Advertisement

How Educational Institutions Can Fortify Security Defenses

By on
Read more about author Don Boxley.

I admit it: I was one of those kids who was genuinely excited when back-to-school time rolled around. I couldn’t wait to get to the store to buy my new notebooks, multicolored folders, pencils, pens, and highlighters. And the thought of seeing my friends who I hadn’t had a chance to see over the summer was the icing on the cake. But much has changed since I went to elementary school. Today, for instance, IT professionals in educational institutions may find this time of year to be less exciting and just a bit more daunting. This is because back-to-school time means a massive spike in user traffic, not to mention a significant uptick in ransomware and other malware attacks. 

Due to their notoriously underfunded IT departments, educational institutions are becoming increasingly popular targets for cyber-criminals. Despite possessing a great deal of valuable information (personally identifiable information, student records, protected health information, financial information, etc.), organizations in this sector generally have fewer professionals dedicated to data security and less-than-optimal security technology. 

If a ransomware attack occurs, even if the exorbitant ransom can be paid, there really isn’t any assurance that the data will be returned and/or not leaked (too many have learned this truth the hard way). In education, government regulations can further intensify the negative impacts of such attacks.  Fines and other penalties can be severe in cases of non-compliance with data security under such regulations as: 

  • FERPA (Family Educational Rights and Privacy Act) – Governs the privacy of student education records
  • GDPR (General Data Protection Regulation) – Applies to institutions dealing with data of EU residents
  • GLBA (Gramm-Leach-Bliley Act) – Protects the security and confidentiality of consumer information
  • HIPAA (Health Insurance Portability and Accountability Act) – Applies to health information in certain contexts

Limited Funding Can Mean A Lack of and/or Outdated Technology

Even if you are the most skilled and experienced IT professional, there is only so much you can do if you lack the technology needed to get the job done. It’s like asking Mario Andretti to win a race, but giving him a car with bicycle wheels on it – ain’t gonna happen. 

Today, IT professionals are being tasked with protecting their organization’s IT infrastructure with outdated, maintenance-intensive technologies like virtual private networks (VPNs), which are not equipped to protect against modern threats that today’s sophisticated cyber-criminals can throw at them. Here’s why:

  • VPNs provide unrestricted access, exposing the entire network to lateral threats
  • VPNs rely on physical devices that require expensive, ongoing maintenance
  • VPN hardware represents a single point of failure, potentially causing a total network outage

In fact, research from Malwarebytes’ ransomware specialist, Marcelo Rivero, backs this up – showing that 2023 was the most challenging year on record for ransomware attacks in the education sector, with a 70% surge in attacks.

Software-Defined Perimeter (SDP)

Organizations in virtually every vertical sector are turning away from VPNs and replacing them with software-defined perimeters (SDP), finding that they can provide superior protection against today’s threats. Not only that, they are usually much more affordable and deliver a much greater ROI. At a high level, here’s how:

  • SDP provides highly reliable Zero Trust Network Access (ZTNA) tunnels that create connections directly at the application layer
  • Application-layer connections limit the broad network access typically granted by VPNs and eliminate the threat of lateral attacks
  • Software-defined solutions remove the dependency on physical hardware, drastically lowering maintenance expenses and eliminating unnecessary failure points in network environments

The advantages of SDP for improved security and eventually cost savings are clear. However, an upfront investment is still necessary, and even relatively small investments can seem entirely unattainable for educational institutions that are typically constrained by tight budgets.

K-12 Schools and Higher Education Institutions Funding Options 

Various grant opportunities and funding resources are available to help educational institutions strengthen their cybersecurity efforts. These grants, which can be obtained from federal, state, and private sources, are intended to support K-12 schools and higher education institutions in enhancing their digital infrastructure, implementing cybersecurity measures, and safeguarding against cyber threats.

These programs include:

