Business & Technology
We recently sat down with Jeff Jennings, National SLED Practice Director at Fortinet, to discuss the major trends impacting K-12 and higher education institutions, and state and local governments. See what Jeff had to say about email as an entryway, E-rate, the move to the cloud, and more.
What would you say are the highest priorities for securing K-12?
By far the biggest issues for K-12 seem to be defense, cyber-infrastructure, and cybersecurity. Cybersecurity has risen from number ten on their priority list to number one.
For K-12, the Internet of Things (IoT) and one-to-one devices have created a situation that requires more than just perimeter security, which has been the status quo for the past ten or so years. Now, they have to be wary of everyone accessing the network, not just a designed few.
Anybody that has access to the network - students, administrators, etc. - can potentially (innocently or maliciously) be the gateway to cause a cyberattack. As a result, K-12 schools have had to rethink the entire cybersecurity process.
What are some of the main entryways being exploited in the education space to gain access to the network?
On the K-12 side, the most common entryway is email. Email is the access point for more than 95 percent of incidents. This is especially true for staff and administrators. The cyber hygiene and security practices of the staff are crucial, especially as threat actors are now mimicking the email addresses of superintendents and specific suppliers that serve the district to send seemingly harmless links. Furthermore, where there is a strong union presence, cybercriminals will send phishing emails as if from union leadership.
In higher ed., we are seeing a lot of the same issues around email, but also IoT. Everything that comes on campus has different requirements from the various departments, which creates a whole new set of problems in higher education that you do not see in the K-12 space.
What are schools doing to secure these entryways? Are there any efforts to offer education on cyber risks, investments in specific tools, etc.?
There are different levels that they must address. They are doing as much as they can with email filtering and secure email gateways. This helps, but the problem is that in 2015, secure email services and web hosting services became ineligible for E-rate. Schools know that they need to focus on email security, but now they have to do it out of their own pocket, which brings about many budgeting issues.
Instead of getting the best defense, in many cases, they are getting the best defense they can afford, which is not the same thing.
In higher education, there’s the potential for every student on campus to have 3-5 IoT devices. Therefore, being able to segment properly and secure these segments is a key focus.
This is where FortiGate and the Security Fabric can play a large role in addressing these higher education concerns with single-pane-of-glass visibility as well as the ability to segment and secure the network. For higher education, it’s a much larger, more complicated process than it is for K-12.
Funding and making the budget available is critical in both higher education and K-12. Their funding levels are fixed by July 1st, so they have to get the administration, beyond IT, the CTO, and the CISO, to understand the importance of network security, and how it affects each department of a school or university - as they are all network reliant.
Aside from funding, are there any other trends that stand out on the state and local side?
The state, local, and county government level is interesting, because they are transitioning to being more customer service driven. This requires them to put a much bigger stake in technology.
Beyond firewalls, we have seen this segment is very interested in SIEM and sandboxing to ensure they can secure their various processes as it heads to the cloud. For example, the HAVA security funding is being used at the state and local level to ensure security for voting.
As they move to the cloud, how can schools and state and local governments augment their cloud security?
Picking the proper cloud provider is very important here. This is where Fortinet has strength. We partner with AWS, for example, which is attracting users at the state and local level.
We are able to use our Security Fabric to secure the cloud and extend all the way to the end user device. With the addition of Bradford Networks, being able to control and load the end-user device, we have a solution that covers from the cloud to the service provider, through the data center, and all the way to the end user.