Cybersecurity in Education
On this episode of IAM Pulse, we are joined by Michael Sampson, Senior Analyst at Osterman Research, discussing the whitepaper he produced with a sponsorship from BIO-key called Cybersecurity in Education. We talk about why the education sector is under a plethora of cyber attacks targeting it and the cybersecurity solutions that should be considered to prevent them.
Transcript:
William Papa
You're listening to IAM Pulse, a podcast discussing all things identity access management, from defending against cyber attacks to enhancing our overall cybersecurity strategy. This podcast is brought to you by BIO-key International, an innovative provider of flexible, secure access management and biometric identity solutions. We're sitting down to talk about the impact identity access management makes on you and your business.
Kim Johnson
Hello everyone. I'm Kim Johnson, VP of product marketing at BIO-key International, and welcome to IAM Pulse, a podcast dedicated to discussing IAM topics. Today we're talking about cybersecurity in education: how this sector in particular is under siege with a plethora of cyber attacks targeting it, and the cybersecurity solutions that should be considered to prevent them. On today's episode, I'm joined by Michael Sampson, senior analyst at Osterman Research, who conducted the research and authored the new white paper, Cybersecurity in Education. Hi, Michael, and thanks for joining me today.
Michael Sampson
Hey Kim, it's great to be here.
Kim Johnson
Great. And, uh, Michael, before we go into the content, um, let's just provide a brief introduction. Tell us a little bit about the research you conducted and some of the approach that you took to write the white paper.
Michael Sampson
Sure. So I'm the senior analyst at Osterman Research. It's a role that I've been in formally since the 1st of January of this year. I have been working with Mike Osterman writing up research. Uh, I looked it up yesterday: since, uh, early 2009. The first piece of work that I did with him was on unified communications market pairings, 2009 to 2012. So that was a while ago and quite a different topic, obviously, for this paper in research on cybersecurity and education. Osterman Research in general does two types of research programs. One is a white paper that writes up a survey and the other is a white paper that tackles a topical area. And this was the second of those types. So there was no survey, and thus it was in-depth secondary research to try and figure out what was going on. What are the problems that educational institutions are facing in terms of cybersecurity?
Michael Sampson
What are the trends that we can see from year to year? And then looking at that secondary data and the way that we process it and work through it and think about it, to look at what would be needed in the sector to try and resolve those issues. And as you've seen in the white paper, there are over 60 footnotes in that, so the white paper itself is a standalone publication that people can work through, but we've also provided a baseline and a set of resources that others can use to then go and read, look at the issues for themselves and draw their own conclusions.
Kim Johnson
Yeah, that's great. And I was amazed by the number of just even attacks, right? The actual cyber attacks that you referenced, you probably could have filled a whole white paper full of the bullet points for those. Um, and that's, that's one of the questions I had: what were some of those characteristics that, you know, made the education sector stand out specifically, and that you think are contributing to maybe it being a target for cyber attacks? In other words, why education and why now?
Michael Sampson
Sure. And in a standard survey questionnaire, and I had to look this up and count them yesterday, and obviously we didn't do a survey questionnaire for this research, but we have 17 industry types plus another category when we're doing a survey and using that question. And it's always interesting when an industry makes the top three or top five of attacked industries in the research that we look at or conduct. And then we started to see education coming up in that list as being something that, or an industry that was frequently under attack. Uh, one of the research studies that we quoted in the paper said that in 2018 education was dead last out of 17 industries for cybersecurity readiness. And, you know, it's a fairly significant place that you don't really want to end up being. In terms of why and why now: Osterman Research does industry status reports on healthcare and government. We had healthcare in 2017 and also again in 2020, we did a government scan in 2019. And then actually, we also did a financial services one in 2020, and I've been wanting to do one on the education market for a while. Uh, but 2021 was the right time to tackle that topic.
