The Emotional Toll of Data Security in the Business Office
by Mike Bianco, CISSP, Vice President of Data & Information Security
First, criminals are deliberately attacking a group of children. No two ways around that.
Then, the accusations fly at the folks in districts just doing their jobs (and who probably got their data snatched too).
Finally, the ripple effects of compromised data follow people (kids!) for the rest of their lives.
Emotions run high because schools care deeply about the welfare of students, but understaffed and underfunded IT teams struggle to keep up with the volume and intensity of criminal cyberattacks. After all, when your whole job is just to rip off information from unsuspecting schoolchildren, you’re always fresh as a daisy.
How can K12 business offices compete with that? Lean on the team of helpers you deserve (and pay for).
Your vendor is here to support you
Vendors should be involved not only in planning but also in the response if you have an incident. Your edtech vendors provide support for business continuity and disaster recovery.
Odds are, your system has more security features than you realize. Your support teams can help ensure you’re using every feature available to secure your data—and help you rest easy.
4 Essential Security Features for Your Business Office
Be proactive so your reactions can be swift
Here’s a way to shift your mindset: Think about logging in to your own bank account online. You’ll expect to receive a code to prove it’s really you asking to log in—that multifactor confirmation is essential for “the bank of your school” (your ERP) as well.
Any edtech vendor can advise security contacts of the features already available to protect the system from unauthorized access. Plus, other services will do the work of scanning your network from an external standpoint, looking for weaknesses before bad actors can exploit them. This process works both on premises and in the cloud, and the data discovered helps both the district and its vendors improve.
Many districts elect to move critical data to the cloud to protect super-sensitive student and financial records from falling into the clutches of criminals all over the world. Cloud hosting is more secure due to redundancy, encryption, 24/7 monitoring, advanced security measures, and regular updates—features not feasible with a limited budget and staffing for school districts.
Accept that you’re a target, and prepare accordingly
It's unfortunate to know that schools are considered a soft target for bad actors, but accepting this truth can empower your teams to prepare for if and when a data breach occurs. The days and weeks that follow are filled not only with the hard work of recovering data, getting systems back on track, and resuming business, but also with speculation and bad press. By accepting ahead of time that this may happen in your district, your communications can be confident, clear, and concise.
Business office staff are often targeted in phishing scams. A fraudulent link arrives in an email that uses specific, sophisticated social engineering designed to get users to click, which gives the sender access to the business officer’s inbox and email credentials. Keep in mind, this person was targeted specifically because of the level of access their credentials will allow an attacker to gain in a financial system. From there, a domino effect using updated credentials results in the attacker gaining access to sensitive systems and locking the employee out of the financial system. Business grinds to an expensive halt.
Most commonly, attackers will choose to infiltrate payroll systems and change ACH account information from correct employee accounts to their own, stealing folks’ paychecks. Districts find out when staff report not being paid. Nightmare fuel.
We’re all in this together
Turning the tides back to smooth, confident sailing for the business office looks like having frank and empowering conversations and training. It’s a great start to reach out to vendor teams and ensure you’re taking advantage of every security feature possible. In the previous business email compromise example, a rogue MFA alert may have tipped off a savvy business officer before an attacker could strip their original password and create their own.
A confident approach to cybersecurity is within reach. Let us know how we can help.

