Breaches of education information systems are on the rise. The reason is the wealth of data that school districts and colleges possess: Social Security numbers, bank accounts, health information and other personal information required for school records.

In many (most) cases, this information is available across a school’s student information system (SIS), human resources, accounting, and other systems. Thus, a breach of one system likely allows access to each of the other systems. In sum, this is not a great thing for the parties in this equation: students, staff, and the IT professionals who manage the technology in which this data is stored.

For some perspective about why this is an important conversation to have, let’s consider the following:

According to Ponemon's 2017 and 2018 “Cost of a Data Breach” studies, the average data breach costs $225 per compromised record. Within U.S. education, data breaches cost $245 per compromised record. Worldwide, the average education breach cost is $200 per record.

Worldwide, educational entities take 221 days to identify a breach and 83 days to contain it. For comparison, those in the financial sector typically detect a breach in 155 days and contain it within 34 days.

The takeaway here is that the longer it takes one to identify the threat, the higher the cost and damage of the breach.

Education and those protecting its data can’t afford to ignore the threat of breaches, as the education sector is the third most targeted industry for data breaches.

Data breaches are unique for each circumstance. No one-size-fits-all solution exists. In one example, a ransomware attack last fall in West Virginia knocked an entire school system offline: all student iPads were affected; some remote desktop connections were lost; the entire management system used previously was lost in the attack. A full system rebuild was necessary, with IT workers physically pulling out hard drives for every computer in the schools to check and reinstall them. Servers were wiped clean.

Separately, in Watertown, Connecticut, on Nov. 1, computers throughout its five public schools were infected with ransomware. The district’s three-person IT team and an outside consultant have been working seven days a week since to rectify the breach. Computer desktops, presentation software, smart boards, and the computer labs have all been restored.

In Texas, Manor Independent School District is out $2.3 million from a phishing scam. Investigators say the phishing email was sent to multiple people at the school district, and it was a single person that responded.

Another attack was reported by California’s Pittsburgh UFSD, which has been affected by a ransomware incident since before Christmas. In a note posted to its website, the superintendent wrote: “We will be teaching and learning like ‘back in the day’… without laptops and internet. Our schools have access to student information, and our phones are working. We still are not able to receive email, so please call your child's school if needed. At this time, we do not have any indication that personal data/information has been compromised. We are continuing to investigate and work with a cybersecurity team and experts.”

The list goes on. Each of these examples was collected across two weeks in January 2020. It's not hard to find examples of schools under attack by hackers.

Security of education data systems requires a holistic and multifaceted approach. There are several steps to take, some of which follow. Here are five steps you can take to ensure proper barriers are in place against those who would ravage the information housed within a school district.

1. Training staff

The first and simplest point of action is to run district staff through a course at the start of each year to make security a priority. These sessions take only a few minutes to cover the essential security information, such as treating all devices as capable of accessing school district data, protecting passwords (without writing reminders where others can easily find them), and exercising caution with email and the dangers it may contain. Ensure that the sessions portray the actual seriousness of the threats that exist on a daily basis and what the ramifications of not being diligent can be.

2. Threat simulations

Most breaches are the result of human error, many because someone clicked a link in a nefarious email. Many breach attempts are designed to look like legitimate messages and are thus easier to fall for than might be expected. Spear-phishing is one example: these emails tend to cause breaches because they target specific personnel within the organization, may reference a department, and look similar to everything else in your inbox on a given day.

To mitigate this, test staff. Consider using free or paid phishing simulators to periodically test users’ ability to detect phishing emails. These tools provide alerts and reports whenever anyone mistakenly clicks on or responds to one of these messages.

Using one of these simulators allows you to put your users through active training to help them learn to be more secure. If something about a message looks a little off, verify it before responding.

3. Evaluate accounts

To keep threats at bay, you’ve got to evaluate the accounts within your current stable. By assessing all of the activated accounts within your school district's environment, you can have a tremendous effect on shoring up security and minimizing digital bloat.

Look for orphaned accounts within your systems — those of former students and staff that individuals may still have the ability to access. Review your processes to determine which accounts people should have access to and update that access as appropriate, such as during job or grade changes. Consider doing this regularly — perhaps as you update user accounts from the previous year.

4. Review user account life cycles

To effectively manage data repositories and access to them, determine the process for deactivating user accounts once a student has graduated, transferred, or matriculated. Consider the same approach for staff who retire, take a position elsewhere, or move on. If you don’t do this, most of these accounts become orphaned.

Automating account deactivation is a crucial step within user account life cycles. Optimize your deactivation processes to determine how fast and comprehensive they are when it comes to restricting accounts. Rapid responses can prove invaluable and create peace of mind that comes from knowing your processes dictate when and how accounts and access to information are cleaned up.
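
One way to run the review described in steps 3 and 4, as an added example that is not from the original article: a Python audit that compares an account export against the SIS/HR roster and flags enabled accounts with no active owner or no recent login. The CSV columns, the sample rows, and the 180-day threshold are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample exports (not real data); column names are assumptions.
ROSTER_CSV = """person_id,role,status,exit_date
S1001,student,active,
S1002,student,graduated,2019-06-14
S1003,student,active,
E2001,staff,active,
E2002,staff,retired,2019-12-20
"""

ACCOUNTS_CSV = """username,person_id,enabled,last_login
jdoe,S1001,true,2020-01-10
asmith,S1002,true,2019-06-01
mgarcia,S1003,true,
tlee,E2001,true,2019-03-02
rkhan,E2002,false,2019-12-19
labtemp,,true,2018-09-01
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def audit_accounts(roster_rows, account_rows, today, stale_days=180):
    """Return {username: reason} for enabled accounts that need review."""
    roster = {r["person_id"]: r for r in roster_rows}
    findings = {}
    for acct in account_rows:
        if acct["enabled"].lower() != "true":
            continue  # already deactivated, nothing to do
        person = roster.get(acct["person_id"])
        if person is None:
            findings[acct["username"]] = "orphaned: no roster record"
        elif person["status"] != "active":
            findings[acct["username"]] = f"orphaned: owner {person['status']} on {person['exit_date']}"
        elif not acct["last_login"]:
            findings[acct["username"]] = "unused: never logged in"
        else:
            idle = (today - date.fromisoformat(acct["last_login"])).days
            if idle > stale_days:
                findings[acct["username"]] = f"stale: no login for {idle} days"
    return findings

if __name__ == "__main__":
    report = audit_accounts(load(ROSTER_CSV), load(ACCOUNTS_CSV), date(2020, 1, 31))
    for user, reason in report.items():
        print(f"{user}: {reason}")
```

Running the same comparison on a schedule, and feeding its findings into the deactivation process, shows how quickly exited students and staff actually lose access.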

5. Implementing a secure single sign-on portal

A single entry point (one set of access credentials entered at an initial prompt to gain access to the systems) for the majority of your data and information systems can make user access easier for all parties. Specifically, users need to remember only one set of credentials, while administrators protect resources without reducing access.

Likewise, applications and systems containing sensitive information can be made inaccessible from anywhere other than school grounds to prevent risks. Implement solutions to maintain logs of user activity to help determine when and how any investigated access events occurred.
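
A sketch of how the activity logs can be used to check the on-campus restriction, as an added example that is not from the original article: it scans sign-on log lines and reports any access to a sensitive application from an address outside the school's networks. The log format, application names, and network ranges are constructed assumptions.

```python
import ipaddress
import re

# Assumed campus ranges (private and documentation addresses, constructed).
CAMPUS_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "198.51.100.0/24")]
SENSITIVE_APPS = {"sis", "hr", "accounting"}  # hypothetical application identifiers

# Constructed sample sign-on log; the line format is an assumption.
SAMPLE_LOG = """\
2020-01-14T08:02:11Z user=jdoe app=sis src=10.20.4.17 result=success
2020-01-14T21:40:03Z user=asmith app=hr src=203.0.113.45 result=success
2020-01-14T21:41:10Z user=asmith app=lunchmenu src=203.0.113.45 result=success
2020-01-15T02:13:55Z user=tlee app=accounting src=192.0.2.9 result=denied
not a log line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) app=(?P<app>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)

def on_campus(addr):
    """True if addr falls inside one of the campus networks."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed address
    return any(ip in net for net in CAMPUS_NETS)

def off_campus_sensitive(log_text):
    """Return (events, skipped): off-campus hits on sensitive apps, unparsable line count."""
    events, skipped = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        try:
            inside = on_campus(m["src"])
        except ValueError:
            skipped += 1
            continue
        if m["app"] in SENSITIVE_APPS and not inside:
            events.append((m["ts"], m["user"], m["app"], m["src"], m["result"]))
    return events, skipped

if __name__ == "__main__":
    hits, bad = off_campus_sensitive(SAMPLE_LOG)
    for ts, user, app, src, result in hits:
        print(f"{ts} {user} -> {app} from {src}: {result}")
    print(f"{bad} line(s) could not be parsed")
```

A `denied` result shows the restriction working as intended; a `success` from an off-campus address means the application is still reachable from outside and the access event should be investigated.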

School districts, it is easy to argue, possess critical and valuable personally identifiable information (PII) stored within their technology systems. Because of this, district leaders must take security issues seriously and make a plan to do so.