  • Cybersecurity and Infrastructure Security Agency (CISA) Resources – “CISA offers an array of free resources and tools, such as technical assistance, exercises, cybersecurity assessments, free training, and more…”
  • Cybersecurity Education Training Assistance Program (CETAP) – “The Cybersecurity Education and Training Assistance Program (CETAP) equips K-12 teachers across the country with cybersecurity curricula and education tools that focus on growing and educating the next generation of the cyber-literate workforce…”
  • DHS Grants – “The Department of Homeland Security (DHS) provides grants to state, local, tribal, and territorial jurisdictions that can be used for training, exercises, planning, personnel, and equipment to prepare for many threats and hazards…”
  • E-Rate: Universal Service Program for Schools and Libraries – “The FCC’s E-Rate program makes telecommunications and information services more affordable for schools and libraries. With funding from the Universal Service Fund (fcc.gov/general/universal-service-fund), E-Rate provides discounts for telecommunications, Internet access, and internal connections to eligible schools and libraries…”
  • Elementary and Secondary School Emergency Relief (ESSER) Funds – “The Elementary and Secondary School Emergency Relief Fund (ESSER) was established as part of the Coronavirus Aid, Relief, and Economic Security (CARES) Act in March 2020. CARES provided direct funding to states and districts to address the impact COVID-19 has had, and continues to have, on elementary and secondary schools across the nation…”
  • National Science Foundation (NSF) Grants – “The U.S. National Science Foundation offers hundreds of funding opportunities — including grants, cooperative agreements, and fellowships – that support research and education across science and engineering…”
  • Private Grants and Foundations – Examples include the Bill & Melinda Gates Foundation and the Michael and Susan Dell Foundation.
  • State and Local Cybersecurity Grant Program (SLCGP) – “The State and Local Cybersecurity Grant Program provides funding to eligible entities to address cybersecurity risks and threats to information systems owned or operated by, or on behalf of, state, local, or tribal governments…”
  • State Grants and Funding Programs – “The federal government awards hundreds of billions of dollars in grants to state and local governments each year. These grants help finance a broad range of services, including health care, education, social services, infrastructure, and public safety…”

Strategies to Improve Your Chances for Success 

  • Identify Needs – Evaluate your institution’s specific cybersecurity requirements and vulnerabilities to understand the types of funding needed
  • Research Opportunities – Regularly visit the websites of federal agencies (such as the U.S. Department of Education, DHS, and CISA), state education departments, and private foundations to find available grants
  • Partner with Local Entities – Explore partnerships with local governments or higher education institutions to gain access to additional funding opportunities
  • Prepare a Strong Proposal – Create a detailed proposal that clearly outlines your cybersecurity needs, the actions you plan to take, and how the funding will be utilized to reduce risks and enhance security

Also, Grants.gov is a U.S. government website that serves as a centralized platform for finding and applying for federal grants across various agencies, as well as providing advice and guidance for application success.

School Security Assessment Tool (SSAT)

If you work at a K-12 institution and want a free tool to assess your organization’s current cybersecurity strategy, check out the free School Security Assessment Tool (SSAT). Created by the Cybersecurity & Infrastructure Security Agency, this tool helps your organization to see how it measures up with best practices. The tool also provides recommendations on where and how to improve your overall approach. You can access this valuable tool right here.

Once you have the budget and/or funding, what should you do?

Modernize Your Security with SDP

The ideal software-defined perimeter (SDP) solution should focus on enhancing security, simplifying network management, and improving the performance of applications across distributed environments, such as hybrid or multi-cloud deployments. Key features should include:

  • Application-Level Micro-Tunneling – lightweight, application-specific tunnels that only allow access to specific applications or services
  • High Availability and Fault Tolerance – built-in features for high availability and fault tolerance, ensuring that critical applications and services remain accessible even in the event of network failures or disruptions
  • Multi-Cloud and Hybrid Support – designed for flexibility, supporting secure connectivity across on-premises, hybrid, and multi-cloud environments, allowing organizations to connect resources across different data centers, cloud providers, and edge locations securely
  • No VPN Needed – SDP does not require persistent tunnels or open ports, which can be exploited by attackers; it uses outbound-only connections that are less vulnerable to attack
  • Simplified Management and Deployment – easy to deploy and manage, with a centralized console that provides visibility and control over all network connections and resources
  • Zero Trust Network Access (ZTNA) – a zero-trust security model, which assumes that no user or device, whether inside or outside the network, should be trusted by default

If you get your organization’s network security up to snuff, what other innovative technologies can be particularly beneficial to the education sector? 

SQL Server Containers Provide Unparalleled Scalability and Optimize Resource Utilization

Emerging SQL Server container technology should also be on the radar of IT professionals operating in the education industry. IT teams need to look for solutions that make it easier to scale with the massive range of seasonal demands waged on their data environments. New SQL Server container solutions fit this bill by allowing organizations to spin up totally customizable, highly available SQL Server Availability Groups (AGs) in Kubernetes (K8s) in seconds. In addition, these new solutions can provide the ability to create cross-platform hybrid AGs containing instances and containers.

Put another way, SQL Server container technology allows you to move your organization’s most critical SQL Server workloads to a flexible, containerized environment while maintaining continuous uptime. For the education sector, it offers the agility to scale your SQL Server environment in real time to meet seasonal demand, ensuring optimal resource utilization. As a result, your organization can enjoy cost savings and free up man-hours to allocate to other business-critical requirements.