Cyber Hygiene: Keeping your Data Safe and Secure

March 10, 2025

Aeries is committed to keeping students' data safe and secure. Learn about the ways your site can promote strong cyber hygiene tactics.

Cyber Hygiene - Aeries Student Information System Best Practices

Recent high-profile breaches that exposed the sensitive information of millions of users underscore the risk, reminding us that our education system, as part of our nation’s critical infrastructure, is a prime target for attackers. Just as personal hygiene prevents illness and promotes health, cyber hygiene helps prevent data breaches, identity theft, and other forms of cybercrime. Working in education, we handle sensitive Personally Identifiable Information (PII) on a regular basis. We have an important responsibility to uphold and promote the highest data security standards: our customers and their students depend on it. Along with formalized standards like NIST and ISO, we also use the most up-to-date information available regarding recent breaches and other cyber incidents to guide best practices.

How can you maintain cyber hygiene standards within your school or district?  

Two-Factor Authentication (2FA) adds an additional layer of security to your online accounts by requiring a second form of verification beyond just your password. This could be a code sent to your phone, a fingerprint scan, or even a physical token. Although 2FA has historically been viewed as a supplemental enhancement, it is now recognized as a fundamental practice of access control. Implementing 2FA is a critical component of any cybersecurity program, as the modern tools and information available to attackers have made passwords alone insufficient for long-term protection. Aeries already offers 2FA as an easily enabled feature; we continue to promote and strongly recommend its adoption for users who have yet to enable it in their environment. We also welcome and encourage feedback from our users regarding their experience in implementing 2FA.

Regular permissions audits are critical and involve reviewing and adjusting the permissions and access rights of users within your organization. This not only ensures that only authorized individuals have access to sensitive information, but also that any unnecessary or outdated permissions are revoked. A common symptom of irregular or neglected auditing is “privilege creep”: the gradual accumulation of unneeded permissions. Privilege creep often occurs over time as users change roles and their access needs change. It is critical that systems are audited regularly and that users’ need-based permissions are updated at the same time their workflows change.

Long and simple passphrases are now being recommended instead of highly complex passwords. At Aeries, we rely heavily on the National Institute of Standards and Technology (NIST) standards to ensure best practices. They suggest that passphrases should:

  • Be between 16 and 64 characters
  • Include capitalization, spaces, and punctuation 
  • Be a combination of memorable but unrelated words (ex. “Luk3Skyw@lker Saxophone Donuts Skateboard Beehive.”) 
  • NOT be common phrases or easily guessable information 
  • NOT be reused from one account to another  
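As an added example (not Aeries code or part of the original post), the following Python checker applies the five rules above to a candidate passphrase. The common-phrase blocklist and the reuse history are constructed sample data, and the PBKDF2 settings are an assumption rather than anything the post specifies.

```python
import hashlib
import os
import string
from hmac import compare_digest

MIN_LEN, MAX_LEN = 16, 64   # the 16-64 character range from the guidance above
PBKDF2_ROUNDS = 100_000     # assumed work factor for the salted reuse-history hashes

# Constructed sample blocklist; a real deployment would load a much larger
# list of common phrases and breached passwords.
COMMON_PHRASES = {
    "correct horse battery staple",
    "mary had a little lamb",
    "to be or not to be",
}


def _normalize(passphrase: str) -> str:
    """Lower-case, collapse whitespace and drop edge punctuation so trivial
    variants of a common phrase still match the blocklist."""
    return " ".join(passphrase.lower().split()).strip(string.punctuation)


def hash_passphrase(passphrase: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest); reuse-history entries are stored in this form,
    never as plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def was_used_before(passphrase: str, history) -> bool:
    """Re-derive the digest under each stored salt and compare in constant time."""
    return any(compare_digest(hash_passphrase(passphrase, salt)[1], digest)
               for salt, digest in history)


def check_passphrase(passphrase: str, history=()) -> list:
    """Return the rules the passphrase violates; an empty list means it is acceptable."""
    problems = []
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not any(c.isupper() for c in passphrase):
        problems.append("must include a capital letter")
    if " " not in passphrase.strip():
        problems.append("must include spaces between words")
    if not any(c in string.punctuation for c in passphrase):
        problems.append("must include punctuation")
    if _normalize(passphrase) in COMMON_PHRASES:
        problems.append("must not be a common phrase")
    if was_used_before(passphrase, history):
        problems.append("must not be reused from another account")
    return problems
```

The "memorable but unrelated words" rule cannot be enforced mechanically, so the checker leaves it to user education.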

Avoiding prolonged or unnecessary data archiving is an essential component of minimizing the impact when a breach occurs. “It’s not if a breach happens, but when a breach happens”: that is the mindset of those who remain vigilant in protecting data and who recognize the constant threat of a breach and its consequences. Collecting unnecessary data and retaining data longer than required creates a stockpile that attackers will leverage when a breach occurs. Implementing and conducting regular audits of data retention requirements, policies, and data destruction practices ensures that the only data retained in your systems is data that is essential for operations or compliance purposes. Data found during your audits that does not comply with your data retention policies should be reviewed by a dedicated data retention group and disposed of in accordance with documented data destruction procedures.

Recognizing and countering social engineering attacks requires consistent training. Social engineering relies on manipulating human psychology to gain unauthorized access to systems and data. With the advances in AI, social engineering is becoming exponentially more frequent and pervasive, capable of reaching nearly all users in a very convincing fashion. Recent successful breaches have shown that social engineering is among the most effective tactics attackers use. The greatest defense against it is educating employees and ensuring that vendors and partners are educating their employees as well. It is critical that every user, contractor, or partner be aware of common social engineering tactics (ex. phishing, smishing, impersonation, phony password reset requests, etc.) and know how to recognize and respond to them. Regular training and awareness programs are the principal tools for mitigating these risks.

Aeries is committed to upholding and continuously improving the cybersecurity posture of our critical infrastructure that supports our nation’s education systems. We understand and listen to the schools, parents, students, and staff that are counting on us to stay informed and vigilant. Please join us in helping to secure the privacy of our users and the data we have all been entrusted to protect. We encourage you to continue providing your staff members with the professional development, resources, and reminders they need to promote the best cyber hygiene possible.  

To learn more about how to protect your students’ data, read the NIST Digital Identity Guidelines or the CISA Guidance on Phishing and Social Engineering.