Navigant's Cyber Risk and Information Security PracticeLearn More


Most Common Findings in Independent School Security Assessments27 June 2017

Academia, Employee Training, Policy Development, Risk Management

The independent school community faces a unique set of challenges when securing their sensitive data, with students, parents, facility, and administrators traversing the network from a variety of different platforms each day. COMPASS has had the pleasure of working with independent schools across the country over the past few years. Most of these engagements begin with an assessment across the Three Pillars of Cyber Security, People, Policies, and Technology. While each school environment is unique, there are many similarities in the findings from these assessments.

  1. Little to No Documented Policies and Procedures

Many of our independent school clients have been in business for 50-100 years. As a result, many policies on device use, data storage, password management, and even physical security are often assumed and not formally documented or acknowledged. It’s important that organizations work to document and communicate to employees and students,the procedures and policies related to the use of school owned data and devices, leaving no room for assumptions that could lead to data exposure. While COMPASS’s database includes 37 policies, the top 5 we recommend for independent schools are:

  • Acceptable Use of Assets
  • Password Management
  • Electronic Mail Security
  • Information Exchange
  • Social Networking Acceptable Use
  1. Employees Lack Security Training

Independent school networks host a variety of different users from a wide span of technical backgrounds. We often find that there’s a lack of training on cyber security threats and that users do not have the guidance needed to protect their school from common threats like ransomware, phishing, vishing (voice phishing), etc. When conducting mock-phishing exercises, COMPASS observes an average of a 23-25% click rate. It only takes 1 click on a malicious link or attachment to potentially compromise an entire network, so educating users on How to Detect Phishing Emails is key to safeguarding your school’s data.

  1. Lack of Patch Management

From a technical standpoint, our most common assessment focuses on scanning each device on the school’s network to enumerate vulnerabilities. What’s often found is that most of the identified vulnerabilities are a result of inconsistent patch management. Each operating system, software, application, etc. is constantly being updated to provide new features as well as added security measures to the end user. It’s difficult for schools to keep up with these updates unless they have a patch management plan that is frequently implemented. The most common vulnerability found in school assessments was identified back in 1999 and is related to a Linux machine. These types of weaknesses can be easily addressed by routinely applying patch updates and ensuring that all school devices are included in your plan.

IT Departments within independent schools are often spread thin with minimal resources for staffing. The primary focus is always to keep devices connected and functional to ensure that students are provided with the resources needed to further their education. Cyber Security is not just the responsibility of the IT department, but of the entire organization. There are cost effective ways for schools to identify and address their network vulnerability. For more information on common threats to the independent school community and how to strengthen your security posture, download our white paper, WHY K-12 EDUCATION INSTITUTIONS ARE PRIME TARGETS FOR HACKERS.

Work With Us Learn How