Kim Johnson
Um, so some of the trends that we've even seen, right, are fueled by the pandemic, um, but just the dynamics of the environment. So things like shifting to online working, um, the remote access kind of challenges that people are having for students and faculty. What were some of those other aspects that you found once you dug into the research that did make it a prime target for those cyber attacks?
Michael Sampson
One of the things that we saw when we did the health care industry study was there was the sense of "they'd never attack us. We're a, we're a hospital. You know, we focused on the public good." That, that never some we asked systems, wow, they didn't have a lot of luck with it. And I guess the same kind of viewpoint is at play in education, you know, well that lead our children out of this, you know, they'd never attack our children. But the fact is that there are some dynamics in the education sector that make it a great, you know, from a cybercriminal's perspective, a great target archives. You have school districts in your country that have the permission and the authorization to act locally: What are the systems that we should put in place? How do we set up and configure the online learning platforms or the school administration systems that we're going to run with the resources and the people that we have?
Michael Sampson
But with that permission of local action comes the responsibility of ensuring that there are appropriate security protections in place. And we found that the right way of saying this in terms of the education sector was that there was a systematic underinvestment despite the growing reliance on technology, a consistent underinvestment in cybersecurity protections around, around, um, around the education sector. And when you add to that the global shortage of cybersecurity staff, uh, which is another topic that we looked at in 2020 at Osterman Research, fairly clearly the education market is not going to pay the highest salaries to anyone who is really good in cybersecurity. It's going to be a financial services organization, or maybe even the military, that wins people with those really good skills. And so the education market one is underprepared, but two is also under-resourced from a people point of view.
Kim Johnson
Yeah. And we've seen that in just our customers, right. We have a lot of education customers that we serve around even the globe, a lot, and obviously North America. Um, and there was a huge push to bring in cloud services and modernize technology, but the cybersecurity is a little bit of an afterthought and understaffed, right, in order to be able to handle it. So we saw a lot of, you know, colleges saying, all right, we're going to go deploy, uh, G Suite for all of our students, right, the modern way to do, you know, interactive online learning and everything else. And what ended up happening is now it's like, oh my goodness, how do we do student multi-factor authentication? Right. Like how do we secure access to G Suite? Versus before we go unleash it, how do we actually, uh, secure it? And, and we've seen that happen. Um, what
Michael Sampson
I, I don't, I don't, I don't have the data point right at my fingers, but one of the research institutes in your country said that there was a very high proportion of K-12 institutions that did not have dedicated cybersecurity personnel on staff. So there was no one dedicated to this issue. It was a part-time, maybe if I think about it, maybe if I've got time, I'll deal with it, as opposed to being a key responsibility. And yet you've got, and you've got institutions that are dealing with hundreds or thousands of teachers and faculty and thousands or tens of thousands, and in some cases hundreds of thousands, of students, and yet there's a systematic lack of people who have those skills and mindset.
Kim Johnson
Right. And that's the amazing thing that surprises me about education. I think you made a great point where, you know, they're a little bit more, "it may not happen to me," or "I'm not really a target, I don't have financial information." They're actually one of the industries that's kind of an industry of industries, right? Like they have healthcare implications, they have financial aid implications, they have HR implications, right. They have sensitive personally identifiable information and it's all there and required. So I know, you know, there are universities that have HIPAA requirements just as much as they have to comply with federal privacy regulations. So, um, it is an industry that's been a prime target. And I think where we've seen remote and, and other access points being expanded in the pandemic, that's happened in education as well. Um,
Michael Sampson
Yes. And you use the term industry of industries, and I think that's a good way of describing it because you go from preschool and K-12 through to academic institutions where people go and do their life's work and government and military organizations provide funding for top secret research that's being done. And so there's this complete continuum from K-12 and earlier through to academic and, you know, basically for some, we die out of the institution, you know, we stay here for our entire lives. So, yeah, it's interesting.
