Schools and organizations that deploy large numbers of computers have a much-needed computing edge against cybersecurity risks with enterprise-grade Chromebooks.

Consumer-grade Chromebooks come with what Google calls “defense in depth,” which provides multiple layers of protection. If attackers manage to bypass one layer, others remain in effect. The networked Chromebooks deployed in school systems, medical facilities and government offices take multi-layered security and bolster it with additional features. One of them is Zero Trust security, a framework that authenticates every user and device.

All Chromebook devices run ChromeOS, an embedded operating system built around Google’s Chrome web browser. They run the same Google-certified operating system. This built-in enhanced security and automatic updates are designed for Zero Trust security and require no user monitoring.

Endpoint resiliency and data protection are two critical components of Zero Trust, complemented by robust data loss prevention (DLP) and granular access controls. Management of enterprise-level Chromebooks on an organization’s network is easily maintained by the IT system administrator through a console that is inaccessible to users.

The approach works whether students or employees use the Chromebook devices internally or remotely, ensuring security screens are always turned on. For example, users can access their devices using QR codes and picture-based login options.

“Schools have become frequent targets for cyberattacks such as ransomware, phishing and malware,” said Jeremy Burnett, vice president of technology at SOLduring a recent seminar where his company presented on the updated security features built into both consumer and enterprise Chromebooks.

CTL is a Chromebook manufacturer and ChromeOS OEM service provider that works with Google to deliver customized solutions for educators, learners and businesses. These solutions address the growing threats of cyber attacks that schools and organizations face.

ChromeOS Fundamental Security

According to Andrew Luong, Partner Success Engineer for Google and ChromeOS, the goal is to have strong authentication with second factors or security keys. Despite the other login options, students and others who are less tech-savvy prefer passwords.

“Getting users to change passwords regularly is complex because every application you use today asks for longer and more complex passwords. It became quite a struggle,” he told the virtual seminar audience.

Google’s password manager has been very helpful in generating stronger passwords because the more you have to change them, the less likely you are to remember them. Google’s various sign-in tools help users manage passwords better.

Another big challenge is device health, he added. Devices should be regularly updated with the latest security patches.

“Using ChromeOS is where we really shine,” Luong noted. “ChromeOS devices are automatically updated, a key advantage and differentiator, with all running the same Google-certified operating image.”

However, he added that school IT teams must ensure these devices are connected to get those updates and stay on the version you approve in accordance with your district or your school.

Using the IT admin console makes it easy to keep them on a specific version of ChromeOS so that the students can take their tests or the teachers or staff can use their classroom tools.

“What we’re doing in our console is having Google AI surface and show you, as you’re logging into the Cloud console, that devices are all up to date,” he said.

ChromeOS security behind the scenes

Updates are installed in the background on the second copy of the operating system. The process does not interfere with any user’s work. When all the updates are downloaded, a reload button appears to load the new operating system version.

Chromebooks include Verified Boot, a trust connection technology that verifies the integrity of the operating system at startup and ensures that the system has not been tampered with. If tampering or corruption is detected, the system automatically attempts to repair itself, often by restoring the operating system to its original state. This ensures that the operating system remains safe and intact, addressing any errors in its integrity.

Enterprise Chromebooks now have context-aware signals to check the integrity of the running ChromeOS version before allowing the devices to connect to school applications. This is an innovation in the zero-trust architecture framework, Luong explained.

Another recent security feature added to the IT management console is threat detection and response, which uses no agents. The driver license allows administrators to configure and monitor information flowing from ChromeOS device security events to the security event notification system.

“So centralized reporting and insights make it easy to have that zero-trust framework and improve your cybersecurity,” he said. “ChromeOS has built-in malware protection. No ransomware has ever been reported (on ChromeOS devices).”

These enhanced enterprise cybersecurity features are available through the admin console under a licensed plan from an authorized vendor such as CTL to enterprise-grade devices. Consumer-grade Chromebooks all have the other features mentioned regarding automatic updates and built-in malware and antivirus protection.

Insider risks in school cyber security

Luong emphasized an essential point about the strict cybersecurity protections inherent in all Chromebook devices. They cannot always survive careless employee actions.

“When it comes to phishing, about 90% of data breaches in K-12 schools are the result of a system employee clicking on a link — and that’s not a knock on school system employees,” he said.

If that click results in a ransomware attack, the fault isn’t with Chromebooks. Educational institutions are among the most targeted sectors.

This is where cyber security training comes into play. On average, US schools and colleges lose about $500,000 per day in downtime during ransomware attacks. So the stakes are high when something happens, Luong noted.

CyberNut offer security awareness training. The company’s platform is designed to be highly gamified and engaging, based on micro-training sessions with short, gamified experiences.

“The real goal is to allow schools to measure behavior change. Our success is not just based on checking a box for faculty staff after they watch a short video and take a quiz. We are laser-focused and deliver measurable behavior change through an ongoing, perpetual learning experience,” said Oliver Page, Co-Founder and CEO of CyberNut.

He offers a free trial, which allows organizations to learn about cybersecurity training. This includes a free phishing assessment to see how a school district is positioned from a security posture perspective.

The high cost of cyber attacks on schools

The quality of phishing emails has become more sophisticated over the past 10 or 20 years, with ransomware attacks on K-12 schools increasing significantly in recent years. According to Page, most of those attacks come through malicious email and phishing.

“It’s scary because it depends on how you calculate that number. If you’re talking about schools that have been targeted in some way and something has happened, it’s closer to 100% of schools that receive malicious emails every day that could lead to a ransomware attack. So, it’s common,” Page said.

Several factors place schools so prominently in the sights. Among the primary causes is a lack of budget, which leads to a lack of staff and expertise.

“It gets bad when we connect it with thousands of devices to manage and secure. We have tons of extremely valuable data,” Page warned.

The average ransom payment last year was $6.5 million. In addition to that ransom, you’re looking at additional millions in repair costs.

One of the realities of that is that no one is teaching students about cybersecurity, he added. Parents spend an average of 46 minutes educating their children about cyber safety in their entire lifetime.

“Coupled with the fact that the average child over the age of 13 spends seven hours a day online, it’s easy to see where the inequality and the concern lies,” he concluded.