Do Your Vendors’ Cybersecurity Practices Make the Grade?
Many districts turn to outside vendors to assist with the complicated work of maintaining secure network operations. The need to collaborate with vendors could be the result of:
- Lack of expertise within the district IT staff
- Specialized software or technical solutions delivered by the vendor
- Existing contract with an established vendor such as Microsoft or Cisco that obligates your district to work with another vendor
While vendors can provide important benefits to districts, they can also compromise network security. In 2021, hackers launched disruptive attacks against education sector vendors such as ACT and Student Transportation of America, according to the annual K12 State of Cybersecurity Report. Vendor mistakes could also cause malware infection, operational interruptions, and even school closures.
3 vendor vulnerabilities to watch for
Vendor-associated vulnerabilities come in three primary forms. Let’s look at each of them.
To do their job, vendors need access to your network. If they’re working on hardware, they might be on-site and physically connecting to your local system. Vendors often do their work off-site, however, ideally connecting through a secure method such as a virtual private network.
Either way, remember that new access points to your network could create openings for criminals to exploit. If connections aren’t configured correctly and maintained securely, they can become significant vulnerabilities.
Network administrators have the authority to make changes in your system. Every new administrator creates a potential vulnerability. That is why the principle of “least privilege” is a critical network security best practice. Least privilege means as few people as possible have administrative rights within your network.
Your organization needs to grant administrative rights to any vendor who performs maintenance, installs hardware or software, or upgrades an existing system. Administrative levels range from local (one computer) to global (everything in the network). This could be a problem if the vendor is not careful while conducting their business. Additionally, if a cybercriminal compromises the vendor, that person will have access to and control over your system.
Your vendor might need to duplicate or back up parts of your system or data while conducting network maintenance. The goal is to ensure that if complications result in network malfunction or data loss, the vendor can restore the system to its previous, functional state.
This means your sensitive data may be temporarily stored in external systems managed by non-employees. You might not have full visibility of your vendor’s data management and network security practices, which could provide an opportunity for exploitation and data compromise.
Now that you understand how vendors could compromise your network security, let’s look at some real-world examples of vendor-related cybersecurity incidents.
In January 2022, dozens of school districts across at least four states suffered a massive data breach of more than 1 million student records. Hackers didn’t target the districts. They attacked Illuminate Education, a third-party vendor hired to track K-12 student data and communicate with parents.
The stolen student data included name, date of birth, gender, student ID number, course enrollment, attendance, and class schedules, as well as whether students received free lunches or special education services. Security researchers found that Illuminate Education stored this valuable data on multiple, publicly accessible, unencrypted databases.
This is an example of a vendor offering a unique software solution that meets a specific district need and a hacker exploiting the vendor’s out-of-network storage vulnerability. An incident like this could be prevented with a data protection agreement (DPA) that requires vendors to securely store sensitive data.
Texas Counties and Municipalities
In August 2019, 22 county and municipal government networks in Texas were victims of a ransomware attack. All impacted networks shut down, and local government services halted.
The targeted entities lacked local IT departments. They all used the same vendor to oversee network maintenance and security. A hacker compromised the vendor, gained administrative control over all 22 managed systems, and installed the ransomware.
Your district could prevent a similar attack by budgeting for and developing robust in-house information security staff so that you do not need a vendor to manage your security. If you do hire vendors, make sure you thoroughly vet them (see below).
What can you do?
SolarWinds, Tyler Technologies, and Blackbaud are just a few school vendors that suffered high-profile cyber-attacks last year. With remote learning here to stay, at least for the foreseeable future, vendor attacks show no sign of tapering off.
Here are three things you can do to protect your organization and your staff, students, and parents.
Vet your vendors
Every information technology vendor has a digital reputation you can research. Vet your vendor by checking their reviews and ratings on business reputation sites like the Better Business Bureau or market research firms like Gartner. A simple Google search for your potential vendor’s name together with terms like “data breach” or “hack” can also provide valuable information.
If a vendor doesn’t have these documents or something similar, consider it a significant red flag. You should also check their website for certifications and awards. If you can’t find any, that might be a question to ask the company representative.
It would also be beneficial to ask about other customers the vendor serves and their customer retention. This might give you an opportunity to reach out to existing clients for more insight into the vendor’s approach to customer service and security. If a vendor doesn’t seem to hold on to customers, it could be a sign they weren’t good data stewards or they opened client systems to exploitation.
Explain your acceptable use policies
An acceptable use policy (AUP) is a set of rules that govern how technology is used within an organization. Your AUP can be a great way to introduce a new vendor to your district’s policies and approaches to prioritizing cybersecurity. It is reasonable to require any technicians who will access your network to understand and comply with your AUP.
Enter data protection agreements
A data protection or privacy agreement is a document that allows your district to dictate how a vendor protects and uses your data. This could include specifying what type of encryption the vendor uses for data in storage or restricting the vendor from using your data commercially.
A well-developed DPA can even ensure that if a vendor is responsible for a breach of sensitive data, they will take responsibility for investigation, remediation, notification of impacted parties, and ongoing identity theft monitoring for victims. The Texas Student Privacy Alliance offers a DPA template for reference.
Have Cybersecurity Questions?
Members with Privacy and Information Security coverage can request training and support from our Privacy and Cyber Risk Consultant Lucas Anderson at 800-482-7276, x2893 or email@example.com.
Lucas Anderson joined TASB Risk Management Services in 2019, bringing more than a decade of experience in cybersecurity, network administration, and information technology. He advises districts on preemptive mitigation against ongoing and emerging cybercriminal threats targeting the education sector, as well as cybersecurity-related regulatory compliance.
Over his career, Anderson has supported public and private organizations, including Booz Allen Hamilton, the White House Office of Management and Budget, the Department of Defense, and the Texas Association of Counties.