Kim Johnson
Yep. And then, um, how about, I know during the drafting and writing of the paper, um, it came up quite a bit on cybersecurity awareness. And so what did you see from like the user population side and the level of awareness that maybe they have, or don't have, um, in the education sector?
Michael Sampson
Well, there were, there were some studies that we found that said there was quite a low level of cybersecurity awareness. It was a research study done out of Mississippi where one of the school districts ran a simulated phishing example within the, uh, uh, or instance within the school. And then they tracked the results of that. They found that 83% of the targeted teachers opened the message, 48% clicked the link and 20% entered their credentials. And those numbers sound pretty high to me. It would seem as though there was a, a lack of understanding of the red flags that would be present in a phishing message. And the research study, the people who wrote it up said, you know, we included some very deliberate red flags. And, um, there was another example that isn't in this paper, but one of my friends here in New Zealand is in a senior leadership role in, in her school.
Michael Sampson
And she knew nothing about the [inaudible] if a scam, because she said to me, at the end of one day, when I met her at a, at a different Mason, "Oh, we had this issue at school today where I got this email, I think it was from the new principal, asking that I give them some iTunes gift cards really quickly because he needed them. And he was in a meeting and he couldn't do it himself. And I kept getting these prompts: Can you help me? Can you help me on this?" But their awareness, and her as a senior leader with the authorization to go and buy those things, was not something that they've talked about or taught at the school. And so she was vulnerable. The people that she talked to at the school were vulnerable.
Michael Sampson
And if you then expand that across the entire industry, we have, we have a bit of a serious issue. Um, then there are some other examples of things like teachers preferring free or low-cost apps, and while free is a good price point initially, there are longer-term consequences if they are malicious apps or apps that, uh, have vulnerabilities in them. Then we saw very early in the pandemic this idea of Zoom bombing, where particularly in the education sector classes were moved online, but there were no passwords set on those sessions. And so anyone could join. There was even another example that I came across. I think it was in August of last year when we, one of the schools, school districts in, um, in your country. And sorry, I keep saying your country because I'm based in New Zealand, not in another,
Kim Johnson
We didn't say that at the beginning, did we?
Michael Sampson
Uh, in, in your country ran a community learning event by Zoom and deliberately included no password in order to make it openly available, so anyone could come. But unfortunately they received some comments and messages in that forum that were not helpful. And so that entire event had to be canceled. So there's this dilemma of wanting to provide a public good, to provide teaching and learning opportunities to children, and using applications and approaches that have some fairly big weaknesses. And then because of lack of understanding,
Kim Johnson
Right. And in, like, finance, that's where we see the chief information security officer step in, or the, you know, the IT security ops team, uh, stepping in. And so if that's not there, and in fact, like even seeing IT teams' staffing cut and just basic, you know, IT functions, um, you know, you really have kind of that perfect storm we talked about as to like why there's more attacks and what the issues are that, that's coming after this industry. Um,
Michael Sampson
Yes, a perfect storm is a really good way of describing it. If you have unpreparedness and huge opportunity to create disruption and great ease of making an attack, you know, from a cyber criminal's point of view, why would you not? Right.
Kim Johnson
Right. And I had a student, uh, or like, uh, uh, I went out for dinner with my friends and they're all moms. Right. And they all have kind of these use cases and scenarios. And they're like, you know, my kid has a Chromebook, I don't understand the issue. And then to explain to them that everything's an attack point and, you know, they think I'm a conspiracy theorist in some respects, but it's true. I think that, yeah, there's that lack of understanding that if it's connected and it's online, it has the potential to be, uh, an attack vector. Um, and we're seeing that more and more just in how people think of cyber, but yeah, I don't think parents and their children necessarily have gotten to that point where we're not, you know, we're not as aware as we should be of those challenges. So, yeah.
