Public institutions warned on remote access

Remote access is now a daily function for schools, hospitals, and city offices, and security agencies say those logins can also become the easiest way in for attackers. (bnonews.com) (cisa.gov) The April 13, 2026 advisory said public-facing institutions rely on remote tools to keep classes running, support patients, and maintain services during travel problems, weather events, and building closures. It said each remote desktop session, login portal, and administrative account adds another possible entry point. (bnonews.com) The federal Cybersecurity and Infrastructure Security Agency published a guide on June 6, 2023 saying remote access software helps organizations manage devices and networks, but threat actors increasingly abuse the same tools to get into victim systems. That includes remote administration and remote monitoring products used by information technology staff and contractors. (cisa.gov) A remote login is a digital front door: it lets staff work from home or fix systems offsite, but it also exposes whatever sits behind that door if controls are weak. The BNO piece pointed to weak passwords, unlimited login attempts, stale accounts, and poor monitoring as common gaps. (bnonews.com) The pressure is higher in institutions that cannot easily stop operating. A school district has payroll, attendance, and classroom systems; a clinic has scheduling and communications tools; a local government has resident services that people expect to stay online. (bnonews.com) That exposure sits inside a broader rise in attacks on public services. The U.S. Department of Education says school districts are experiencing an average of five cyber incidents a week, and the Federal Bureau of Investigation said ransomware complaints from critical infrastructure rose 9 percent in 2024. (ed.gov) (fbi.gov) The same Federal Bureau of Investigation report said internet crime losses reached more than $16 billion in 2024. A separate breakdown of that report showed healthcare, government facilities, and education among the critical sectors reporting large numbers of ransomware and data-breach complaints. (fbi.gov) (ic3.gov) (levelblue.com) Security guidance has been consistent on the basic fix: add more than a password. The Cybersecurity and Infrastructure Security Agency says multifactor authentication makes accounts 99 percent less likely to be compromised because a stolen password alone is not enough to log in. (cisa.gov) Microsoft’s guidance for Remote Desktop Services says organizations should plan multifactor authentication, backup authentication methods, and location- or device-based access policies for remote desktop deployments. Those controls are aimed at the exact systems many schools, clinics, and local offices still expose for convenience. (learn.microsoft.com) Healthcare defenders are seeing the same pattern. Health Information Sharing and Analysis Center’s 2025 threat report listed exposed imaging servers, medical devices on unsecured networks, help-desk targeting, and remote access abuse among the sector’s risks. (health-isac.org) The warning for public institutions is not that remote access should disappear. It is that the systems people depend on most often stay reachable from anywhere, and that convenience has to be matched with tighter controls before the next outage or breach. (bnonews.com)