Are your school district IoT devices secure?
The rise of mobile technologies and the Internet of Things (IoT) has had an enormous impact on K-12 schools, both inside and outside the classroom. Connected devices are seemingly everywhere, from interactive whiteboards to connected security cameras, from web-based systems managing equipment to IoT-enabled GPS tracking systems monitoring the location and movement of school buses.
Importantly, each one of those connected devices poses a security risk. And, once a single device’s vulnerabilities are exploited, the connectivity between devices allows malicious actors to move laterally through a school district’s devices, posing an imminent threat to safety and security.
This post provides some of the best practices to ensure the security of a school district’s IoT devices and infrastructure. But, to get to the best practices, let’s first start at the most logical point, and that’s at the beginning.
What is IoT?
The Internet of Things, as defined by Oracle, is the “network of physical objects—’things’—that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the internet.” SoftBank Group, an internet services company, predicts there will be over one trillion devices connected on the IoT by 2025, or about 100 devices per person.
So, the IoT is huge in scope, and that compounds a growing problem. Even as the IoT continues with exponential growth, thought leaders in the space, like Forrester, opine that most security teams have zero visibility into the tangled web of IoT devices.
The Growing Threat of IoT Security Vulnerabilities
A great many of the security risks with IoT devices are the result of manufacturers prioritizing time to market over more robust security features. Essentially, manufacturers are shipping devices with firmware and software that aren’t “fully baked.” Compounding the lack of accountability from some manufacturers, there’s also an overall lack of regulatory oversight that would require more robust security measures.
Unsecured IoT devices make ideal starting points for malicious hackers looking to enter a digital ecosystem. At many school districts, there’s a gap, and it needs to be addressed. As recently reported by Comparitech, a cybersecurity and online privacy product review website, global ransomware attacks against K-12 and higher education institutions—breaching over 6.7 million personal records—are estimated to have cost over $53 billion in downtime between 2018 and mid-September 2023.
To take full advantage of a school district’s IoT-driven network, IT teams should integrate the seven best practices outlined below.
7 Best Practices for Securing a School District’s IoT Infrastructure
1—Fully vet prospective vendors to ensure security prioritization
When making a short list of potential vendors, ensure security is a line item in your evaluation criteria. Those with weak security—poor reputations in the market—should be eliminated before they even make your short list.
Vendors with strong reputations in security will be more expensive. They should be; you get what you pay for (refer, again, to that $53 billion amount mentioned above). As the saying goes, “an ounce of prevention is worth a pound of cure.”
An important consideration, however, is the need to accommodate “bring your own device” (BYOD) initiatives in school districts. Because teachers, staff, and students will be using devices that might not be fully evaluated by the IT team, you can’t rely solely on fully vetting vendors.
2—Divide the network into subsegments
Network segmentation is a tactic where a school district logically divides its larger network into smaller, relatively self-sufficient sub-networks, each composed of related clusters of IoT devices and systems, that require minimal connectivity with one another. This tactic minimizes risk, and when vulnerabilities or imminent threats arise, your IT team can isolate any compromised sub-network so the rest of the network remains healthy and operational.
3—Encrypt network connections
Virtual private networks (VPNs) are a common method for school districts to securely connect staff, teachers, and students, particularly with remote, distance learning applications. VPNs, while a great starting point, do have some vulnerabilities. Because VPNs essentially extend a district’s network, if the remote user is on an insecure network—a student on an insecure home network, for example—there is greater potential for malicious attackers to create an opening they can leverage further.
There are alternatives to VPNs, and if your school district is large and complex, it might warrant a full evaluation of them.
4—Deploy endpoint security
For BYOD environments like school districts, endpoint security applies encryption to approved, personally owned devices that are connected to the district’s network, providing the IT team awareness of personal devices and any real-time threats they pose.
Endpoint security gives your IT team better visibility into the IoT-connected ecosystem and deploys additional security requirements among endpoint devices. As such, it is an ideal security layer for any large school district that networks many IoT devices.
5—Require rigorous and ongoing authentication by users
Passwords, of course, have been the de rigueur security protection since the very beginning. But simple passwords aren’t enough, and requiring frequent changes and complex passwords are relatively common approaches. Adding two-factor authentication—for instance, texting a code to users after they enter their passwords—strengthens security further.
Passwords, however, are only applicable to a network’s IoT devices in individual users’ hands. For automated processes with unmanned IoT devices, password requirements present significant bottlenecks.
6—Deploy monitoring systems
Monitoring systems allow school districts to oversee and protect their complex networks of IoT devices in both a centralized and strategic manner. Tracking device status, device health, and data flows empowers your IT team to identify irregularities and prevent unauthorized access. Moreover, these systems deliver automated alerts and notifications that help prevent and mitigate the damage of any attacks.
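The following Python example, added here and not taken from the original article or any vendor's product, ties practices 2 and 6 together: it maps devices to segments, audits flow records for traffic that crosses segments without an allow rule, and shows the policy left after a compromised segment is isolated. The subnets, segment names, ports, and flow records are constructed assumptions.

```python
import ipaddress

# Constructed segment plan (assumption): one subnet per device cluster.
SEGMENTS = {
    "cameras":     ipaddress.ip_network("10.20.1.0/24"),
    "whiteboards": ipaddress.ip_network("10.20.2.0/24"),
    "bus-gps":     ipaddress.ip_network("10.20.3.0/24"),
    "it-mgmt":     ipaddress.ip_network("10.20.250.0/24"),
}

ALLOWED = {  # permitted cross-segment flows: (source, destination, dst port)
    ("it-mgmt", "cameras", 443),
    ("it-mgmt", "whiteboards", 443),
    ("bus-gps", "it-mgmt", 8883),
}

def segment_of(ip):
    """Return the segment name holding ip, or None for unknown devices."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def audit_flows(flows, allowed=ALLOWED):
    """Return flows that cross segments without an allow rule."""
    findings = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if s is None or d is None:
            findings.append((src, dst, port, "unknown device"))
        elif s != d and (s, d, port) not in allowed:
            findings.append((src, dst, port, f"{s} -> {d} not allowed"))
    return findings

def isolate(segment, allowed=ALLOWED):
    """Policy with every rule touching a compromised segment removed."""
    return {r for r in allowed if segment not in (r[0], r[1])}

# Constructed flow records, e.g. exported from a switch or firewall log.
FLOWS = [
    ("10.20.250.5", "10.20.1.14", 443),   # management to camera: allowed
    ("10.20.1.14", "10.20.2.30", 23),     # camera to whiteboard: no rule
    ("10.20.3.7", "10.20.250.5", 8883),   # bus GPS telemetry: allowed
    ("192.168.50.9", "10.20.1.14", 554),  # source not in any segment
]

if __name__ == "__main__":
    print(*audit_flows(FLOWS), sep="\n")
```

Passing `isolate("cameras")` as the `allowed` argument to `audit_flows` re-audits the same flows against the tightened policy, so traffic still reaching the isolated segment shows up as a finding.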
7—Facilitate ongoing training of district staff
Within the school district, only the IT team can be counted on to be security experts. However, the non-experts, staff and teachers, have a tremendous impact on a district’s vulnerability. As such, extensive training is a “no brainer.” Continued, ongoing training should be created and delivered to train district personnel on how to identify imminent threats and limit risk exposure on devices.
Connected devices positively impact a school district’s ability to fulfill its mission both more effectively and efficiently. However, they also provide nefarious, malicious actors a potential entry point into the entire network. Those risks require district IT teams to institute comprehensive security measures.
At the same time, district IT leaders must ensure their security protocols do not limit the effectiveness of what their IoT networks are designed to achieve. Examine the best practices above and determine which combination of them provides the best synergistic value to your district and its stakeholders.