Michael Sampson
Funny, one of the, one of the comments I made in the white paper was to the effect that we are entrusting the cybersecurity protections of our school districts to people who are still learning to read and write. And how you explain multifactor authentication to a six-year-old or a seven-year-old and why it's important, that's a pretty hard task. That's a, it's a hard thing to do, right? So we have to have things built in from the ground, from the ground level, from the heart we labeled, from the approaches, they were from the systems level, that are able to mitigate some of those challenges of dealing with very young people.
Kim Johnson
And I think we talked about it too, um, and we'll talk about it a little bit later too, is that the convenience factor, right. We see that all the time. And that was one of my big kind of aspects of this paper, was that as much as you want to put in more security controls for people like that, especially people that don't understand why it's being enforced in the first place, if it doesn't come with something easy to do, or an easy approach, um, convenience as we call it, then it's, it's essentially going to fail, right. We've seen passwords shared and transmitted and, you know, written down for decades. Um, and so as soon as you start doing those things without giving any explanation or alternatives, uh, it can go, it can go awry, so to speak.
Michael Sampson
Yes. I've just moved from a MacBook Pro with a fingerprint reader on it to a Mac mini without one. And I'm missing that little fingerprint reader for doing some of the things. I really thought about that when I bought the Mac mini. Um, but yeah, th- th- that decrease in convenience means that I now have to type my password more often than I used to have to do it. Um, which maybe isn't a problem to me, but I notice the lack of that.
Kim Johnson
Yeah. And that's, that's probably, you know, in my book, threat number one is us, you know, people are always, um, and some of the research too, um, you know, not to go through, like I said, I think there's pages you could have included of all the attacks we've been seeing. I continually see them, but what are some of those kind of highlights or things that you think, statistics-wise, really stood out, uh, either the type of attack, a specific attack that you, you documented, or just kind of percentage increases on some of these things?
Michael Sampson
There are a whole lot of numbers in the paper. Um, I mean, some of the case studies, maybe if I start with a couple of case studies, um, I mean, we came across instances of, of school districts. I mean, there was one called Scott County schools that lost $3.7 million in a business email compromise attack a couple of years ago when they, the vendor was compromised and an email was sent through saying, please make payment through to us in this, in this different account. It was either that, or someone just made up an email address and pretended to be that vendor. But somehow they were able to divert 3.7 million, which is a fair whack of cash for a school district. And it only came to light a couple of weeks later when the real vendor said, Hey, where's our money. And, you know, when you're, when you're waiting for 3.7, you know, that would be a fair question to ask.
Michael Sampson
Um, we saw things like ransomware attacks increasing, or doubling, from 2019 to 2020. We saw the increase in the average ransom requests or payments going up to something like, uh, 450,000 American, uh, which again is a very significant number for a school district to have to suddenly find. One of the ones that really interested me was the Microsoft numbers from both the middle of last year and then again in February of this year, where they're looking at the malware attempts against Microsoft 365. They found that just over 60% in both of those months were against education institutions. And those are big numbers to try and deal with. And of course, when you've got thousands of schools and institutions and school districts across your country, and even across my country here, that attack surface is very broad and wide. And, and everyone is under, um, is under threat.
Michael Sampson
Uh, it's, it's not a statistic, but one of the attacks I came across that just seemed plain mean and unfair was the ransoming of the bus scheduling system for one of the public school districts, and the inability to then bring thousands of children to school and then let them get home again in a safe way. There's no wonder that a school district has to be able to suddenly respond to that if, if that happens. And so there's, you know, this idea of education being a sector that is ripe for causing massive disruption, and that, that's a prime example of, how are we going to get 10,000 students home because we can't tell our bus company how to do that? What do we do? I mean, it's a little bit different too. They've ransomed their online learning platform, that's annoying, but when you've got thousands or tens of thousands of students at school who now kind of get on that, that's a real problem.
