Tim Tillman, Ed.D., Chief Technology Officer, Chesterfield County Public Schools
The tide is turning. In the last year, K-12 cybersecurity has received the focus and discussion needed to affect real change. No longer is the news dominated only by reports of breaches, ransomware, and denial of service. Now, we are finally starting to see news of federal, state, and local action to fund cybersecurity initiatives and start building programs that can protect school data. Real tangible progress in being made and momentum is building. It’s time for school district EdTech leaders to start building the foundation of a cybersecurity program that will be ready to adapt and grow with additional funding and resources.
In a recent discussion with a peer, I was asked how to navigate the mountain of cybersecurity information available to EdTech leaders. There are myriad white papers, best practices, frameworks, and guides available. There are hundreds of vendors claiming to have solutions, abilities, and foresight. It can be easy for an EdTech leader to become quickly overwhelmed by all of the things they “should” be doing.
So how do we protect our data from unauthorized access, stop encryption and manipulation of critical files, and end disruption of services and applications? First, ignore all of the marketing and focus on those things that create the highest impact for your school district.
Cybersecurity Awareness Training
Cybersecurity Awareness Training is about modifying user behavior. It’s psychological. Too often, training is seen as a compliance activity with a checklist of items to be reviewed.
We, as leaders, have to create an environment that allows our users to make informed decisions, allows them to fail and learn, and empowers them to act. Training is the first step. It is sometimes too easy to assume that users know the best action to take, the right email to delete, or the wrong data to share.
Awareness applies to your entire community students, teachers, staff, administrators, Boards, vendors, and partners. Seek ways to train your users beyond compliance. Consider Board presentations, weekly emails, communications with parents, town halls, twitter Q&A’s, blog posts, podcasts, or newsletters. The more often cybersecurity concepts are presented, the more often those concepts will become commonplace, improving your district’s culture surrounding cybersecurity.
Free resources are available to school districts from non-profit organizations. It is also very easy to create your own training content that covers the minimums.
Let It Go
Schools are famous for holding on to older technology, repositioning assets to neighbor classrooms, accepting surplus equipment, and generally using technology beyond a useful life span. We must learn to let go of technology that is no longer serving our needs.
“School districts should consider disaster recovery planning to instead be disaster resiliency planning”
Older unsupported technology is a cybersecurity risk. This idea applies to both hardware and software. Older technology is also inefficient and costs more to operate than newer counterparts. Unsupported, unpatched, and forgotten technology can be an entry point for malicious tools and services to mount an attack on your environment.
A Technology Refresh Policy can help enforce a district’s ability to decommission older technology and now allow it to remain just because it still works. A refresh policy can establish vocabulary, expectations, and life cycle management schedules that make it easy to replace aging technology while providing useful information for long-term budget planning. Involve your School Board in the approval of a refresh policy. Board approval and adoption gives leverage for budget negotiations.
Disaster Resiliency Planning
The most effective strategy against ransomware attack is resiliency -- the ability to bounce-back, to shift, to adapt, to continue. Resiliency is different from Business Continuity. While continuity keeps us going in the face of something like a power outage, resiliency keeps us going for a lifetime in the face of a constantly changing environment. It makes us nimble.
School districts should consider disaster recovery planning to instead be disaster resiliency planning. Plan for the ability to shrug off an attack. The importance of recovery time and recovery point objectives becomes shadowed by the existence of air-gapped redundant servers and laptops. Virtual snapshots of systems are easier and more effective than individual file backup in a typical disaster strategy. Spare hardware makes it easier to ignore or destroy infected hardware. Don’t waste time trying to recover; instead, be ready to simply shift, make adjustments, and keep moving.
It’s important to remember that Cybersecurity posture is a constantly changing and evolving target. There is no finish line. Starting small will enable a district of any size to grow its program and continue to build on a solid foundation.