Quick Wins to Establish a Cybersecurity Foundation in K-12

Tim Tillman, Ed.D., Chief Technology Officer, Chesterfield County Public Schools

Tim Tillman, Ed.D., Chief Technology Officer, Chesterfield County Public Schools

Cybersecurity is a concern that most school districts in the nation have not been able to adequately plan, implement, test, and solidify. Technology leadership in our schools is faced with inadequate resources to properly implement a security program.

Some missing resources are financial, but schools also face a shortage of available talent and willingness of stakeholders. Technology teams are often expected to simply absorb and adapt to changing technologies and needs with existing talent.Rarely are new positions created and funded adequately. Unwilling stakeholders may claim they do not believe the district to be a viable target of attack or may claim a defeatist attitude seeing millions of dollars spent in large corporations, yet successful attacks still occur. 

It’s no secret by now that ransomware delivered via phishing poses a large threat to our schools.  Some unprepared K-12 school districts sit idle, waiting for an attack to occur. Other districts consider themselves aptly prepared behind the walls of a fortress and confidently beg for an enemy to attempt to breach their gates. Both positions have proven ineffective in the past against ransomware attacks for large and small organizations as well as school districts. So how do we protect our data from unauthorized access, stop encryption and manipulation of critical files, and end disruption of services and applications?

Attitudes and budgets need to be molded by technology leaders to change cybersecurity from a hyped subject in the media to normal everyday processes.For district technology leaders seeking to balance limited resources yet still maintain due diligence against attacks, there are three quick win strategies that can be implemented. Quick wins show value and effectiveness hopefully leading to more resources. 

Cybersecurity Awareness Training

Both positions have proven ineffective in the past against ransomware attacks for large and small organizations as well as school districts

Cybersecurity is a shared responsibility. However, we all know that cybersecurity responsibility starts, continues, and ends with technology leadership. Our communities of users have the responsibility to be suspicious of content and data with which they interact. They are gatekeepers of critical student data. We, as leaders, have to create an environment that allows our users to make informed decisions, allows them to fail and learn, and allows them to feel safe.Training is the first step in that process. It is sometimes too easy to assume that users know the best action to take, the right email to delete, or the wrong data to share.

Awareness applies to your entire community – students, teachers, staff, administrators, Boards, vendors, and partners. Training can change mindsets. Training can change your front-line users from a threat to an asset.Training gives users confidence to make informed decisions.Districts should employ both annual and on-boarding training that includes the basics of cyber hygiene while also introducing information on data sharing, hardware responsibility, concerns for remote work, and other district-specific content. Districts can send fake phishing campaigns to test skillsets and bolster education as needed. Training should not be a once-a-year activity that becomes a dreaded compliance event. Seek ways to train your users beyond compliance. Consider Board presentations, weekly emails, communications with parents, townhalls, twitter Q&A’s, blog posts, podcasts, or newsletters. The more often cybersecurity concepts are presented, the more often those concepts will become commonplace, improving your district’s culture surrounding cybersecurity.

Disaster Resiliency Planning

The most effective strategy against ransomware attack is resiliency -- the ability to bounce-back, to shift, to adapt, to continue. Resiliency isdifferent from Business Continuity. While continuity keeps us going in the face of something like a power outage, resiliency keeps us going for alifetime in the face of a constantly changing environment. It makes us nimble.

School districts should consider disaster recovery planning to instead be disaster resiliency planning. Plan for the ability to shrug off an attack. The importance of recovery time and recovery point objectives become shadowed by the existence of air-gapped redundant servers and laptops. Virtual snapshots of systems are easier and more effective than individual file backup in a typical disaster strategy. Spare hardware makes it easier to ignore or destroy infected hardware. Don’t waste time trying to recover;instead, be ready to simply shift, make adjustments, and keep moving.

Part of resiliency planning is segmentation. Districts should take the time to segment network assets and services and prevent lateral movement of attacks that can flood an entire school or district. If a teacher laptop suffers an attack, make sure that student and administrator devices cannot be accidentally infected by segmenting different user types.Segment instructional and business office environments. Segment BYOD and district WIFI. Segmentation can stop an attack from spreading and helps to ensure resiliency.

Logging, Monitoring, and Auditing

Districts with no insight into the actions of users and the logs of software in their environments have no clear understanding of whether an attack is in progress, imminent, or completed. Regular monitoring of log information can produce valuable and actionable information about the activities occurring within a school district’s network. Regular auditing and testing of security controls can reveal vulnerabilities otherwise ignored or unknown. 

Logs from servers, software, hardware, and infrastructure devices can be complex and large. Tools are needed to help decipher the large number of log entries that are generated. Tools like a Security Information Event and Management (SIEM) system. These systems can parse large amounts of data to produce patterns, compare against baselines, and alert the proper stakeholders. A SIEM is an invaluable tool in your arsenal.

A third-party audit can produce results that help a district mitigate risk. When working with a vendor, be specific in the controls that are being tested. An open-ended test of the network will produce too much data. Focus instead on a single system, change in the environment, or critical data repository. Each year, focus your third-party audit on a different aspect of your network.

Cybersecurity can be started in small tasks that eventually grow into a full program. A K-12 school district can make an impact by utilizing these three quick wins to start its journey.

Weekly Brief

Top 10 Innovative School District Tech Director

Read Also

Importance of Technology in the Education Sector

Importance of Technology in the Education Sector

Frank Williams III, IT Director, Student Management Systems at Houston Independent School District
Designing Learning Experiences with Educational Apps

Designing Learning Experiences with Educational Apps

Bucky J. Dodd, Ph.D, Assistant Vice President, University of Central Oklahoma
Bridging the Gap from Education to Employment

Bridging the Gap from Education to Employment

Mark Grovic, the Co-Founder and General Partner of New Markets Venture Partners, also taught at the University of Maryland for 20 years
Cybersecurity Worker Shortage is a Matter of National and Economic Security

Cybersecurity Worker Shortage is a Matter of National and Economic Security

Charla Griffy-Brown, Professor of Information Systems and Technology Management At Graziadio Business School
Three Things K-12 EdTech Leaders Can Do to Bolster Cybersecurity

Three Things K-12 EdTech Leaders Can Do to Bolster Cybersecurity

Tim Tillman, Ed.D., Chief Technology Officer, Chesterfield County Public Schools