Cybersecurity Planning: 10 Steps to Readiness
Blog post by Michele Israel based on this edLeader Panel
Education ranks high among industries where cyber incidents and threats occur frequently. From DDoS attacks to ransomware to malware encounters, school districts are at increased risk for harmful and costly security breaches that wreak havoc on systems and programs across departments.
In the recent edLeader Panel, “Cybersecurity Readiness in K-12 Schools,” K-12 technology officers and cybersecurity specialists shared cybersecurity readiness and mitigation strategies that could help districts boost their security efforts.
The COVID-19 pandemic led to a greater appreciation for 1:1 technology. But, with more students relying on digital resources came more cyber threats. Districts and schools know that preventing cyberattacks is a must, but challenges impede the headway they might make.
Insufficient technology budgets, higher rates of cybersecurity insurance pre-breach, struggles to update infrastructure and years of legacy equipment and processes are among the obstacles to effective cybersecurity in schools and districts.
Then there’s the human side of things. People are tired of yet additional protections, like the often-dreaded multi-factor authentication. Others worry that cyberattack-prevention actions could have more significant consequences than a breach.
There are crucial questions in educators’ minds: How can schools train every person part of the security and risk landscape? How can they educate students where they are with their technology usage? How can they harness and organize data that will inform cybersecurity methods?
The biggest concern: Where to start the cybersecurity planning and implementation processes.
What’s Happening Now and What’s Best Moving Forward
Many schools and districts have begun to tackle cybersecurity risks and events.
Some are getting a handle on their tech inventory, such as existing physical assets, software (not just approved tools and apps but all that students and staff bring and log into while in school), working on incidence response plans and protecting against and responding to ransomware—albeit all being done slowly and not always with a structured process.
The goal for schools and districts should be forming teams that come to a consensus on strategic, actionable steps to create a solid plan.
Readiness First and Then a Plan
Security and technology will become more complicated over time. Both weave their ways into every facet of the school and classroom. Therefore, protecting against cyber threats and attacks is essential.
So, where to begin? The panelists recommend taking the following 10 steps to establish cybersecurity readiness to lead to successful planning.
- Focus on business. Cybersecurity is a business problem, not a technical one. School districts protect their business needs, balancing educational and technological demands. Take a deep look at the landscape to be protected. Identify the assets, the software, how access controls are set up, who can get to what, etc. to develop a good plan and understand the highest risk.
- Identify all existing technology and where it lives. Don’t just look at approved apps and devices (and those that have been locked down). Pay attention to everything people bring into the organization, which tech audits often unearth.
- Initiate basic security measures. Run a vulnerability scan to identify weaknesses and flaws in systems and software. Then do a penetration (pen) test, which allows an analyst to enter the network to explore the holes the scan uncovered. It’s also essential to set up multi-factor authentication (which insurers now require).
- Establish partnerships. Work across departments and stakeholders for readiness planning. A solid plan requires different people managing and talking to different audiences (from teachers to leaders). Colleen Hoy, Director of Product Management at Education Networks of America (ENA), said to view security as a “team sport” that calls for internal and external players to be accountable to cybersecurity measures and commit to the long-term work those measures require.
- Create awareness. All members of the local educational community—from district cabinets to the school board—must be aware of cybersecurity risks and their impact across the organization, from teaching and learning to finance and human resources. Superintendents should be at the forefront of cybersecurity conversations.
- Establish a culture of understanding. Leadership should recognize that security is part of everybody’s job—it’s not just an IT problem! Everyone across the organization must accept that there could be a gap or a hole somewhere, or even human error, that has disrupted security.
- Respond positively. Balance fear with awareness. Set a tone for a positive culture, even when delivering bad news. A leader who speaks the truth without emotion about a breach is better positioned to heighten people’s understanding of and prevent cyberattacks. Awareness can generate some fear, but fear might be necessary, for example, when student data are revealed and sold. Or worse, their identity is stolen. It’s also vital to monitor reactions when someone clicks on something they shouldn’t or responds to a phishing email. And it’s OK to say no to a tool or app that was once used but now is deemed unsafe.
- Communicate effectively. The internal and external community needs to know when a breach occurs. That takes thoughtful strategy. Decide who will talk to the various stakeholders: the parents, teachers, media, police, insurance company, state bureau of investigations and other involved parties. What will the public message be? What are the legal ramifications of words used? Should there be a response on social media? Can teachers post about the incident?
- Learn about broader cybersecurity trends and practices. Join groups, such as InfraGard, to see what security leaders from different sectors do.
- Build trusting vendor relationships. Avoid partnerships with companies that want to sell a product. Vendors should be committed to K-12 education and the safety of staff and students. They must be willing to have conversations about effective practices and processes relevant to a district’s specific situation rather than pitching a new, shiny object as the fix.
It’s hard enough to realize that cybersecurity is a risk districts must contend with. And it seems like a huge challenge to tackle. Encouraging readiness among critical stakeholders might take some time but will ultimately lead to an efficient prevention and protection plan that keeps everyone safe across the organization.
Join the Community
CTO Tech Talks is a professional learning community on edWeb.net where technology leaders can gather together to share and explore best practices, challenges, and successes in advancing learning with technology.
ENA delivers transformative technology solutions supported by exceptional customer care. We work with our customers to engineer high-capacity and future-ready connectivity, communication, cloud, security, and data analytics solutions to education institutions and libraries across the nation.
CoSN (the Consortium for School Networking) is the premier professional association for school system technology leaders. CoSN provides thought leadership resources, community, best practices and advocacy tools to help leaders succeed in the digital transformation. CoSN represents over 13 million students in school districts nationwide and continues to grow as a powerful and influential voice in K-12 education.