EdTech Crisis Management: Safeguarding Student Data
CRISIS MANAGEMENT STARTS WITH PREPARATION
In the first six months of 2019, more than 3,800 data breaches were reported in the United States, with eight major breaches exposing more than 3.2 billion records – enough to send your crisis management team into a cold sweat. Even more concerning, regulators don’t require companies in most industries to publicly report a breach, so breaches aren’t always reported. In fact, an estimated 65 percent of all breaches in the United States have gone unreported this year.
The numbers are frightening, especially when you consider the people associated with the data. In the education market, that may mean students.
Putting a cybersecurity protocol in place is essential. Student data privacy is a priority for administrators, teachers, students and families. While EdTech vendors are not required to prepare schools for cyber threats, they should do their due diligence by leading with safe practices.
As education vendors, we know you’re also handling an ever-increasing volume of student data on behalf of school districts. While school districts are working to keep themselves safe from cyberattacks, vendors also need to establish protocols to ensure they are not vulnerable. If you were to get hacked, your student data could become accessible, and that’s when the lawyers get called.
According to Paul Hager, President and CEO at Information Technology Professionals (ITP), cybersecurity starts at the top. “The leadership team cannot be afraid; they must set the tone by being educated and proactive.”
When talking about student data, every EdTech company can benefit from a proactive cybersecurity strategy. By taking preventative measures and involving every member of your team in your security plan, you’ll show customers that protecting their data is a top priority.
CREATE A CULTURE OF SECURITY
To understand how EdTech companies can better equip themselves to face a security crisis and public fallout, we sat down with Lauren Reid, director of marketing in forensics at Gillware, a data recovery and digital forensics firm.
The first piece of wisdom Reid shared was simple: ransomware is the single largest threat to businesses of all sizes in all industries. Malicious actors plant ransomware, a type of malware, after they’ve gained access to a business’ network. This access is most commonly gained through phishing, compromised login credentials or remote access tools. Once deployed, ransomware encrypts data, files and systems – often crashing the network. From there, the malicious actors demand a sizable ransom payment to recover the data.
And it’s only getting worse. In 2019, business detections of ransomware are up 365 percent from last year.
For those who would like to review their current ransomware response procedure, Gillware’s Ransomware Stress Test is a free self-assessment tool that analyzes your practices, procedures and configurations to evaluate your susceptibility and ability to respond.
When companies understand what they’re up against, they can build better defenses. Knowing that ransomware can happen to anyone, anywhere, and at any time should be a wakeup call that your valuable company and client data face real risks.
MAKE THE CASE FOR CRISIS MANAGEMENT
Everyone in your company has room to improve their online habits, so anyone on your team can get the ball rolling on refining company-wide practices. If leadership is hard to convince, point them to one of the many recent articles indicating cyberattacks are on the rise.
These news articles illustrate the intensity and urgency of school hacking in 2019:
- Hackers’ Latest Target: School Districts – New York Times
- Schools Brace for Cyberattacks – Wall Street Journal
- Report: Schools One of the Biggest Targets for Ransomware – Government Technology
PRACTICE THIRD-PARTY DUE DILIGENCE
Vendors have a responsibility to make sure schools understand risks. EdTech vendors can raise awareness of the threat to student data privacy and offer support to strengthen cybersecurity practices.
A recent report from District Administration found that smaller, less protected schools are at a greater risk of cyberattacks and rank higher on hackers’ hit lists. While larger school districts have more student data to harvest, smaller schools lack the resources to put up strong, resilient cyber barriers, making them easier targets.
According to the same report, many school leaders feel their backup systems are adequately protected, but external validation and testing ensures that a district has prepared for all possible scenarios.
FOLLOW THE NEWS
Be proactive in following news of security breaches. Breaches in which data is compromised or taken are publicly reported and often appear in the national news cycle – not all will, but the biggest breaches tend to make headlines (and chyron lines). If you’re tuned in, you will know when cybersecurity breaches occur and can take the necessary steps. In the event of a widespread incident, audit your accounts and let your colleagues know so that they can do the same.
One tool to utilize after a breach is HaveIBeenPwned.com, which can tell you if your information has been compromised. If any major provider of yours has a breach, be sure to update your passwords and prompt your team to do the same. It only takes one unsecured password for another breach to occur. And, speaking of passwords, make sure they’re difficult to crack.
CRISIS MANAGEMENT 101: START WITH STRONG PASSWORDS
Establishing complex and unique passwords for every account is one of the first lines of defense. “It’s best if you don’t actually know any of your passwords,” said Reid, who recommends using a password manager, like Passpack or LastPass, to store all of your individual complex passwords of letters, numbers and symbols. This way, your passwords can be unique, much harder to hack, and in general, safer.
Hager echoed this notion. “The key to passwords is length. The longer the password, the harder it is for computers to break in.” Length is a key piece to your password entropy: a predictive measure of how difficult a password would be to crack via common hacking practices.
Hager also cautions against re-using passwords, as 50 percent of people are guilty of using the same password on both personal and work log-ins. When you repeat passwords, you’re setting your networks up for follow-up breaches.
CREATING A SECURE PASSWORD
Another way to set up a robust password that is easy to remember is to use this template: Adjective, subject, verb, number, punctuation. For example, the password StinkyDogsLeaping46@$ is difficult to guess for either a human or a computer. This combination is long enough to have a strong password entropy but easy enough for you to remember.
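An added example (not from the original article or the experts it quotes) that estimates the entropy of the sample password two ways: from its length and character pool, and from the number of choices the template allows once the template itself is known. The slot sizes in `TEMPLATE_SLOTS` are assumptions chosen for illustration, not measured values.

```python
import math
import string

# Character classes an attacker must cover if the password uses them.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]

def charset_entropy_bits(password: str) -> float:
    """Upper bound: every character drawn at random from the classes in use."""
    pool = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0

# Assumed (illustrative) number of options for each slot of the template
# adjective, subject, verb, number, punctuation. Not measured values.
TEMPLATE_SLOTS = {
    "adjective": 2000,
    "subject": 5000,
    "verb": 3000,
    "number (00-99)": 100,
    "punctuation (2 symbols)": len(string.punctuation) ** 2,
}

def template_entropy_bits(slots: dict[str, int]) -> float:
    """Entropy when the template is known and each slot is picked at random."""
    return sum(math.log2(n) for n in slots.values())

if __name__ == "__main__":
    pw = "StinkyDogsLeaping46@$"   # the article's example password
    print(f"length               : {len(pw)}")
    print(f"charset upper bound  : {charset_entropy_bits(pw):.1f} bits")
    print(f"template-aware value : {template_entropy_bits(TEMPLATE_SLOTS):.1f} bits")
    # Adding a second random subject word shows why length (more slots) helps.
    longer = dict(TEMPLATE_SLOTS, second_subject=5000)
    print(f"with one more word   : {template_entropy_bits(longer):.1f} bits")
```

The first figure assumes every character is random; the second is closer to what the template provides when the words are chosen at random, and it shrinks further if the words are picked by hand.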
As mentioned, it is wise to use completely unique passwords for each of your accounts. According to EdTech Focus on K-12, 83 percent of Internet users reuse passwords on multiple websites. If you recycle one password across channels, a single hack can quickly multiply.
If you learn of a data breach that could affect your company information or personal accounts, prioritize changing your password or setting up two-factor authentication (2FA). Basically, 2FA requires an additional form of verification, like a four-digit code sent to your phone or the correct answer to a security question. From a hacker’s perspective, that’s two codes to break, with more room for error and detection, making you less of a target.
But what happens when a breach occurs? Time to follow your crisis management plan.
DEVELOP A CRISIS MANAGEMENT PROTOCOL
Reid stressed that every business needs to have an incident response plan in place. One crucial component of a response plan is a breakdown of whom to contact and when to contact them in the event of an incident, both internally and externally.
If you don’t have a PR plan in place for emergencies, work with a professional to proactively prepare for a potential PR nightmare. Your team needs to know how to communicate a breach (or any crisis) to your audience effectively and efficiently.
PREPARING A PUBLIC RELATIONS CRISIS STRATEGY
Establish and document points of contact for the internal technical team, executive leadership, public relations, in-house or external legal counsel, and the cyber insurance provider. All these teams must work together to minimize the damage of a digital breach. Following the outlined chain of command prevents the incident from spiraling out of control and allows the business to manage it appropriately.
It’s important to rehearse your protocol with your entire team. By conducting a practice round, you can assess performance, identify areas for improvement and develop the confidence that you are ready for the real thing.
Drawing from Gillware’s role in incident response, Reid outlined five essential steps for any protocol:
1. Contact your insurance broker. (Business owners: Get cybersecurity insurance if you don’t already have it!)
Cybersecurity insurance is an affordable solution that can save you thousands in ransom charges and reputation damages. NetDiligence, a cyber risk assessment and data breach services company, estimates that only 20-25 percent of businesses have cyber liability insurance. If an incident occurs, always contact your insurance representative first.
2. Isolate and stop the attack.
After alerting your insurance company, it’s time to play defense. To prevent a cyberattack from escalating into a data breach, find out how the attack is happening. Once you know the methods a hacker used to gain access to your system, you can close off entry channels. Note that you do not want to pay a ransom, especially if you are a school tech team. According to cybersecurity provider Paranet Solutions, paying a ransom is only a short-term solution, leaving your business vulnerable to future break-in attempts, as hackers know you’re willing to pay for your data.
3. Run an audit.
When your system is secure, you’ll want to assess any losses. It’s possible that while you were distracted closing one entry point, the hacker stole data from another. Conduct an audit of information and cross-compare with your latest system backup to see if anything else was taken.
4. Remediate the break.
Now that the hacker is out of the equation, it’s time to problem-solve. You’ve located an area of weakness the hacker was able to leverage, but are there others? What can you do to protect yourself in the near- and long-term future? Your system is vulnerable, so it’s important to act rapidly and be thorough in locating and resolving digital weak spots.
5. File the incident.
Under law, companies are required to report a system break-in to their customers if data has been compromised. However, if no data was risked, no action is required. This is different when handling data for European citizens because of the General Data Protection Regulation (GDPR). Under GDPR, vendors and companies are legally obligated to publicly report the incident if any European system or individual is involved, regardless of data status.
Side note: If you’re not sure if your business is GDPR compliant, check out ITP’s GDPR White Paper for a full breakdown. Here’s a fun fact – if you work with even a single European citizen, you must be compliant. This includes people with dual citizenship.
6. Inform the public. (If necessary.)
The final step is informing the public (if you’re required) of the breach. From a PR best practices perspective, you must have your talking points dialed in when you release this information. One slip of the tongue can cause a reputational downward spiral.
Per Hager, “getting out ahead of a crisis and being proactive in communications with people that might be impacted is important. Be straightforward and clear about what has been impacted and what hasn’t.”
We would absolutely agree with Hager’s call for transparency. There’s nothing worse than a cover-up, especially with student data involved. After resolving an incident, the work isn’t done, especially if a public announcement was made. While the story plays out, actively listen to the news and voices in your industry. If you see negative coverage, jump in to correct the narrative.
CYBERSECURITY TOOLS FOR EDUCATION BUSINESSES
Ultimately, acquiring and maintaining a proactive cybersecurity culture doesn’t happen overnight. Our experts from Gillware and ITP provided some of their most helpful programs and plug-ins to help spur your protocol into action. Share these tools with your team, and watch safe daily habits blossom.
- KnowBe4: Provides security awareness training to help manage the IT security problems of social engineering, spear phishing and ransomware attacks.
- Mimecast: Offers comprehensive email security via an integrated cloud platform, auto-checking all links. Even if your staff clicks a bad link, Mimecast is there to help keep your network safe.
- Have I Been Pwned: Website that allows Internet users to check whether their personal data has been compromised by data breaches.
Ultimately, your team and your data will never be 100 percent safe in today’s world of digital instability. With more hackers and breaches than ever before, the best way to handle an attack is to proactively prepare for it. Like a tornado, hurricane or earthquake, a hacker can strike at any time. Your team needs to be ready to respond if and when that happens.
About the Author
Lauren West is a Senior Account Executive at C. Blohm Associates, Inc. CB&A partners with companies worldwide to deliver integrated education marketing campaigns that work. As a senior account executive, Lauren leads client accounts and oversees marketing, PR, content and social campaigns, ensuring projects are on-time, on-budget and achieve maximum ROI.