Cybersecurity has always been a high priority for K-12 administrators and staff, but with the rapid push to remote learning brought on by COVID-19, school leadership has had to consider how to educate through the lens of cybersecurity.
While school years are closing up for the 2019 – 2020 year, it’s still unknown what our learning environments will look like for the 2020 – 2021 school year. Let’s look at 10 things that K-12 schools must focus on – whether the next school year takes place in person on via remote learning.
1. Perform A Risk Assessment
You’re already doing risk assessments for severe weather, fire, or other types of crises and emergencies. Do the same for your technology resources. This will give you the visibility you need to identify areas of concern. Don’t be surprised if your assessment finds that you have more systems than you realized. For instance, many administrators are surprised to learn that computers are controlling other systems such as door locks or cameras.
2. Create and Maintain an Accurate Technology Inventory
The vast majority of districts don’t have an accurate inventory of their technology assets and contracts because they aren’t considering their hardware and software resources in addition to the third-party services with whom they’re contracted. Districts have to have a holistic view of all of these assets if they are to properly secure their schools and students.
3. Limit Unauthorized Access to Systems and Networks
Just like only certain teachers have access to certain student data, we need to make sure only authorized people are taking authorized actions on your technology systems. Also, remember – curious students might try to access systems they aren’t authorized to access. We want to encourage curiosity, but prevent it from turning criminal.
4. Continuous Security Awareness Training
Regular security awareness training – weekly updates, phishing testing, quarterly assessments – targeted toward students, teachers, staff, and administration is critical to keeping your systems and your people safe. By having an ongoing security awareness program, you create a “security-first” culture that reduces your risk of being attacked by a cybercriminal. Encourage your students, teachers, and administrators to apply what they learn both at home and at school. And remember that people are tired and stressed right now- they likely aren’t making mistakes maliciously so create a non-punitive program that teaches people where they have had a mis-step, rather than punishing them for it.
5. Maintain Secure Configurations for Systems and Networks
Systems patching is the top technical activity you can do to limit your cyber risk. A full 60 percent of breaches in 2019 were linked to vulnerabilities where a patch was available, but not applied. Patching and maintenance of systems should happen at least every week. Different systems release fixes at different times, so your district needs to create a schedule to consistently patch everything from hardware to operating systems to software.
6. Focus on Data Classification
Data classification, which has to do with data privacy and a clear definition of who has access to what, needs to be a focal point of your security program. By making sure you have a clear data classification process, you can limit who has access to what data and better protect your school and student data. This applies to third party vendor access, too – those systems your school uses such as PowerSchool, Kahoot!, Remind, and others.
7. Plan How to Respond to Cyber/ Information Security Events
Cyber events are inevitable, so you need to have a plan in place for how to handle them before they happen. Save time and effort by taking your crisis plans for weather events or fires and modifying them to address information security issues. Keep in mind that most districts don’t have the on-staff expertise to do incident response or sophisticated cybersecurity. When you’re creating your plan, identify partners that you might need to work with to identify and respond to an issue.
8. Perform Cyber and Information Security Assessments
Security assessments test your cyber and information security systems to ensure they are working. Just like you test new door locks, you have to test your information security programs. This is another area that having a third-party partner can be very helpful. Yes, your IT team can and should test your systems regularly. But having a partner run a stringent annual assessment is another layer of insurance that your systems are working.
9. Monitor Systems and Networks for Suspicious Activity
Monitoring is all about visibility – it tells us what’s actually happening on the network. Much like how schools usually outsource monitoring of their fire panel, network monitoring is an outsourced activity, so there is a cost involved. But, by monitoring and “seeing” what’s going on, you can respond faster at a reduced cost. Monitoring your network activity has to be a 24/7 activity; if you’re not watching the network at 2 a.m., it doesn’t count.
10. Use Multi-Factor Authentication Whenever Possible
How many of us have our Google email set up to require an extra PIN if we access it from a new computer? Hopefully most of us. This same level of security we use for our personal email is something we have to apply to our school systems, too. It’s called multi-factor authentication and it puts more ‘steps’ between the outside world and our sensitive data.
COVID-19 forced us into remote learning, which escalated our focus on our cybersecurity programs. While there is a lot to consider and do, it’s important not to be intimidated. Because schools already have plans and procedures in place for other emergency situations, prioritizing cybersecurity and cyber risk is something districts already know – just applied differently.