For years, the evolution of education has intertwined with digital technology, requiring educators to build and maintain a resilient digital infrastructure that supports learning, regardless of geographical location. Digital platforms play a vital role in modern education, making cybersecurity and data privacy paramount to the success and security of our modern education sector.
CISA and the U.S. Department of Education’s recently published K-12 Digital Infrastructure Brief highlights key tenets of a secure educational digital infrastructure, as well as meaningful actions that practitioners and vendors alike can take to drive the security of our K-12 schools.
Sophos aims to help our K-12 partners strategically approach cybersecurity risks and build a more defensible and resilient digital infrastructure, which can be framed around the five core functions of version 1.1 of NIST’s Cybersecurity Framework.
Properly identifying an organization’s digital footprint and third-party dependencies is a critical part of managing cybersecurity risk. By identifying assets and critical systems, practitioners can remediate unpatched or underpatched services, mitigate exploitable vulnerabilities, and manage vendors and third-party risks as early as the procurement process.
Sophos, in collaboration with our partner Tenable and our professional services team, is proud to offer vulnerability scans that provide actionable vulnerability information and remediation suggestions to help improve an organization’s security posture.
Additionally, we offer best practices for reviewing supplier access and application privileges, and for proactively monitoring supplier security bulletins to minimize supply chain attacks and security disruptions.
It’s been said before, and will be said again, but basic security precautions can make all the difference. Deploying multifactor authentication, requiring minimum password lengths, and using password managers are simple but critical steps that can be taken to better protect our K-12 environments.
Basic cybersecurity training should be a prerequisite for staff and students, as it is key to preventing two of the most successful attack vectors: phishing and password theft. Additionally, by training students in online safety, digital privacy, and how to deal with cyberbullying and harassment, we can empower them to better navigate the digital world.
Sophos has seen success reducing the largest attack surface – an organization’s end users – through the use of our training tool Phish Threat, which allows administrators to simulate hundreds of realistic and challenging phishing attacks in just a few clicks.
Cybersecurity is a team sport: let’s play together. CISA highly recommends that K-12 bodies join organizations such as MS-ISAC and REN-ISAC, where members receive threat intelligence, detection and response assistance, webinars on critical issues, and cybersecurity advisories and notifications. The Department of Education and CISA also offer free cybersecurity programs, trainings, and tools.
For more in-depth protection and updates, Sophos offers managed detection and response services, which consist of an instant security operations center, 24/7 threat detection and response, expert-led threat hunting, and full-scale incident response – all available to be customized to your specific needs.
If an incident does occur, it can be overwhelming, time consuming, and costly, and practitioners in the education space also need to consider legal reporting requirements.
After CIRCIA was signed into law in March 2022, CISA was called on to establish a mandate under which critical infrastructure entities must report certain cyber incidents to CISA within 72 hours of reasonably believing an incident has occurred, and report ransom payments within 24 hours of payment. Education was first identified as critical infrastructure in 2006, and was most recently reaffirmed as such in the fiscal year 2021 National Defense Authorization Act.
Sophos is capable of full-scale incident response, but also wants to enable practitioners before an incident occurs. Our new Incident Response Retainer guarantees credit toward full remediation in the event of an incident, but also guides organizations to proactively improve their security posture through vulnerability scans, existing deployment health checks, and incident response handling guides and preparation sheets.
Building resilience means preparing for the inevitable cyber incidents. By ensuring that incidents and errors have limited and transient impacts, educational institutions can swiftly recover and continue their operations, minimizing disruptions to learning and administration.
The highest-impact preparation for schools affected by an incident is practicing restoring systems from backups. This keeps data loss to a minimum and, when rehearsed, allows normal operations to be up and running again as soon as possible.
To build a future-proof digital infrastructure, K-12 schools require technology that is safe, accessible, resilient, sustainable, and capable of adapting to evolving technological landscapes. District leaders, tech leaders, educators, students, families, and state leaders must collectively contribute to the establishment and maintenance of a secure educational environment. Furthermore, students need to be empowered to navigate the digital world safely.
We are constantly working to improve accessibility features to accommodate diverse users, and we regularly undertake third-party risk assessments aligned with the NIST Cybersecurity Framework and ISO 27001 controls. We also know security is a team sport, and welcome researchers to our bug bounty program to keep our products and customers safe.
Sophos commits to contributing to this secure environment by prioritizing “Secure by Design” principles, with software and systems built with security at their core. We believe security should come as a default, not an add-on, and we look forward to continuing to protect and enable the millions of students and others we already serve today.
To learn more and discuss how Sophos can help you, contact your Sophos representative or request a call-back from our security specialists.