Prepare for Remote Learning

The novel Coronavirus has caused widespread school closures with 138 countries closing schools globally, affecting over 1.3 billion students. With little notice, schools must now provide reliable and accessible online learning while ensuring their security controls stay in place.
Based on years of experience enabling remote education, we’ve put together a few ways you can leverage your existing Absolute tools to keep your students, staff, and devices safe during this period.

Maintain visibility of all devices in your fleet. Manage and control all devices from one console. Track and be alerted when missing devices call in.  Report stolen devices to Absolute’s Investigation team, and we’ll work with law enforcement to recover them.
Monitor device utilization. Absolute’s Device Usage report lets you see when, for how long and how frequently your Chromebook, Windows, and Mac devices are used. You can identify students who are not getting the full benefit from their devices or if devices aren’t being used at all.
Know if students or staff are in high-risk areas. With geofencing alerts you can set custom boundaries and be alerted when devices cross them. When students or staff are at risk, you can check in and advise on precautions.
Maintain your district’s security controls. Absolute’s self-healing capability can be extended to AV, encryption, VPN, or any other application that you depend on — so they’re always installed, up-to-date, and working correctly.
Fix vulnerabilities remotely. With Absolute, your IT team can remotely execute scripts to repair, patch, and remediate devices.
Know where your sensitive data is at all times. As teachers, support staff, and administrators work remotely, they might take sensitive data and store it locally. With regular EDD scans, you can maintain compliance with FERPA, HIPAA, and other privacy requirements.

If your district or school has new devices to enroll, you can learn how to set up new policy groups, assign licenses to groups, and activate policies in the console by visiting Absolute’s Learning Hub.
If you need any assistance or support, please contact sdrs@absolute.com

How Canada’s Healthcare Overhaul Led to a 15% Increase in Security Breaches

In 2019, Canada’s healthcare system underwent an overhaul. Taking place in Canada’s most populated province Ontario, the changes have been described as the most significant health system update in 50 years.
Ontario was attempting to merge its health agencies to create local coordination organizations and maximize efficiencies. Combining the systems brought complications, however, and resulted in a 15% increase in the number of cybersecurity breaches. Hackers targeted three Ontario hospitals in October and paralyzed their operations using the Ryuk ransomware – now the most profitable ransomware family in the last six years. Ryuk is a common culprit known for shutting down local governments, school systems, and most recently, oil and gas facilities.
Ryuk Ransomware
Ransomware is commonly used in healthcare due to the sensitive and valuable nature of the information organizations hold. Hackers will often first use ransomware to gather information about a hospital’s finances, to figure out how large of a ransom to ask for. Then, hackers will use the ransomware to lock up a hospital’s information, effectively holding it hostage until a payment is given.
In October, the Canadian Centre for Cyber Security issued a nationwide alert for Ryuk ransomware. One security company stated that almost 50% of all breaches by the ransomware were targeted at healthcare. One of its hospital clients reported over 3,200 exploit attempts in October alone.
Across healthcare, Ryuk isn’t limited to only Canadian hospitals. Last October, three Alabama hospitals had access to their patient lists blocked. Several hospitals in Australia also had a similar ransomware attack that crippled their systems.
Prevention is the best defense against ransomware
If ransomware has infected your organization’s systems, there’s a good chance that it won’t be easily removed. System administrators have attempted to reimage computers to reset them to their previous configurations before the attack, only to have the ransomware come right back shortly after the systems returned.
Rather than waiting until it’s too late and being forced to choose whether or not to pay a hefty ransom, a better approach is to start by taking preventative measures to protect your systems.
Typical points of entry for healthcare attacks
Here are a few common points of entry that hackers often try to exploit:

Endpoints via outdated or unpatched applications
Medical Internet of Things (IoT) devices
Unknowing users who click on malicious links on a webpage or in an email

Ways to help prevent ransomware attacks
To secure and manage your sensitive healthcare devices, data and applications, start by staying in control with a resilient connection to all your endpoints.

Block TCP port 3389 on the firewall if possible.
Employ content filtering and scanning on mail servers.
Scan incoming and outgoing emails for threats.
Educate employees on how to recognize suspicious links and attachments, even if they seem to be coming from someone they know.
Minimize the number of users with admin privileges who can install software.
Ensure systems and software are updated regularly with up-to-date patches.
Have daily backups of all critical systems with offline and offsite copies.
Disable Remote Desktop Services if not required.
Disable macros for documents received via email.
Respond to incidents quickly with automatic location and deletion of data when needed.
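
A read-only audit of four items from the list above (Remote Desktop disabled, no inbound allow rule for TCP 3389, local administrator membership, Office macro blocking), added here as an example; it is not from the original article or from Absolute's product. It assumes an elevated PowerShell 5.1+ session on Windows 10 / Server 2016 or later and Office 2016+ policy paths, and the function names are illustrative.

```powershell
# Added example (not from the original article): read-only check of four
# controls from the list above on the local Windows host.
# Assumptions: PowerShell 5.1+, elevated session, Office 2016 or later (16.0).

function Test-PortInSpec {
    # Firewall port filters hold strings such as "3389", "3000-4000" or "Any".
    # "Any" is deliberately not matched: those rules are usually scoped to a program.
    param([string[]]$Spec, [int]$Port)
    foreach ($s in $Spec) {
        if ($s -eq "$Port") { return $true }
        if ($s -match '^(\d+)-(\d+)$' -and
            $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
    }
    return $false
}

function Get-RdpInboundAllowRule {
    # Names of enabled inbound Allow rules whose TCP local ports include $Port.
    param([int]$Port = 3389)
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $filter = $_ | Get-NetFirewallPortFilter
            if ($filter.Protocol -eq 'TCP' -and (Test-PortInSpec $filter.LocalPort $Port)) {
                $_.DisplayName
            }
        }
}

function Get-RansomwareHardeningReport {
    # "Disable Remote Desktop Services if not required":
    # fDenyTSConnections = 1 means RDP connections are refused.
    $ts  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
               -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $svc = Get-Service -Name TermService -ErrorAction SilentlyContinue

    # "Block TCP port 3389 on the firewall": host firewall view only;
    # the perimeter firewall has to be checked separately.
    $rdpRules = @(Get-RdpInboundAllowRule -Port 3389)

    # "Minimize the number of users with admin privileges":
    # S-1-5-32-544 is the built-in Administrators group on any locale.
    $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue)

    # "Disable macros for documents received via email": the closest Office
    # policy blocks macros in files that came from the Internet (per-user policy).
    $macroGaps = @(foreach ($app in 'word', 'excel', 'powerpoint') {
        $path = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $val  = (Get-ItemProperty -Path $path -Name blockcontentexecutionfrominternet `
                     -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        if ($val -ne 1) { $app }
    })

    [pscustomobject]@{
        Control = 'Remote Desktop connections denied'
        Pass    = ($ts.fDenyTSConnections -eq 1)
        Detail  = "TermService status: $($svc.Status), start type: $($svc.StartType)"
    }
    [pscustomobject]@{
        Control = 'No inbound allow rule for TCP 3389'
        Pass    = ($rdpRules.Count -eq 0)
        Detail  = ($rdpRules -join '; ')
    }
    [pscustomobject]@{
        Control = 'Local administrators (review manually)'
        Pass    = $null   # the list gives no threshold, so this row only reports
        Detail  = (($admins | ForEach-Object { $_.Name }) -join '; ')
    }
    [pscustomobject]@{
        Control = 'Office blocks macros in files from the Internet'
        Pass    = ($macroGaps.Count -eq 0)
        Detail  = if ($macroGaps.Count) { "policy not set for: $($macroGaps -join ', ')" } else { '' }
    }
}

Get-RansomwareHardeningReport | Format-Table -AutoSize -Wrap
```

The script changes nothing on the host; a `False` row marks a control to enforce through Group Policy or your endpoint management tooling.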

Conclusion
In 2020, to stay ahead of hackers and ransomware attacks like Ryuk and others, endpoint resilience is increasingly important. Because you can’t secure what you can’t see, uncompromised visibility into every device, whether it’s on or off the network is the first step. And because security tools inevitably degrade and fail over time, as research has proven, you also need a persistent, self-healing connection that will alert you to potential problems.
To find out how Apria Healthcare uses Absolute to gain visibility into device location and activity, secure patient data and improve access to patient care in the field, check out the case study or read up on Absolute healthcare solutions.

HIPAA Compliance Checklist for 2020

HIPAA was adopted in 1996 and since then, Covered Entities (CEs) have been required to protect individuals’ personal health information or face hefty fines for non-compliance. The U.S. Health and Human Services Office for Civil Rights (OCR) enforces HIPAA; the fines they have issued have grown exponentially in recent years.
In 2018, Anthem, one of the nation’s largest health benefits companies, paid what is still the largest HIPAA fine in history, $16 million, for a data breach that exposed the electronic protected health information (ePHI) of 79 million individuals. The next largest settlement was $5.5 million paid by Memorial Healthcare Systems in 2017 for the inappropriate access of PHI of 115,143 individuals. Earlier this year, we learned hackers compromised two employees’ email accounts at a Michigan healthcare group, which exposed patient data and went undetected for six months.
With increasingly severe HIPAA non-compliance fines on the line, healthcare organizations must exercise extreme diligence in the protection of PHI. But it isn’t an easy task. Compliance requires that CEs adhere to two primary rules: the HIPAA Privacy Rule, which details which data must be protected, and the HIPAA Security Rule which establishes how that data is protected.
The Privacy Rule defines identifiable health information as demographic data that relates to:

an individual’s past, present, or future physical or mental health or condition
the provision of healthcare to the individual
the past, present, or future payments for the provision of healthcare to the individual

The Security Rule outlines three categories of safeguards – administrative safeguards, physical safeguards and technical safeguards – to help you ensure data is protected and standards are followed accordingly.
Achieving and maintaining HIPAA compliance requires both thoughtful security and ongoing initiative. While there is some irony in providing a compliance checklist when we often hear ‘compliance is much more than checking a box,’ there are program elements that can – and should – be checked off. When marked complete, your level of confidence in your organization’s HIPAA adherence will increase.

The below 7 areas have been excerpted from the OCR’s recommended essential elements of an effective HIPAA compliance program.
Complete the following assessments / audits and be able to provide all appropriate documentation that they have been conducted for the past 6 years.
[ ] Security Risk Assessment
[ ] Privacy Assessment
[ ] HITECH Subtitle D Audit
[ ] Security Standards Audit
[ ] Asset and Device Audit
[ ] Physical Site Audit
Educate staff.
[ ] Have all staff members undergone annual HIPAA training, and do you have documentation to prove that they have completed annual training?
[ ] Is there a staff member designated as the HIPAA compliance, privacy and/or security officer?
[ ] Have all staff members received security awareness training and do you have documentation to prove they have completed it?
[ ] Do you provide periodic reminders to reinforce security awareness training?
Conduct risk analyses to assess whether encryption of electronic protected health information (ePHI) is appropriate and provide documentation on the decision-making process.
[ ] If encryption is not appropriate, have you implemented alternative and equivalent measures to ensure the confidentiality, integrity, and availability of ePHI?
[ ] Have you implemented controls to guard against unauthorized accessing of ePHI during electronic transmission?
Implement identity management and access controls.
[ ] Have you assigned unique usernames/numbers to all individuals who require access to ePHI?
[ ] Is access to ePHI restricted to individuals that require access to perform essential work duties?
[ ] Have you implemented policies and procedures for assessing whether employees’ access to ePHI is appropriate?
[ ] Have you developed policies and procedures for terminating access to ePHI and recovering all electronic devices when an employee leaves an organization or their role changes?
[ ] Does your system automatically logout a user after a period of inactivity?
Create and monitor ePHI access logs.
[ ] Routinely monitor logs to identify unauthorized accessing of ePHI.
[ ] Implement controls to ensure ePHI may not be altered or destroyed in an unauthorized manner.
Develop policies and procedures for the secure disposal of PHI.
[ ] Develop policies and procedures for rendering PHI unreadable, indecipherable and incapable of being reconstructed.
[ ] Develop policies and procedures for permanently erasing ePHI on electronic devices when they are no longer required.
[ ] Ensure all devices that store PHI are stored securely until they are disposed of in a secure fashion.
Define a clear process for security incidents and data breaches.
[ ] Ensure you have the ability to track and manage all incident investigations.
[ ] Be able to provide the required reporting of minor or meaningful breaches/incidents.
[ ] Implement a procedure by which employees may anonymously report a privacy/security incident or potential HIPAA violation.
Successfully completing this checklist does not guarantee your organization is HIPAA compliant – nor does it ensure that your organization will avoid potential data breaches. However, it will get you off to a very good start. For more information on implementing a successful program, download our whitepaper: Achieving HIPAA Compliance: Your Guide to Avoiding HIPAA and HITECH Penalties. 

New Year, New Cybersecurity Goals

This article originally appeared on the VMware blog.
While the cybersecurity landscape may look daunting as the new year progresses, organizations should focus on building the proper strategies for protecting our valuable data and mitigating the endpoint security risks that 2020 promises to bring. This means taking a critical look at the past 12 months, and identifying the changes a security team can make now, that will be most impactful in the 12 months to follow.
Let’s explore some important enterprise security goals for an organization to consider, as 2020 advances.
Measuring Success within the New Year
One of the big buzz words of 2019 was “Zero Trust” – with the thought that the end user should have as little access to the device they are working on as necessary. We as an industry need to start measuring and scoring the trustworthiness of the products that we install in our environments. Exactly how do these products perform in the real world and not just in a lab? How do we know from day one that we can trust a product to perform in production? It is easy enough to allow security technology to win through traditional commerce, but truly successful products will win because customers decide to invest in renewals, and the poorly performing products will die. I expect that in 2020, we will start looking at the trustworthiness of applications and de-emphasize the focus on being impressed by marketing costs.
Calling a Time-out on Security Spending
When discussing the importance of a time-out on security spending, the following questions are important to consider: “Am I utilizing my security dollars efficiently,” and “How do I ensure that my organization is resilient based on the acquisition of new security?”
Companies have stuck to the same old playbook for years now, and it has one directive: buy more products. This isn’t going to result in the protection that enterprises require to combat hackers. As the new year approaches, businesses need to ensure that what they are already spending money on and deploying in the enterprise is actually working and protecting the environment. Today, organizations can expect to be compromised, but their ability to bounce back from such an attack will matter most to the company, its customers and partners.
This resiliency will also affect how the role of the CIO and CISO will develop within the next few years. CIOs are going to have to prove exactly how existing products are living up to their full potential. If they can’t show how current products will prevent and repair damage due to a cyberattack, then future investments will become even more scrutinized. As a result, we’re going to witness the introduction of protection level agreements guaranteeing that the strategies implemented will protect against certain severity levels of a cyber attack. With this in mind, it will become essential that CIOs and CISOs put a hold on any security spending, and take the time to reevaluate their security landscape to ensure the products they currently use are actually worth the investment.
Overcoming Vulnerabilities within the Education Industry
The most significant challenge for the education industry will be identifying and attracting security professionals to the K-12 field. Budget constraints and limited advancement opportunities within the education sector are generally not a great combination for attracting talented security professionals. Budget constraints may also lead to the industry purchasing products that are tailored specifically to education use cases, but fail to follow secure development processes. This causes additional problems for the IT professional in the education system.
With this in mind, the education industry will also need to invest in personal development as 2020 continues. The industry as a whole is grossly underinvesting in its employees, and its IT department is no exception. Training courses must become a priority, not only to ensure all employees are keeping cybersecurity top of mind, but to help promote IT careers in the education sector. Without this focus, key IT players will soon discover better opportunities within another industry.
Striking a Balance Between Patient Care and Cybersecurity
In 2020, it’s going to be important for the healthcare industry to focus on building significant trust among healthcare professionals and IT security/privacy best practices. The balance of a patient’s life, accessing data quickly but accurately, and privacy concerns can be very conflicting, which puts cybersecurity on the backburner. In the new year, healthcare IT will need to provide greater and more robust security and privacy practices within their environments and better identify who requires certain privileges and access to patient data and systems.
It will also be important for the healthcare industry to better understand their environment and validate that their existing purchases are performing as expected – allowing better budget spend moving forward. Once this foundation is established, there is an opportunity for the industry to build on it, using tools that have already proved their worth and ensure a more seamless experience for the patient.
For more on the state of endpoint security, download the Endpoint Security Trends Report. 

Apria Healthcare Sees and Secures 8,000 Devices with Absolute

Healthcare technology — which includes everything from medical staff tablets to patient monitoring devices and even prosthetics — is increasingly reliant on an interconnected network. This interconnectedness enables improved patient care, but it also opens the door for added risk. As cyber crime skyrockets across the healthcare industry, one of the nation’s leading home respiratory services and medical equipment providers, Apria Healthcare, recognized the risks early on and implemented Absolute to better secure patient data.
Apria operates more than 300 locations and provides service to 1.8 million patients annually with in-home care and 24/7 clinical services. In order to support home-healthcare — by far the fastest growing healthcare sector due to its potential for improved care at a reduced cost — Apria employees rely heavily on more than 8,000 devices.
Read: Why Data Privacy in Healthcare Matters
Unbreakable Visibility & Control
To ensure the highest levels of security, protect private and corporate information, and ensure HIPAA compliance, Apria needed a way to track their endpoint devices. They wanted a solution that would deliver zero-touch IT asset management, provide self-healing endpoint security, and employ always-on data visibility and protection. They needed intelligence on every device, with the ability to control every endpoint whether it was on or off their corporate network.
With Absolute Persistence® already installed in the BIOS of their endpoint devices, Apria found unbreakable endpoint visibility and control by simply turning Persistence on. As a result, they now have a reliable, two-way connection to each device and can remotely monitor the status of their devices to avoid a healthcare data breach. They gained critical asset intelligence they could not find with any other security provider.
“Persistence [located] in the BIOS was the number one item that I think really sets Absolute apart from other companies touting that they can do asset tracking better,” said Janet Hunt, Senior Director, IT User Support, at Apria Healthcare. “They really can’t, they don’t have that piece – that persistent piece is so important to me. I am always looking for opportunity and different technologies as they come up, and I haven’t found anything that’s as good as Absolute… nothing can compare.”
With Persistence activated on every device, Apria Healthcare is assured that no matter what happens to a device – whether it is lost, stolen, or breached – no one can turn that Persistence off. The device will continue to report back to Apria, who then has the power to wipe a device clean or shut it down even if the user installs a new OS.
Absolute also provides dashboard status on all devices that updates every 15 minutes. With a complete history of the device, security managers can demonstrate encryption, geolocation, usage, and device history. Absolute provides unprecedented asset intelligence, giving healthcare organizations a crystal-clear understanding of the value every asset is delivering to inform security and purchase decisions.
“If Absolute disappeared, I would retire because I would have no idea where anything was,” said Hunt. “That was the greatest thing about bringing Absolute in: I know where a device is.”
To find out how Apria Healthcare uses Absolute to secure patient information, gain visibility into device location and activity and improve access to patient care in the field, check out the case study or read up on Absolute healthcare solutions.
 

Education Sector Calls for Resilience, Support in the Face of Cyberattacks

This article was originally published in eSchoolMedia.
Nearly 50 school districts and colleges have been pummeled by ransomware and other forms of cyberattacks in recent months. These have ranged in nature from disruptive, as in the case of the Flagstaff two-day closure, to catastrophic, such as in Louisiana where the governor recently declared a state of emergency following “severe, intentional security breaches” on school computer systems. Hefty ransomware demands are paralyzing districts, while also impacting students’ ability to learn and causing panic among faculty, families and children.
At Absolute, we recently released a report on the state of cybersecurity in the education sector, which leveraged data from 3.2 million devices active in 1200 K-12 organizations across North America. It shows that complex IT environments and digitally savvy students are leaving schools massively exposed. More than 90% of education IT leaders are managing up to five versions of common applications, and 42% have students that are actively circumventing security via rogue VPN or web proxy apps.
Although we’ve closed out October and National Cybersecurity Awareness Month, it’s important to continue to shed light on this ongoing issue and seek answers for schools and their students, who remain some of the most vulnerable victims. While large enterprises receive training and guidance needed to help thwart a data breach, these practices remain almost non-existent within our schools – even though students today are much more tech-savvy than any previous student body. It’s this savviness that is actually proving to be a threat in itself, with students using their own digital know-how to work around any existing school security controls… and in parallel, opening up back doors for hackers to sneak in as well.
Although schools remain the second highest targets of these attacks, little has been done to alleviate these issues. IT leaders in schools simply don’t have the bandwidth to be as prepared as they should be for an inevitable cybersecurity incident, and the immediate response is to spend more money that doesn’t exist within an already limited budget. They are so underprepared and under-resourced that a new law has passed in the US Senate, demanding that the federal government ramp up its support for organizations hit by ransomware. No organization could be in greater need than the local elementary school.
Staying calm and maximizing existing defenses are two critical ways to combat a threatening cyberattack. But in order to provide answers and assurances to rightfully concerned parents and faculty, visibility is a non-negotiable. It’s visibility that makes it possible to assert and maintain control. You can ensure the school’s internet safety policies are adhered to and set up alerts to flag any suspicious activity or non-compliant devices. You can take steps to protect highly sensitive student information if a device ends up lost, or in the wrong hands. With full visibility and control, the most effective decisions can be made to limit the extensive damage a cyber attack can cause and to create a more resilient defense system to protect against future attacks.
There were 160 publicly-disclosed security incidents recorded this past summer. The impacts of a data breach can shake normality for any organization, and when it comes to the education sector, schools are being forced to close their doors and wait for the crisis to pass. It is one thing for a hurricane or the next blizzard to cause school closures… it’s another for a cyber attack to disrupt the ability to educate on schedule. The education sector is calling out for assistance, and it’s time to start listening.

Achieving Enterprise Resiliency Requires A Cyber-Committed Board

This article was originally published in Forbes. 
Today, 84% of the total value of the Fortune 500 is comprised of intangible assets. This means that for most major businesses, the value of digital assets, data and intellectual property (IP) is five times greater than that of physical assets. And the core DNA of their businesses, the thing that most needs protecting, lives in the virtual.
As those assets increasingly come under attack due to cyber hacking, fraud or negligence, companies find themselves scrambling to deploy more and more security controls — at a time when the forecasted worldwide security spend is expected to spike to nearly $134 billion in 2022. This trend represents an astronomical investment in defending against the rapidly escalating risk, but has yet to yield a deceleration of cyberattacks.
Against this landscape, the role of the board also continues to evolve — with an increasing expectation that board members bring a basic level of cyber competence to their roles. October was National Cybersecurity Awareness Month, so it seemed an appropriate time to share a few guiding principles that I believe are central to building and fostering cyber awareness, engagement and commitment at the board level.
Recognize cyber risk as a business risk
Cyber risk is not an elusive, cryptic puzzle that cannot be clearly measured and articulated. The same thinking that we apply to corporate governance and managing financial, operational or legal risk can and should be applied to cyber risk. From setting the vision and establishing a framework for success to ensuring investment and overseeing auditing controls, these are the things that boards need to be doing in partnership with management — especially from early on in the operation.
Let’s use financial risk as an analogy. Not all board members are deemed financial experts, but they have competency in understanding the company’s financials, which controls are in place, which additional controls are needed and who is auditing the testing of these controls. The same framework should be applied to cyber risk. Where is the real value in the company, and what are the real risks to those assets? These two questions should be your starting point. From there, all of the same questions apply: Which controls are in place? Which additional controls are needed? How are they being tested, and how do we map against the industry? Will cyber risk be a topic across the board, within specific audit meetings, or within some other committee?
Know how to define ‘enough’
Asking the right question, “Are we doing enough?” is critical. But sound cyber competence means also having the ability to answer the question. It requires the ability to define “enough” in the context of that particular business and the appetite for risk, as well as how to know if “enough” is really working. What makes this especially tricky is that there is no one-size-fits-all formula for measuring risk. It’s possible for an organization to spend an infinite amount on cyber protection and never achieve perfection. And this question can quickly start to feel like an unanswerable one.
I know this from my own personal experience. During my time at Citigroup, I had the opportunity to look deeply at online financial fraud. Similar to cyber mitigation, where you know you will never get to zero, it is important to understand what your level of risk tolerance actually is to help determine what success looks like. Given the nature and scope of your business, what is regrettable versus unacceptable? For example, a board would view employees having personal content on enterprise devices very differently from a nation-state attack or misused consumer data.
Boards should be having open discussions with management to determine where the lines need to be drawn, what is most important, what is achievable and in what investment envelope.
Make resiliency the end goal
Resiliency, by definition, is the ability to bounce back. Achieving enterprise resiliency requires not just the ability to mitigate cyber risk, but also to respond, recover and heal quickly from both real as well as perceived damage.
When the call comes that you’ve been compromised, it cannot be the first time you’re having a conversation about how to respond. Talking through things like escalations, communications, disclosures and communication to customers, partners and regulators, is a worthy exercise for the board and management to undertake together. What are the thresholds? How and when will it be communicated to the board? What are the board’s responsibilities in these scenarios? This is another area where external facilitators can play a helpful role.
As we move forward, enterprise resiliency will increasingly become core to a company’s agility in a crisis. Boards will continue to use acute cyber awareness to drive fundamental shifts in how organizations think about cyber risk and bring forward new ways to build successful, resilient enterprise security strategies.
For more on how to achieve enterprise resiliency with Absolute, visit Absolute.com.

5 Steps to Securing Your School’s Devices Over the Holiday Break

Much to the delight of students, faculty and administrators everywhere, holiday break is almost here! But they aren’t the only ones eagerly anticipating end of semester school closings: criminals are also waiting for campus shutdowns so they can take advantage of the valuable technology now commonplace in schools, from K-12 to colleges and universities.
Before taking off for the semester break, follow these easy steps to ensure your school’s devices and students are safe:

Remind users of safe behavior. Students, faculty and staff that take devices with them should be reminded (more than once) not to leave their individual or school-owned laptops or tablets in cars or other places where they can be easily spotted by crooks looking for an easy score. If someone does fall victim to theft or loses a device during the break, be sure to provide clear direction on the course of action you expect. Who do they notify and how?
Update device software. Cyber criminals are equally troublesome this time of year, with holiday phishing emails putting school networks at grave risk of cyberattack. Use the holiday downtime to push updates to device software and patch known vulnerabilities. If this sounds like an overwhelming task, consider relying on automation for help.
Track your devices. If a device does go rogue, you have a very vulnerable attack vector. Key to mitigating this risk is uncompromised visibility and control over the device, whether it’s on or off the network. Being able to quickly locate a missing or stolen device means you can remotely shut down unwanted network access and, if all goes well with law enforcement’s help, even retrieve stolen devices.
Store devices in locked cabinets and/or alarmed areas. It sounds obvious but you’d be surprised how many laptops, tablets, virtual reality headsets, digital cameras and other small-sized tech gadgets can be left lying around. This type of tech is in high demand and easy to swipe so make it harder for the thieves and keep everything under lock and key.
Don’t leave technology in plain sight. While a determined thief will break in regardless, you can prevent your school from being victimized by someone who otherwise may not have considered pilfering your school’s tech. Remove from view or cover any larger equipment like desktop computers, printers, interactive whiteboards, and other tech that will be left behind.

Technology in our schools enables modern learning paths and brings a new level of innovation to the classroom. But it must be protected. You can safeguard your investment – not to mention your students, teachers and administration along with their data – with the Absolute platform. In the event of loss or theft, you can remotely detect and remediate devices to prevent potential security issues and ensure compliance.
To learn how Klein Independent School District in Klein, Texas tracks, manages, repairs and recovers devices in their 1:1 computing program, download the case study.

Building your Case for School Technology Budgets

By 2025, technology spend in K-12 is forecasted to reach $342 billion. But with school districts around the nation continuing to face serious budget crises, technology in the classroom must be fought for despite its innovative learning properties.
There’s no arguing that rolling out Edtech programs like one-to-one computing and similar initiatives requires significant investment in devices, applications, bandwidth and more. The expectation for every school board, then, is a demonstrable return. To ensure sustainable student technology programs, administrators must be able to show the positive effects of their technology investments. ROI matters.
The best indicator of ROI is almost always found within learning outcomes, but getting to the data that proves technology is raising scores in this area isn’t always easy.
Data-driven Insights
With a one-device-for-every-student program, an important metric to monitor is device use. But measuring use should go far beyond simple distribution figures to include how devices are being used. Are they being used to their full potential on campus, or are they left idle? What does student web activity look like? How many times does a device leave the classroom? Are devices being used at home and for how long?
In our recent study of 3.2 million anonymized K-12 endpoint devices, Cybersecurity and Education State of the Digital District in 2020, we found devices are actually too often underutilized: 21 percent were used for less than 1 hour per day, and 60 percent of devices weren’t used by students at home.
For more on device use in schools, read: Cybercriminals Take Aim at K-12
With this and similar district-wide data, administrators can assess student groups or even individual users and make more informed decisions on improving academic performance.
This kind of analytical information comes only with full visibility of the devices in your endpoint inventory, however. With this kind of insight, you should also have extensive control over those devices, no matter whether they are on or off the district network. Where are they, what are they running, and are their security applications working as they should?
Endpoint Visibility, Control & Resilience
Full visibility and control over these devices will mitigate risk, improve operational efficiency, ensure internet safety policies are adhered to and, when done right, demonstrate compliance so that future discounts from such organizations as e-Rate and Student Support and Academic Enrichment (SSAE) are possible.
Full visibility and control over your device population also provides you with another very powerful capability – endpoint resilience. Making the most of the devices you have, both in and out of the classroom, will improve learning outcomes. Making the most of the tools you have on those devices will tell you whether or not they are working as they should or if they are exposing your district to cyber risk.
For more on how to prove classroom technology ROI and mitigate the risk that technology inevitably brings to students, educators and staff, watch our latest episode of Cybersecurity Insights, K-12 Education 1:1 Programs. And while you’re at it, be sure to subscribe to the Cybersecurity Insights playlist on YouTube.

Schools Under Cyber Siege Need a Path to Resilience

Originally published in THE Journal.
Just as the school year kicked off, families on opposite sides of the U.S. faced temporary school closures. Mother Nature was responsible for some. But not all. While several southeastern states dealt with the effects of Hurricane Dorian, across the country, one Arizona city encountered a very different type of scare. Cybercriminals waged a ransomware attack on the Flagstaff Unified School District, forcing a two-day shutdown for 15 schools serving almost 10,000 students.
Flagstaff is far from alone. In July and August 2019, the number of publicly disclosed security incidents in K-12 schools reached 160 — exceeding the total of all incidents experienced in 2018 by an incredible 30 percent. Nearly 50 school districts and colleges have been hit with ransomware so far in 2019, ranging in nature from disruptive, as in the case of the Flagstaff two-day closure, to catastrophic, which describes the scene in Louisiana when the governor recently declared a state of emergency following “severe, intentional security breaches” on school computer systems.
The Education Sector is Facing a Crisis
It’s one thing for impassable roads to hit pause on a school schedule. It’s an entirely different and unacceptable scenario when cyber extortion not only gets in the way of educating our youth but puts data pertaining to their health, academics and social development at risk of exposure and compromise — not to mention the public funds that are flushed away to ransom payments and cleanup efforts. Yet here we are, co-existing with cybercrime as the new normal and witnessing escalating ransomware attacks turn schools into the second-largest victims of all sectors.
The pace of growth of the “digital school district” continues to climb given the many benefits technology brings to students and educators. Funding for educational technology has increased by 62 percent in the last three years, and the new U.S. Digital Equity Act proposes to commit federal dollars to bring even more tech to the classroom. And while the many benefits of the digital classroom are clear, this rapid growth, combined with complexity and the continued restricted budgets for management, make our schools and our students increasingly vulnerable.
When Complexity and Risk Plague Today’s Digital Classroom, Resilience Matters
Technology is no doubt an asset, though we need to acknowledge not just the risks to student safety and privacy it poses, but also the complexity that IT folks have to wrangle. Education IT leaders once responsible for a few hundred devices, a few dozen apps and a single network have now found themselves managing tens of thousands of devices (as 82 percent of schools now provide students with them), hundreds of apps, and a distributed set of users accessing unknown networks — all with limited resources and budget in most cases. Meanwhile, by clicking on one bad link on a school-issued device, a student can become a conduit for a ransomware attack.
As endpoint and environmental complexities increase, and risk alongside them, it’s no surprise that 68 percent of education IT leaders in the U.S. list cybersecurity as their top priority. In tandem, several state governments, including Louisiana, Texas and North Dakota, have stepped up their efforts to safeguard schools against cyberattacks with various measures such as cyber policy mandates, cyber commission formation and state IT department oversight for schools.
For policymakers, educational institutions and their IT leaders, and even concerned parents, collaborative cybersecurity efforts should rally around the concept of resilience, or the ability to bounce back. Here are three steps to get on the path to cyber resiliency:

Battle the false sense of security. Millions of dollars of public funds are invested in applying security controls in schools — giving parents and educators a false sense of security. Many of these controls are fragile or bypassable — meaning that without consistent monitoring, you may be more exposed than you think. Make the most of the tools you already have and spend your budget on more impactful projects. Ask the question, “Are the controls we already have in place functioning at all times?” Security controls cannot protect you when they are bypassed or taken offline by wily students. Foundational device controls include, at a minimum, anti-malware, encryption, authorized VPN, patch/client management, and web-filtering/firewalling on the client — and all need to be based on a platform that enables visibility and resilience for IT.
Strengthen your immune system. In the complex world of endpoint security, increased security spending does not equate to increased safety any more than taking more vitamins guarantees you will never get the flu. In fact, every additional security tool, while adding protection, also increases the complexity on the endpoint and therefore the probability of failure as agents. A recent Absolute study reveals that schools that have encryption in place experience agent failures on an average of nine devices per day — almost half of which never recover, leaving students and staff at risk of potential data breaches. In order to protect your students, your data and your investment, ensure you have fundamental controls activated to gain a persistent connection to each device — on or off the school network. It’s only then that you can repair or replace critical apps that have been disabled or removed.
Make cybersecurity the air students breathe. Creating a culture of online security and open communication about online threats is not just good practice, it’s an ethical responsibility. Turn it into a game; teach students what attackers do, test them on practical examples, and give each of them a sense of achievement when they win. Yammering on about ransomware crippling the school or how awful an attack would be for their district is unlikely to stop an 11-year-old trying to circumvent security policies. Let them know what villains may try to do, and challenge them to step up and help stop them. Provide a means for them to report suspicious online behavior without fear of punishment. Make them the hero of the cyber resilience story.

The pace of ransomware attacks on schools in 2019 suggests another victim will feel imminent pain and, as such, the urgency to heed these steps cannot be overstated. It’s a tricky but doable balance: enabling the digital classroom to thrive while also protecting student safety and privacy.