Kim Johnson
Yeah. And that, it's, there's two subjects in there that I, um, have researched in my past. And I've been pretty involved in third-party risk, which you mentioned with the supplier that you go and pay that either is a fake supplier, um, or your supplier actually causes a breach, right? Where the vendor of your school is the one that actually had the incident and therefore gains access to systems. And we're seeing that in every industry, because outsourcing is happening in every industry. Um, and so I think that's just fascinating in the sense that we always said, like, you're only as secure as your weakest link. And, you know, to think that things aren't outsourced nowadays is, is pretty crazy. Most businesses are outsourcing, um, to a wide number, if not hundreds, of vendors, uh, to support their business. So I would assume education is the same, and hearing something like that, even from being, you know, kind of tricked to think it's one of your vendors, means you have an agreement with a $3.7 million vendor, and they're probably buying something pretty, you know, uh, important to your business.
Kim Johnson
Um, and then the other thing you hit on with the school buses, you know, the, the future that we see in terms of attacks and, and what these, you know, cyber criminals, so to speak, are trying to do is, like you said, massive disruption. They're trying to, to get, you know, money and assets, but it's also sometimes just for the pure fact of being able to take out the electricity, right, to see if that's, you know, disruptive enough, or impacting our kids' transportation. And so for every organization and every school and institution, I would say, should do an inventory of what's critical to your school, what, what's critical to have your school running. Is it G Suite, or is it, like you said, the bus systems, is it, you know, other, other systems that are out there that are absolutely critical? So those are both great examples of,
Michael Sampson
Yeah. It's not an education sector specific example, but there've been a couple of instances, one in your country and one, one in the Middle East, where water supplies have been compromised or almost compromised with increased levels of acidity, which would cause massive disruption and a wave of sickness across a local area. And you know, we didn't dive into cyber-physical compromise within this research, but the bus scheduling system, I guess, is an example of that. But yes, you're right. Electricity grid, um, water supply, um, even if we move to a future of autonomous vehicles, I mean, that, that also is going to be a problem. Let's cause massive disruption by now getting all of these cars to stop in the middle of the highway and not move.
Kim Johnson
Yeah. And that's, um, you know, not to go too far off subject, but that was how, uh, even back when with Russia versus Ukraine, that's how they systematically took down a lot of the Ukrainian systems. They went after their treasury the day of tax returns. Right. So there's, there's a massive way to do it, um, in, in terms of just disruption. And now that we're all online, you know, our kids apply online, our students, our faculty, faculty, teachers, everybody, the disruption factor goes up, um, in terms of that.
Michael Sampson
Yeah. And one of the examples that was repeated several times, that's in this research, is the timing of ransomware events that are timed to cause massive disruption. You know, the day before school is due to start for the year, your school district gets encrypted. Or there was an example we, uh, the day before Thanksgiving weekend, where everyone is, you know, in normal times, when everyone is ready to get on a plane and go and spend the weekend with their family, you know, the school district is compromised and you have IT staff that are already stressed and at breaking point who are now asked to stay over Thanksgiving and work, co- you know, work to bring about a, a resolution to this. That, that's not a recipe for a happy set of campus, really.
Kim Johnson
Right, right. And actually that's another good point. Right. So the, uh, the other thing we've seen is the transition to cloud. So cloud services are great, the rapid adoption, although cybersecurity needs to be thought of. Also, keeping things on premise has problems for a lot of our colleges and other customers, where they might keep something like their authentication server or a security solution on prem, they're managing it. And when the power goes out, when there's a fiber cut and, you know, it's offline, et cetera, if that happens during peak times, you're driving into the office. If you're working remote, you're going in. You know, there's a lot of, um, overhead on the IT to be able to manage that and, and ma- and handle it. And also if a ransomware attack happens, it's going to continue to go laterally and move across the institution just because there's no,
Michael Sampson
You click the button. So I think we're going to have to start that part again. You cut out on this connection, I'm sure you said something fabulous. I'm sure I did. You were saying something about cloud services.
