Your Weekly Tech Tidbit…Risky Business

September 25th, 2023
In August of 2021, CISA added "Single Factor Authentication" to its list of practices it considers "exceptionally risky" as it exposes you to an "unnecessary risk from threat actors".

Your district auditors and the NYS Comptroller’s Office technology auditors are most likely pestering you about your multi-factor authentication (MFA) strategies and beginning to ding you in their reports for not having a comprehensive plan.

If that wasn’t bad enough, in this round of Cyber insurance renewals many school districts have been beat up by their carriers for lack of a plan. Locally I have heard stories of districts being unable to qualify for meaningful insurance, unable to renew their existing insurance or even being renewed but for 90% less coverage. The costs of this insurance have risen dramatically as well.

2022 is a scarier world than 2021. Everything I see says that 2023 will be even more challenging to protect against Cyber-attacks and data breaches.

The bad guys aren’t bothering to encrypt all your data either. They exfiltrate all your meaningful data first. After they have your data, they encrypt just a bit of each file, which is just enough to hold you hostage. Partial encryption is much faster for them to do while avoiding detection. Or they now simply delete your data. You also need to be prepared for the reality that they are probably going to sell/post your data whether or not you pay the ransom, and whether they give you a copy of your data back or not. There was a recent case from Australia where the attackers started posting patient medical data, listing very sensitive data like all the patients under psychiatric care.

School Districts have already been sued by students and staff who have had their data published.

You need to get in front of this in a way that keeps you more secure, keeps the auditors happy, and keeps meaningful insurance intact.

Implementing MFA is one of the single most effective tools you have in your toolbox to defend against all of these bad actors.

A joint study by Google, New York University, and the University of California San Diego found that using MFA can block up to 100% of automated bots, 99% of bulk phishing attacks, and roughly 66% of targeted attacks. Microsoft and the FBI have said that approximately 99% of the attacks are thwarted by implementing MFA.

At this point, realistically every one of your users who has a phone is using some form of MFA for one or more items in their lives. My kids are always waiting for the code to appear on mom's phone to download their apps. This is no longer the hardship it was a few years ago.

When thinking about MFA, we have to break it into two categories:

Web MFA: You need to turn on MFA for every web page, cloud folder, server or system regardless of whether it is a discrete website, Google Apps for Education or Microsoft Office 365. Start with email and admin functions and Google Drive or OneDrive for Business Functions and continue from there.

Network MFA: You should have MFA on your VPN connections, your remote control sign-ins, your RDP access, your administrator IDs, your sensitive data users, and even your local workstation logons.

We are very high on Cisco DUO MFA. It is a robust solution that easily handles everything I described. Individual web pages may have their own MFA as well depending upon the vendor.

One really nice thing about Cisco DUO is that one user license can be used over and over for as many MFA scenarios as you need.

For instance, you can implement MFA as a requirement for all RDP connections. Then you can implement the same MFA for Google Apps or Office 365. Then you can implement the same MFA for VMware Horizon View and VPN connections. Then you can implement MFA to only prompt on any workstation or server's console login for any administrator type or sensitive data logins, but not for limited rights user logins.

That way you hold a higher standard for the users that expose the district to the most risk, and the masses don't have to be harassed or managed for this extra level of security.
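The tiered policy just described (MFA on every remote and web channel for everyone, MFA on console logons only for administrator and sensitive-data accounts) can be written down as a rule and then checked against your own logon records. The following is an added example, not code from the newsletter or from Cisco Duo: the channel names, group names and log line format are assumptions chosen for illustration. It encodes the rule and then scans a handful of constructed logon events to report where a prompt was required but never completed, which is the kind of evidence an auditor or insurance carrier will ask for.

```python
from __future__ import annotations
from dataclasses import dataclass

# Channels the article says must always sit behind MFA, whoever logs in.
# These labels are this example's own, not Duo or vendor terminology.
REMOTE_CHANNELS = {"web", "rdp", "vpn", "remote_control", "horizon"}

# Assumed directory group names that mark an account as an administrator
# or a sensitive-data user. Substitute your district's real group names.
HIGH_RISK_GROUPS = {"domain-admins", "server-admins", "student-data", "hr", "business-office"}


def mfa_required(channel: str, groups: set) -> bool:
    """Return True when the tiered policy demands an MFA prompt.

    1. Any remote or web channel always requires MFA.
    2. A local console logon requires MFA only for high-risk accounts.
    3. A limited-rights user at a console is left unprompted.
    """
    if channel in REMOTE_CHANNELS:
        return True
    if channel == "console":
        return bool(groups & HIGH_RISK_GROUPS)
    raise ValueError(f"unknown channel: {channel}")


@dataclass
class LogonEvent:
    user: str
    channel: str
    groups: set
    mfa_completed: bool


def parse_event(line: str) -> LogonEvent:
    """Parse one constructed log line shaped like
    'user=<name> channel=<chan> groups=<a,b> mfa=<yes|no>'."""
    fields = dict(token.split("=", 1) for token in line.split())
    groups = {g for g in fields.get("groups", "").split(",") if g}
    return LogonEvent(fields["user"], fields["channel"], groups, fields["mfa"] == "yes")


def find_policy_gaps(lines) -> list:
    """Return (user, channel) pairs where MFA was required but not completed."""
    gaps = []
    for line in lines:
        ev = parse_event(line)
        if mfa_required(ev.channel, ev.groups) and not ev.mfa_completed:
            gaps.append((ev.user, ev.channel))
    return gaps


# Constructed sample events; not real district data.
SAMPLE_LOG = [
    "user=jdoe channel=console groups=staff mfa=no",              # limited user at a console: allowed
    "user=admin1 channel=console groups=domain-admins mfa=no",    # admin at a console: gap
    "user=jdoe channel=rdp groups=staff mfa=no",                  # RDP without MFA: gap
    "user=jdoe channel=web groups=staff mfa=yes",                 # web with MFA: fine
    "user=payroll channel=vpn groups=business-office mfa=yes",    # VPN with MFA: fine
    "user=teacher2 channel=horizon groups=staff mfa=no",          # Horizon without MFA: gap
]

if __name__ == "__main__":
    for user, channel in find_policy_gaps(SAMPLE_LOG):
        print(f"MFA required but not completed: {user} via {channel}")
```

Run it as-is to see the three gaps in the constructed sample; point `SAMPLE_LOG` at an export of your own logon records (in the same field layout) to get a district-wide list of accounts and channels that still need to be brought under the policy.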

It is time to get MFA done district-wide for anything you can MFA inside or outside the district.

If you have questions on how to implement this in your district, give us a call.

-Scott Quimby, CISSP