TASB Risk Management Fund

Do Your Vendors’ Cybersecurity Practices Make the Grade?

April 19, 2021 Lucas Anderson


Many districts turn to outside vendors to assist with the complicated work of maintaining secure network operations. The decision could reflect a lack of expertise within the district IT staff. It might also be that a vendor offers a specialized software or technical solution the district needs. In some cases, an existing contract with an established vendor such as Microsoft or Cisco could obligate your district to work with another vendor.

While vendors can provide important benefits to districts, they can also compromise network security. In fact, the 2020 K-12 Cybersecurity Report found that the security practices of outside vendors and partners were responsible for 75 percent of staff and student data breaches. A vendor's mistake can also lead to malware infection, operational disruptions, and even school closures.

3 vendor vulnerabilities to watch for

Vendor-associated vulnerabilities come in three primary forms. Let’s look at each of them.

Network access

To do their job, vendors need access to your network. If they're working on hardware, they might be on-site and physically connecting to your local system. Vendors often do their work off-site, however, ideally connecting through a secure method such as a virtual private network (VPN).

Either way, remember that every new entry point into your network is an opening a malicious actor can exploit. If a connection is not configured correctly and maintained securely, it becomes a significant vulnerability. Treat each vendor connection as a named, auditable account rather than a shared login: restrict it to the systems the vendor actually needs, require multi-factor authentication on the VPN or remote-administration login, and disable it when the engagement ends.

Administrative privilege

Network administrators have the authority to make changes in your system, and every new administrator account is a potential vulnerability. That is why the principle of "least privilege" is a critical network security best practice. Least privilege means each account, including a vendor's, gets only the rights it needs to do its job, on only the systems where it needs them, for only as long as it needs them. In practice that also means as few people as possible hold administrative rights within your network.

Your organization needs to grant administrative rights to any vendor who performs maintenance, installs hardware or software, or upgrades an existing system. Administrative levels range from local (one computer) to global (everything in the network). A careless vendor with broad rights can damage systems they were never hired to touch. Worse, if a malicious actor compromises the vendor, that actor inherits the same access to and control over your systems, so a global grant to a vendor is a global grant to anyone who breaks into that vendor.
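Both the network-access and administrative-privilege concerns above come down to the same periodic check: review every vendor account against the scope, end date, and login protections it should have. The following is an added example written for this article, not code from TASB or from any vendor named here; the access register it reads is constructed sample data, and its field names (`scope`, `hosts`, `expires`, `mfa`, `via_vpn`) are assumptions about what a district's own register would hold.

```python
from datetime import date, timedelta

# Constructed sample of vendor access grants (not real accounts or vendors).
# Field names are this example's assumption about what an access register holds.
VENDOR_GRANTS = [
    {"account": "acme-svc", "vendor": "Acme Networks", "scope": "global",
     "hosts": ["*"], "expires": None, "last_login": date(2021, 4, 1),
     "enabled": True, "mfa": False, "via_vpn": True},
    {"account": "lms-support", "vendor": "LMS Co", "scope": "local",
     "hosts": ["lms-app-01"], "expires": date(2021, 3, 1),
     "last_login": date(2021, 2, 20), "enabled": True, "mfa": True, "via_vpn": True},
    {"account": "hvac-tech", "vendor": "HVAC Inc", "scope": "local",
     "hosts": ["bms-ctrl-01"], "expires": date(2021, 6, 30),
     "last_login": date(2020, 11, 5), "enabled": True, "mfa": True, "via_vpn": False},
    {"account": "sis-vendor", "vendor": "SIS Corp", "scope": "local",
     "hosts": ["sis-db-01", "sis-app-01"], "expires": date(2021, 5, 15),
     "last_login": date(2021, 4, 15), "enabled": True, "mfa": True, "via_vpn": True},
]

STALE_AFTER = timedelta(days=90)  # assumed review threshold for unused accounts


def review_vendor_access(grants, today):
    """Return (account, finding-code, recommended action) for every enabled
    grant that violates least privilege or the remote-access rules above."""
    findings = []
    for g in grants:
        acct = g["account"]
        if not g["enabled"]:
            continue  # disabled accounts are not an exposure; re-review on re-enable
        # Scope: a vendor should never hold rights over "everything in the network".
        if g["scope"] == "global" or "*" in g["hosts"]:
            findings.append((acct, "global-admin",
                             "scope the grant to the hosts named in the work order"))
        # Duration: every grant needs an end date tied to the engagement.
        if g["expires"] is None:
            findings.append((acct, "no-expiry",
                             "set an end date tied to the engagement"))
        elif g["expires"] < today:
            findings.append((acct, "expired-still-enabled",
                             "disable the account; re-enable only for a new work order"))
        # Login protections on the remote path.
        if not g["mfa"]:
            findings.append((acct, "no-mfa",
                             "require multi-factor authentication on the VPN/admin login"))
        if not g["via_vpn"]:
            findings.append((acct, "direct-exposure",
                             "route remote access through the VPN, not an exposed RDP/SSH port"))
        # Use: an enabled account nobody logs into is attack surface with no owner.
        if g["last_login"] is None or today - g["last_login"] > STALE_AFTER:
            findings.append((acct, "stale",
                             "no login in 90 days; disable until needed"))
    return findings


def codes_for(findings, account):
    """Finding codes for one account, in the order they were raised."""
    return [code for acct, code, _ in findings if acct == account]


if __name__ == "__main__":
    for acct, code, action in review_vendor_access(VENDOR_GRANTS, date(2021, 4, 19)):
        print(f"{acct:<12} {code:<22} {action}")
```

Run it with today's date and the output is the agenda for the next access review: the global, open-ended, MFA-less service account is the one an attacker who compromises that vendor would use, and the expired and stale grants are the ones nobody will notice being abused.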

Out-of-network storage

Your vendor might need to duplicate or back up parts of your system or data while conducting network maintenance. The goal is to ensure that if complications result in network malfunction or data loss, the vendor can restore the system to its previous, functional state.

This means your sensitive data may be temporarily stored in external systems managed by non-employees. You might not have full visibility into your vendor's data management and network security practices, which could provide an opportunity for exploitation and data compromise. Before the work starts, ask where any copy of your data will live, who can reach it, whether it is encrypted, and when it will be deleted, and ask for confirmation of the deletion afterward.

Real-world examples

Now that you understand how vendors could compromise your network security, let’s look at some real-world examples of vendor-related cybersecurity incidents.

Texas Counties and Municipalities

In August 2019, 22 county and municipal government networks in Texas were victims of a ransomware attack. All impacted networks shut down, and local government services halted.

The targeted entities lacked local IT departments. They all used the same managed service provider (MSP) to oversee network maintenance and security. A malicious actor compromised the MSP, gained access with administrative control to all 22 managed systems, and installed the ransomware.

Your district can reduce its exposure to a similar attack by budgeting for and developing robust in-house information security staff so that it does not depend entirely on an MSP. If you do hire an MSP or other vendor, vet them thoroughly, and treat the vendor's remote-administration access as one of your own privileged accounts: scope it, require multi-factor authentication on it, and monitor it, because whoever compromises the vendor's tooling inherits that access.

Total Registration

In May 2019, 20 school districts across 12 states, including Texas, suffered a massive data breach of over 13,000 student records. Hackers didn’t target the districts. They attacked Total Registration, a third-party vendor hired to register students for the AP and PSAT tests.

The stolen student data included first and last names, telephone numbers, email addresses, student ID numbers, home addresses, and similar information for their parents. Security researchers found that Total Registration backed up this valuable data in an unsecured Amazon cloud storage folder.

This is an example of a vendor offering a unique software solution that meets a specific district need, and of a hacker exploiting the vendor's out-of-network storage vulnerability. A strong data protection agreement (DPA) that requires secure storage of all sensitive data sets the expectation, but a contract alone does not close an open storage bucket; pair the DPA with a requirement that the vendor show evidence (a configuration review, an audit report, or an attestation) that backups are private, encrypted, and retained only as long as needed.
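The "unsecured cloud storage" failure behind the Total Registration breach is a concrete, checkable misconfiguration, and a district can ask a vendor for evidence that it is absent. The following is an added example written for this article, not code from TASB, Total Registration, or AWS; it assumes the storage in question is an Amazon S3 bucket (the article only says "Amazon cloud storage") and checks a bucket policy document for statements that grant object reads to everyone. Both policies below are constructed: the bucket name, account number, and role name are inventions.

```python
import json
from fnmatch import fnmatchcase

# Constructed policy resembling a backup bucket opened to the world.
# Bucket name and statements are this example's invention.
PUBLIC_BACKUP_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "BackupRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-registration-backups",
                     "arn:aws:s3:::example-registration-backups/*"],
    }],
})

# Hardened form (constructed): only a named restore role may read objects,
# and any request that is not over TLS is denied.
HARDENED_BACKUP_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BackupRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-restore"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-registration-backups/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-registration-backups",
                      "arn:aws:s3:::example-registration-backups/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


def _as_list(v):
    # Policy fields may be a single string or a list; normalize to a list.
    return v if isinstance(v, list) else [v]


def principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}: anyone, including anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def grants_object_read(actions):
    """True if any action pattern (s3:GetObject, s3:Get*, s3:*, *) covers s3:GetObject."""
    return any(fnmatchcase("s3:getobject", a.lower()) for a in _as_list(actions))


def find_public_read(policy_json):
    """Return (Sid, kind, resources) for Allow statements that let everyone read objects.
    kind is "public" (no Condition), "conditional" (a Condition narrows it; review it),
    or "review" for negated statements this simple check does not evaluate."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, st in enumerate(statements):
        sid = st.get("Sid", f"statement-{i}")
        if "NotPrincipal" in st or "NotAction" in st:
            findings.append((sid, "review", _as_list(st.get("Resource", []))))
            continue
        if st.get("Effect") != "Allow":
            continue  # Deny statements never open access
        if not principal_is_public(st.get("Principal")):
            continue
        if not grants_object_read(st.get("Action", [])):
            continue
        kind = "conditional" if st.get("Condition") else "public"
        findings.append((sid, kind, _as_list(st.get("Resource", []))))
    return findings


def block_public_access_enforced(cfg):
    """S3 Block Public Access only fully protects a bucket with all four flags on."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(cfg.get(k) is True for k in keys)


if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_BACKUP_POLICY),
                         ("hardened", HARDENED_BACKUP_POLICY)):
        print(name, find_public_read(policy))
```

Against a live account the same functions take the string returned by `get_bucket_policy(...)["Policy"]` and the dictionary returned under `PublicAccessBlockConfiguration` by `get_public_access_block(...)` from the AWS SDK. Note what the check does not cover: object ACLs, and policies that grant access to a wildcard principal through a Condition, which is why those are reported as "conditional" for a human to read rather than silently accepted.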

What can you do?

SolarWinds, Tyler Technologies, and Blackbaud are just a few vendors used by schools that suffered high-profile cyber-attacks last year. With remote learning here to stay, at least for the foreseeable future, attacks on vendors show no sign of tapering off.

Here are three things you can do to protect your organization and your staff, students, and parents.

Vet your vendors

Every information technology vendor has a digital reputation you can research. Vet your vendor by checking their reviews and ratings on business reputation sites like the Better Business Bureau or market research firms like Gartner. A simple Google search with your potential vendor and terms like “data breach” or “hack” can also provide valuable information.

During contract talks with potential partners, have frank discussions regarding their stewardship of sensitive data and their general approaches to cybersecurity. Ask to see their terms of service, privacy policy, and information security overview/policy. These documents can answer a lot of questions about vendor security practices.

If a vendor doesn’t have these documents or something similar, consider it a significant red flag. You should also check their website for certifications and awards. If you can’t find any, that might be a question to ask the company representative.

It would also be beneficial to ask about other customers the vendor serves and their customer retention. This might give you an opportunity to reach out to existing clients for more insight into the vendor's approach to customer service and security. If a vendor doesn't seem to hold on to customers, it could be a sign that they weren't good data stewards or that they opened client systems to exploitation.

Explain your acceptable use policies

An acceptable use policy (AUP) is a set of rules that govern how technology is used within an organization. Your AUP can be a great way to introduce a new vendor to your district’s policies and approaches to prioritizing cybersecurity. It is reasonable to require any technicians who will access your network to understand and comply with your AUP.

Enter data protection agreements

A data protection or privacy agreement is a document that allows your district to dictate how a vendor protects and uses your data. This could include specifying what type of encryption the vendor uses for data in storage or restricting the vendor from using your data commercially.

A well-developed DPA can even ensure that if a vendor is responsible for a breach of sensitive data, they will take responsibility for investigation, remediation, notification of impacted parties, and ongoing identity theft monitoring for victims. The Texas Student Privacy Alliance offers a DPA template for reference.

Expert help from the Fund

Fund members with Privacy and Information Security coverage who suspect they have been the target of cybercrime should call the Fund immediately at 855.295.8344 to report a claim. If you have questions about cybersecurity education or consultation, contact Privacy and Cyber Risk Consultant Lucas Anderson.