Kim Johnson
Oh yeah. Um, so we've also seen the move to that same issue in cloud services versus on-prem. Um, so, you know, one of the things you said was that they have to go in, or it's peak times, or it's a burden on IT. And that's the other thing education struggled in a little bit, is keeping things on premise, on server. And so if it gets offline, if it gets power outages, right, that lean IT team has to go in and manage it. Um, so it causes a lot of overhead and a lot of issues for them also, similar to what I would assume is massive disruption of those attacks. Right. They encrypt everything, including your security systems.
Michael Sampson
Yes.
Kim Johnson
Um, and then, so I know some of the other attacks I thought were pretty interesting. There was, like, multi-factor authentication-resistant phishing. Um, you know, we've seen now, I think you actually sent me the article, which is fantastic, about, um, hackers going after our authentication methods. Right. So even if you put in multi-factor, or even if you put in a type of authentication, uh, they're now going after those methods. So $16, right, was for the SMS, um, text messaging takeover. Uh, we also see, my favorite example is that if you email a code to somebody, but the phishing scam has worked, you're now emailing the bad guy. Right. Um, there's a lot of things I saw that I thought were interesting and kind of, you could expect that to happen, but it's hard to prevent them, I think, is, is what I've seen throughout the paper.
Michael Sampson
Yeah. I mean, one of the comments that we, that we as Osterman Research have made for several years is that multifactor authentication is on a good, better, best continuum. And while having an SMS code is better than not having anything at all, or an email prompt is better than not having anything at all, those are the weakest forms, and it's good, but yeah, there's better and, and best options that you could be going through. And the SIM card hijacking attack, where someone calls up the call center and says, "I lost my phone. Can you reissue my SIM card?" I mean, we've seen that one enough times to know that that's a problem. Or the one that has just recently hit the news is the ability, although I think they've closed this attack at this point, where someone was able to pay $16 and redirect or re-transfer someone's text messages to their own device without their knowledge of that at all.
Michael Sampson
Uh, and I agree with you about the code by email. It just seems like the, almost the worst possible way of doing it, particularly if that person has then used their email address for their Amazon, um, account and their, you know, accounts at all these other places, that we can then start compromising all of these other things. Um, and while we didn't, well, I didn't come across specific examples in the education sector of where those, those forms of multifactor authentication had been compromised specifically in education, there's enough examples out there in the general market where I would avoid SMS, I would avoid email, uh, the authenticator apps maybe, but there have been examples where those too have been compromised in specific targeted examples. The strongest forms of identity and authentication that we can use, uh, are the better ones to go for. And if we're taking a group of people that have had no multifactor authentication and we're training and introducing them to that, I think it's better to start with the stronger ones that offer the strongest form of, um, of security as, as we could possibly do. You guys, you guys have a story in that situation, don't you?
Kim Johnson
Yeah, yeah, for sure. And I think that's where, um, you know, I've been at this talking about security and usability balancing, or security and convenience balancing, I think now it's called, like, um, empathy, digital empathy or something. Um, and so, yeah, it is a mix of having flexible options, right, but that the user can control, right? So if a, if a student forgets their hardware token, right, if that's something that you gave them, their mobile phone doesn't work that day, what's their alternative, right? And making sure that your policies and everything else have an alternative. Um, and then in terms of stronger authentication, there are methods that are a lot easier. Um, and so biometrics is obviously one that we do support and provide and pitch as the most secure and convenient method out there. And studies are, are starting to show it as widely adopted and starting to meet those needs.
