Do Your Vendors’ Cybersecurity Practices Make the Grade?

Many districts turn to outside vendors to assist with the complicated work of maintaining secure network operations. The need to collaborate with vendors could be the result of:

• Lack of expertise within the district IT staff
• Specialized software or technical solutions delivered by the vendor.
• Existing contract with an established vendor such as Microsoft or Cisco that obligates your district to work with another vendor

While vendors can provide important benefits to districts, they can also compromise network security. In 2021, hackers launched disruptive attacks against education sector vendors such as ACT and Student Transportation of America, according to the annual K12 State of Cybersecurity Report. Vendor mistakes could also cause malware infection, operational interruptions, and even school closures.

3 vendor vulnerabilities to watch for

Vendor-associated vulnerabilities come in three primary forms. Let’s look at each of them.

Network access

To do their job, vendors need access to your network. If they’re working on hardware, they might be on-site and physically connecting to your local system. Vendors often do their work off-site, however, ideally connecting through a secure method such as a virtual private network.

Either way, remember that new access points to your network could create openings for criminals to exploit. If connections aren’t configured correctly and maintained securely, they can become significant vulnerabilities.

Administrative privilege

Network administrators have the authority to make changes in your system. Every new administrator creates a potential vulnerability. That is why the principle of “least privilege” is a critical network security best practice. Least privilege means as few people as possible have administrative rights within your network.

Your organization needs to grant administrative rights to any vendor who performs maintenance, installs hardware or software, or upgrades an existing system. Administrative levels range from local (one computer) to global (everything in the network). This could be a problem if the vendor is not careful while conducting their business. Additionally, if a cybercriminal compromises the vendor, that person will have access to and control over your system.

Out-of-network storage

Your vendor might need to duplicate or back up parts of your system or data while conducting network maintenance. The goal is to ensure that if complications result in network malfunction or data loss, the vendor can restore the system to its previous, functional state.

This means your sensitive data may be temporarily stored in external systems managed by non-employees. You might not have full visibility of your vendor’s data management and network security practices, which could provide an opportunity for exploitation and data compromise.

Real-world examples

Now that you understand how vendors could compromise your network security, let’s look at some real-world examples of vendor-related cybersecurity incidents.

Illuminate Education

In January 2022, dozens of school districts across at least four states suffered a massive data breach of more than 1 million student records. Hackers didn’t target the districts. They attacked Illuminate Education, a third-party vendor hired to track K-12 student data and communicate with parents.

The stolen student data included name, date of birth, gender, student ID number, course enrollment, attendance, and class schedules, as well as whether students received free lunches or special education services. Security researchers found that Illuminate Education stored this valuable data on multiple, publicly accessible, unencrypted databases.

This is an example of a vendor offering a unique software solution that meets a specific district need and a hacker exploiting the vendor’s out-of-network storage vulnerability. An incident like this could be prevented with a data protection agreement (DPA) that requires vendors to securely store sensitive data.

Texas Counties and Municipalities

In June 2023, malicious actors attacked third-party applications used by the Google application programming interface (API). The hackers discovered a vulnerability in the way the third party configured their connection to Google and used it to gain access to and exfiltrate information from the Google directory. 

To date, over 180 school districts nationwide have had this directory information stolen, including more than a dozen in Texas. Any information districts were storing in the Google directory was taken and published on the dark web. This vulnerability was recently discovered and continues to be exploited. 

What can you do?

Here are things you can do to tighten up your application configurations to protect your organization, staff, students, and parents. 

1. Restrict cloud-based sign-ins so that staff can't use ESC accounts to log in to local district networks and sites. 
2. Use the Google admin console (Security > API Control > AppAccess Control API Control) to ensure administrators must approve any access or changes.
3. Don’t put anything in cloud-based directories except directory information (i.e. no sensitive or student data).
4. Go through your list of cloud-based applications and look for any unapproved apps. 
5. Only allow applications approved by your IT department for your ESC.
6. Inform your staff about the dangers of unrestricted and unapproved applications.

Vet your vendors

Every information technology vendor has a digital reputation you can research. Vet your vendor by checking their reviews and ratings on business reputation sites like the Better Business Bureau or market research firms like Gartner. A simple Google search with your potential vendor and terms like “data breach” or “hack” can also provide valuable information.

During contract talks with potential partners, have frank discussions regarding their stewardship of sensitive data and their general approaches to cybersecurity. Ask to see their terms of service, privacy policy, and information security overview/policy. These documents can answer a lot of questions about vendor security practices.

If a vendor doesn’t have these documents or something similar, consider it a significant red flag. You should also check their website for certifications and awards. If you can’t find any, that might be a question to ask the company representative.

It would also be beneficial to ask about other customers the vendor serves and their customer retention. This might give you an opportunity to reach out to existing clients for more insight into the vendor’s approach to customer service and security. If a vendor doesn’t seem to hold on to customers, it could be a sign they weren’t good data stewards or they opened client systems to exploitation.

Explain your acceptable use policies

An acceptable use policy (AUP) is a set of rules that govern how technology is used within an organization. Your AUP can be a great way to introduce a new vendor to your district’s policies and approaches to prioritizing cybersecurity. It is reasonable to require any technicians who will access your network to understand and comply with your AUP.

Enter data protection agreements

A data protection or privacy agreement is a document that allows your district to dictate how a vendor protects and uses your data. This could include specifying what type of encryption the vendor uses for data in storage or restricting the vendor from using your data commercially.

A well-developed DPA can even ensure that if a vendor is responsible for a breach of sensitive data, they will take responsibility for investigation, remediation, notification of impacted parties, and ongoing identity theft monitoring for victims. The Texas Student Privacy Alliance offers a DPA template for reference.