After the experience of remote teaching and learning during the pandemic, security employees taking stock realized that it had exposed many vulnerabilities in school districts’ security infrastructure. Remote instruction, which often requires more devices distributed among young students who are not known for carefully guarding their passwords, is an ongoing cybersecurity liability.
In today’s period of increased threat, school districts are looking for ways to bolster their defenses against ransomware, data breaches through school vendors or suppliers, and a host of other threat vectors. Strong, phishing-resistant multi-factor authentication (MFA) tools, which keep credentials from being stolen, go a long way in protecting schools from these ongoing threats. But how do you even get started with a roadmap for implementing MFA? Make sure you lay the groundwork by including these steps in your project:
1. Create a strategic plan and business justification for the extra cost of MFA rollouts
Public education employees understand that budgeting is a complicated and long-tail process, usually relying on school board approval. Ensure that a security upgrade’s cost will be well received by asking IT teams to first evaluate the risk profiles of all systems and applications. It’s not a small undertaking – but it will be worth it to elevate the importance of securing data to system owners and communicate the risks of not taking action quickly. Be inclusive in engaging stakeholders, from the frontline user to the superintendent of the entire district – early buy-in will lead to smoother budget approval.
2. Identify federal or state grants that can help fund the MFA rollout
There are many grant opportunities that touch on cybersecurity issues or education, but it may take some searching to find the one that applies specifically to your school’s situation. Most grant applications require that you demonstrate you are moving toward federal standards on phishing-resistant MFA, or at least have a plan for how to get there. Make sure you have documented your efforts fully and have a well-defined strategy before applying for federal or state grants.
3. Keep it simple, but robust. Pick products that leverage your current infrastructure and don’t confuse your users
The key goal for an upgrade is to unify your identity infrastructure, reducing the “attack surface” (ways the bad guys can get in).
But you also want your users to feel included and looked after in the upgrade process. Assess risks honestly – some of the legacy technologies your users might find easy and familiar, like older-model cell phones or text-based one-time-password (OTP) authentication, are too easily phished. A technology that uses FIDO-based credentials, such as the YubiKey from Yubico, is the best way to reduce phishing risks.
There’s a tendency in education to go for the “grand rollout” across an entire district because it may be tied to limited budgetary approval windows. Resist the temptation – if you start with one app to get more sophisticated power users on board, it may be easier to roll it out across the entire infrastructure in a phased plan over several years.
4. Communicate with stakeholders and make them feel heard
IT departments in schools often suffer from siloing, which ends up as a liability for MFA rollouts. Choosing the right technology and forming a strategic plan is only a start – without early and frequent communication with your end users, a successful rollout is in jeopardy. Pre-rollout meetings between the IT department, faculty reps (perhaps even union reps), administrators and communications departments can help manage expectations and signal what kind of changes teachers can expect. In those meetings you can explain functionality and business value, but leave time to describe how the day-to-day routine at schools will be changed for the better, too. Engaging as many stakeholders as possible can make the difference between a culture of resistance and one that accepts the security changes as a benefit.
If you keep these four steps in mind as you travel the road to an MFA upgrade, chances are good that you can protect your district and gain the trust of your stakeholders at the same time. In the meantime, you can stay updated on threats and technology trends by sharing information through MS-ISAC or other public reporting groups that provide valuable information.