Kim Johnson
I think you mentioned a great example before, right? Where, what was it, your Mac Pro or MacBook Pro maybe had the fingerprint reader and now it doesn't. Um, and if you're to it, if there are people that don't have it yet, it is a very secure and convenient method. You have nothing to carry. You have nothing to remember. You can do it with passwordless, right. So you get rid of that secret you have to remember all the time, um, and can simply authenticate via something that you are. Um, I think biometrics, you know, from history has some things to it that people are still thinking about: is it private, right? Is it, um, can someone steal my fingerprint? All those things that are mentioned, but we've now gotten to a point where it's on devices we use and love and know. And so it's a great option and a great alternative for, um, students, faculty, and others. So we do see, at least in higher ed, the, the faculty and staff multifactor is easier to solve, as always, right, like issuing something to, uh, somebody that's part of your organization is pretty easy. Telling students what they should use gets a little bit more complicated, but it is absolutely doable with the mobile biometrics and other technology that exists. So
Michael Sampson
He's got a, a more expensive class of Android device, or a later model of an iPhone, is already going to be used to a fingerprint reader or a facial scan as a way of getting into those devices. And therefore the idea of biometrics as a way of doing things is, is, um, spreading across groups of people, um, just because technology in general is moving forward. And, you know, you've got the, the Apples and the Googles of the world saying, how do we make this so incredibly simple? I mean, I should be looking at my device in order to read it. Therefore, why can't I just read, read that person's face? But your, your point about theft of, uh, a facial scan or theft of a fingerprint, those, those, uh, those are issues and concerns which need to, one, be studied, and I'm sure there are good answers to those things, but also to be talked about in security awareness training so that people understand where that fingerprint is actually stored and what's involved in compromising it, and so on. I mean, it's a bit more obvious if someone walks around with a finger around their, you know, on a chain around the neck, "I borrowed this one." Um,
Kim Johnson
Movies haven't done us any justice, right? The movie has, unfortunately. One of my favorite movies, Demolition Man. I mentioned it and everything. And it's interesting, because until working at BIO-key and having more of the biometric approach central to our offerings, it took me a minute to get over that, to be honest, right? Well, you know, that's the common objection: someone steals a fingerprint. And the part that most people are missing, I will say, is you don't store your fingerprint. You store an encrypted hash algorithm of a fingerprint, first of all. And on top of that, you have to be present and place the finger on the scanner. It's not as easy as people think to just spoof or, you know, fake something like that. Whereas the interesting part is the convenience ones, the ones on our iPhone, the Touch ID, right, that everybody's in love with and that they know is a great convenience factor.
Kim Johnson
It actually isn't nearly as secure as true biometric MFA. And the reason being is you can go onto your phone and you enroll your own fingerprint. And you've now said, yes, I'm authorized on this phone with this fingerprint. The admin of the school, the guy that sets the security policy, wasn't the one that authorized it. It's not an authorized use of an enrolled fingerprint. So it doesn't sit centrally with a server; it sits locally within the phone. So what's stopping me from, let's say, having my kid or a friend or a family member, or the guy that I want doing my job, enroll their fingerprint on my phone? And then they're basically into the phone app too. So there are some interesting misconceptions and, you know, sides of biometrics I don't think everybody's explored yet. And to be honest, in the education space, it's just coming into conversations.
Kim Johnson
It's just starting to come out as security and convenience combined, and that you can also, you know, do that together. So there's a lot to it that, even for myself, in IAM for close to a decade now, if not over, I still learn something new, I think, about biometrics every day. So there's a lot there. And then I know, Michael, you brought up another good point, the security awareness training. So I think that actually is a huge part of it, right, in terms of educating people as to why, what's the purpose of this, why are they having to do it, because the user adoption side of it tends to be part of the issue with at least getting multi-factor, whatever method you choose, out there. So,
Michael Sampson
Yeah, I agree. It's pretty important. And there are some situations where I push the anti-convenience approach. You know, there are some systems where I force myself, and in previous lives where I've been in an IT security role, you know, I've said to people, you will authenticate with an MFA code using this approach every single time you access that system, no excuses. You know, you can't click that button that says, trust this device, or don't ask me again. You must do it every time, because it's that important that we get this right and secure. Yeah.
