Developing a Case – The Importance of Penetration Testing


Limited budgets are the most commonly cited challenge that school boards experience in improving their overall cyber security. With limited budgets, defending against cyber attacks is difficult, as school boards need to carefully choose how they spend their budget across many different priorities. Unfortunately, many organizations are forced into action only after a cyber incident has already occurred, in an effort to reduce the threat of future incidents, retrieve stolen information, and repair a damaged reputation. The reality is that these attacks against the education sector are increasing and are expensive. According to the IBM Cost of a Data Breach 2023 report, the average cost of a data breach in Canada is 5.13 million USD.

For students, multi-factor authentication may be seen as less critical than MFA on staff accounts, as students would not have access to the personal and private information of other students or staff. While the risk of a damaging cyber attack due to a compromised student account may be lower, less risk does not equal no risk. Penetration testing provides the critical information a school board needs without the fallout and costs associated with a cyber attack. It allows school boards to determine and assess the current level of threat to their infrastructure and create a plan for remedying outstanding concerns. Results from a penetration test build the case for, and clearly identify the need for, enabling multi-factor authentication on student accounts.


Creating a Strategic Plan 


Once the need is established, the next step is determining specific use cases within the board: namely, who uses what type of solution and why. In our first blog, Passwordless Authentication in Education, we outlined different user groups within a school board and MFA options that met the needs of those groups. While senior administration teams may be the first priority due to the access they have to sensitive information, all users in a school board need to be considered, as they all present an opportunity to cyber criminals. Schools are a primary target for ransomware attacks, and every user, from students to the Director of Education, plays a role in reducing these incidents.

Cyber insurance policies also need to be considered when planning the implementation of multi-factor authentication. In Ontario, OSBIE requirements for MFA on staff accounts kick in this year, placing increasing emphasis and importance on implementing MFA for staff. School boards wishing to remain compliant with their cyber insurance need to plan for and anticipate potential changes to cyber policies to avoid missing out on coverage. With the possibility of an MFA requirement for student accounts on the horizon, school boards need to take action to ensure they can meet these requirements.


Keeping IT Simple 


When choosing a multi-factor or passwordless authentication solution for the students in your school board, security and simplicity need careful consideration. Solutions have to meet the specific login requirements of the group they are being used for. Everyone recognizes that MFA is an important requirement for account security, yet there is resistance and reluctance to implement it. Why? In many instances, adding MFA to an account creates a more cumbersome, time-consuming login experience. This is especially true for young students who do not yet know how to read and write, multilingual learners, and students with exceptionalities. Enter passwordless authentication. MFA solutions need to be secure, but they also need to be simple, easy to use and efficient. Teaching staff need to see how easy it is for students to access their digital learning environments and the time savings they will experience in teaching and learning time.


Communicating with Stakeholders 


Creating a communication plan and understanding the specific needs of individuals and groups is critical to the successful implementation of multi-factor authentication. While the IT department’s primary concern may be enhancing security and securing access points, the majority of users, whether they be teaching staff, students or administration, may not have security as their most pressing concern. 

Stakeholder working groups are essential in giving voice to, and creating ownership amongst, those using multi-factor authentication. When implementing multi-factor authentication for students, working groups should include Superintendents, Instructional Program Leaders, Curriculum team and union representatives. The question is not whether multi-factor authentication will be implemented; it is what specific pain points, or concerns, these groups have about implementation, and how to plan to overcome them. The main issue concerning student authentication is the time and level of difficulty it takes for students to access their accounts. Understanding this concern, choosing a product that remedies it, and clearly communicating this to the relevant stakeholders greatly increases the chance of the successful adoption of passwordless, multi-factor authentication for students.

