

Executive Director
ECMECC

There is no way to be 100% sure that a school district will not fall victim to a cyber incident. Cyber insurance is an important part of a plan, but that’s for after an incident has occurred. There are many things that a district can do to minimize its risk before an incident happens, which might also help keep the insurance premiums manageable. Those of us in schools might like to think about this as a type of continuous improvement plan, since it requires ongoing evaluation and action.
- Assess your risk – We all know the phrase, “you don’t know what you don’t know.” In order to start down the road toward improving your cyber risk profile, you need to have a baseline. While there are many tools available to help with risk assessments, many of them (especially those advertised as “free”) are self-assessments and not comprehensive enough to provide the depth of knowledge you need to make meaningful changes or track your progress. Comprehensive risk assessments from third-party organizations can be expensive, but they provide a wealth of information. These assessments involve multiple stakeholders in a district, including administration, operations, facilities and technology staff, and look at many aspects of cybersecurity, including administrative procedures, internal/external vulnerabilities, hardware/software inventories, the physical environment and others. There are several school cooperatives that provide risk assessments and various cybersecurity services at a lower cost than private businesses. Completing a comprehensive assessment (yearly) will provide a basis for planning, mitigating risk, and tracking improvement over time.
- Have policies, procedures and plans – You are not a trained cybersecurity expert, and that’s OK. After all, a teaching license was the entry for many of us in district leadership roles, including the authors of this article. In today’s environment, there is a need for leaders in PreK-12 education to quickly learn and grow in this arena. Depending on the cybersecurity work happening in your district over the past few years, you might already understand where this line of thinking is headed. All levels of district and building leadership need to be engaged with your cybersecurity work and incident response plans. Some districts have implemented an Information Security Policy at the board level, and we encourage districts to consider reviewing this policy. At a basic level, an Incident Response (IR) plan is a must for districts to account for how you plan to respond to a cyber incident. An incident response plan is your playbook to use when you have a suspected cyber breach. Your IR plan is not something that your technology team does on their own – stakeholders from communications, business, building management, human resources and other district-wide leadership roles are very beneficial to building a successful plan. There are many resources to help you develop an incident response plan, and many cyber insurance companies offer resources, templates and even services as a part of your policy if you are just getting started. This local MN-based organization has supported cybersecurity work in schools and is a no-cost place to grow your incident response plan: FRSecure Response Plan Template.
- Engage in high-quality security awareness training for staff – Many cyber incidents start with people who accidentally respond to a phishing attack: a message that tricks a user into clicking a nefarious link or providing login credentials or other personal information that hackers can use to infiltrate a network, steal money or information, or lock files. There is no perfect solution to prevent phishing messages from reaching you and your staff, and it only takes one. The best defense against this is comprehensive, ongoing training to help staff identify these messages and delete them before acting on them. As with risk assessments, there are no-cost resources to help with this, but they also tend to be “one and done” types of training, which, in education, we know is not the most effective. It is, however, better than no training at all. Better still is the use of a training platform that provides ongoing training, phishing simulations and immediate feedback to users. Many training programs exist, including those from vendors, insurance companies and third-party providers. The programs vary in cost and scope. Several school district cooperatives in the state offer comprehensive security awareness training programs that have been vetted and are offered at a significant discount from what a single district is likely to pay for similar/same programs. If a district absolutely cannot afford a more comprehensive program, it is highly encouraged to at least look into what may be offered as part of an insurance program or other training platform to which the district may already have a subscription.
- Mitigate risks to the best of your ability – There are many flashy software products, tools and third parties who are happy to sell you products to help make your district “more secure.” These products can be helpful, but can also give a false sense of security. Understanding where your greatest risks exist and then utilizing the services and products that most appropriately, and within budget, address those risks is paramount. As you dive into risk assessments (see “Assess your risk” above), you will also start to see things that might have a large impact, but have low or no cost. Multi-factor Authentication (MFA) is an example of a low-cost, high-impact security tactic that is an outcome of that work in many districts. Vulnerability scans, also part of a risk assessment, will help your technology staff identify areas for improvement in technical controls. Addressing these technical issues generally requires staff time rather than money to purchase services. As noted in the opening paragraph, there is no way to completely eliminate risk. In education, there is a balance between providing easy access to administrative and instructional technology, including online tools, and implementing best practices in security, and you’ll need to navigate that balance within your district. With almost one school year of the MN Student Data Privacy Law under our belts, we’re seeing a move for districts to have a deeper understanding of how and where student data flows between products, as well as beefing up our vetting process for new tools as they come into our schools, paying attention to both data privacy and cybersecurity.
- Monitor your networks for nefarious activity – A key aspect of continuous improvement is regular evaluation and monitoring. After an initial risk assessment, it is important to do annual reviews. Likewise, it is important to monitor your data networks for nefarious activities. This monitoring is often referred to as “endpoint detection and response” (EDR) or “managed detection and response” (MDR) products and services. EDR/MDR monitors networks in real time to identify activities which may be indicators of compromise. With limited resources for tech support in schools, most districts don’t have local personnel who have the time or the level of knowledge needed to monitor networks. Generally, districts need to make use of third-party tools or organizations to do this work. This can be expensive, yet it is extremely important for thwarting attacks before they result in ransomware or other incidents. There are opportunities now and on the horizon to access EDR/MDR solutions at highly subsidized prices. School technology and other leaders should monitor education technology groups in the state and/or school cooperatives for information about these opportunities.
Resources:
- Curated list of informational links on cyber security through ECMECC.org: https://www.ecmecc.org/useful-security-links
- Blank Incident Response Template: https://frsecure.com/incident-response-plan-template
- US Schools data breach trend data: https://www.comparitech.com/blog/vpn-privacy/us-schools-data-breaches