Kim Johnson
Yeah. And I think that's the balance, right? And I definitely push, you know, in our conversation and continue to, that I'm just a strong believer you can't do MFA or any of those methods unless you give them some convenience. There has to be a way to self-service their own accounts. Even if you don't want them to reset a password, at least let them unlock something if they can do it, or something like single sign-on. Right. We see that kind of MFA and single sign-on approach as the one-two punch for making sure that they only have to do that really strong authentication once and then are allowed into other applications. So we've seen that more and more in education. I'd say that actually is one of the top projects right now, figuring out MFA, right,
Kim Johnson
deploying it, but then also getting single sign-on into all their applications. So how do they get into their learning management system? How do they get into their, you know, business process system, and all from one login? So that's definitely been a pretty common question, especially with education systems not always cooperating with single sign-on, so it becomes an issue. Yeah. And so, Michael, we're going to wrap up for this episode, but any final thoughts or words of wisdom? I guess I'll throw them out there to the education folks, now that you've done such a deep dive on the cybersecurity state in education.
Michael Sampson
Yeah. Hey Kim, thanks for the opportunity to be here. I guess the final thing that I would say is one of the things that we recommend, and anyone in a role like ours recommends, is doing your own risk assessment for your organization. In a research paper of this nature, all we can do is give general advice and comments about general and broad trends, but we would love organizations in the education sector to take this paper and, either as a consulting engagement with the consulting groups that they work with, or an internal review if you have those people on staff, say, well, what are the risks that we face? What do our people face? What are the systems that we've got that are critical, like you and I talked about before? What are the needs and opportunities that we're going to have to deal with over the coming months and years? And then develop an approach for dealing with those things that's contextually relevant to that organization. And, you know, from my point of view, as the analyst that wrote this, if that's all an education institution does as a consequence of reading the report, then I think that's a huge win, because this has then been a pivot point for the institution to do something that is appropriate for themselves.
Kim Johnson
I think that's an excellent point. I couldn't agree with you more. I see a lot of it, actually, everywhere. It doesn't matter what industry, education or not: people starting to implement cybersecurity controls with no real policy definition or cyber risk assessment. And so how do you know what you're trying to mitigate? How do you know the controls that you're going to have in place, and the framework you're going to use to do those controls, before you end up with 10 different solutions or the technology that people are telling you you should have? So we see that a lot, just in general. In third-party risk, that's huge. You have to know the cyber risk of your vendors, for example. But yeah, I couldn't agree with you more: get a state of the situation before you go try and fix it.
Michael Sampson
Yeah. And, you know, if you read a paper like this and you go, oh, we have a bus scheduling system, I've never thought that could be ransomed. Well, that becomes something where you go, I learned something from this. I need to make sure that our risk assessment includes it, because actually that is pretty important to us. What has our third party been doing about this? What does that bus company do? What's their policy, what's their approach, what's their posture, and all of this, right?
Kim Johnson
Get your top-tier things down and start mitigating the risks that are created by them. I can't think of better advice, and hopefully we've inspired a few education institutions out there to take a second look at theirs, if they have one, or to start, like you said, engaging to understand and start doing the assessment. And Michael, that's actually all the time we have for now. I thank you again for joining me and providing the deeper dive into the research and the cybersecurity challenges you found that are plaguing the education sector. As mentioned, there are multiple solutions that we talked about that you should consider in terms of increasing security, making sure you're using some of those convenience factors. Although if Michael is your IT admin, maybe not: no trusting of the device to be allowed. But balancing,
Michael Sampson
In some situations, in some situations.
Kim Johnson
And really, you know, when we look at it from our perspective, the institutions that we work with, you need to look towards really a good combination of IAM solutions. Understand what type of features and functionality, what multifactor authentication methods you need; consider biometrics, single sign-on, and even self-service password reset, as well as setting up a good security awareness training program to protect your students, faculty, and staff. So anyway, that wraps up today's episode of IAM Pulse. Thank you for listening to the show. If you're interested in reading the white paper we've been talking about during this episode, please visit our resource center on BIO-key.com. That's BIO-key.com. You can join us next time to learn more about IAM and how to secure identity the way that you want. Talk to you soon.