In a 2022 survey, 72 percent of the participating school administrators responded that cybersecurity was either a priority or high priority for their district leadership and local school boards. However, only 14 percent of the respondents said their district was very prepared for a cyberattack event.
This alarming disparity between prioritization and preparedness is indicative of the cybersecurity challenges school districts are facing. As the Director of Technology at Maconaquah School Corporation, located in north-central Indiana, I know firsthand that implementing a proactive cybersecurity posture is a difficult and time-consuming, yet necessary, process. School districts are prime targets for hackers; therefore, we must be prepared.
In our own school corporation, we have adopted four key practices that enable us to continuously strengthen and advance our cybersecurity mitigation and prevention strategies.
1. Get Creative With Your Budget
Like many school districts, our IT budget has not increased to address the growing number and variety of cyber threats; in fact, it has stayed the same for the past five years. That can make it challenging to add new defenses, but we have found ways to strengthen our posture through strategic and creative financial planning.
One shift we have made is leveraging hosted and/or managed services to fill staffing gaps and eliminate expensive and unpredictable capital expenses. For example, we previously had an on-prem firewall solution that was managed by a former staff member. When they left, I made the decision to switch to ENA by Zayo’s hosted firewall so that I did not have to spend the time and money hiring and training a new employee who would likely leave after six months for a higher-paying job in the private sector.
To attain leadership buy-in for this new direction, I broke down the monthly costs of buying a new on-prem firewall solution and included estimated hiring, training, and repair fees over the lifecycle of the equipment. This enabled district leaders to see a side-by-side cost comparison of using a hosted, cloud-based firewall service versus an on-prem solution. Once they saw those numbers and realized the hosting service also included access to ENA’s team of security experts, they supported the decision to transition to a cloud-hosted firewall.
Evaluating technology and app usage is another way we are freeing up funds to support cybersecurity. With so much money being invested in educational software, it is critical to monitor whether teachers and students are using our paid learning tools. We regularly survey teachers and review usage data to assess and adjust our licensing. This enables us to free up budget dollars and reinvest these funds in proactive cybersecurity tools like DDoS mitigation. We adopt the same approach with infrastructure and network solutions, seeking out bundling and other cost-saving opportunities to free up funds we can use to support our cybersecurity strategies.
2. Find Trusted Partners Who Bring Additional Expertise and Support
With IT staff members stretched so thin, it is imperative to find great companies you can depend on to help you. I have five primary companies that I trust and who have a great track record working with us. Even if their pricing is a little higher, the benefits far outweigh the costs because they are reliable and responsive, they know the ins and outs of our network, and they understand our goals and objectives.
For example, we have been working with a company for 10-plus years, and they are very familiar with our IT environment. I asked their team over the holiday if they could update our firmware and upgrade our server that runs our application management and patches. Their team remotely completed the work in half a day, whereas it would have taken me much longer to finish those upgrades, and I have the peace of mind of knowing their experts took care of everything.
3. Train and Retrain
Most school districts have some type of cybersecurity training program in place for staff, but we are building a training culture centered around empathy and understanding. Teachers are busy. When they have 25 kindergarten students running around, and they get a spoofed email that looks like it is from a legitimate sender, it is easy to understand why they might accidentally click a link.
To address this, we have created training channels, including the following, to reinforce best practices with current staff and to onboard new team members:
- We hosted a “Know Before You Click” training campaign reinforced by monthly phishing simulations with built-in 30-minute cybersecurity trainings.
- We conducted a Little Phish Cybersecurity weekly video series that addressed cybersecurity issues in an engaging way and was followed up with a short written synopsis.
- We host a two-day professional development academy in the summer for teachers and staff.
Our training programs are always evolving to meet the needs of our staff, but the most critical factor is that the training never stops, and it never will. To be proactive, we must be diligent about educating staff members and ourselves about the very real threats that exist in today’s digital landscape.
4. Continuously Identify and Address Your Vulnerabilities
As with training, school districts should never remain idle when it comes to evaluating and addressing their vulnerabilities. We have spent the last few years identifying and fixing gaps in our cybersecurity posture and defenses. For example, when I became the technology director, I discovered every teacher had local administrative rights to their C drive. We have since removed those rights and corrected the issue, but those are the types of problems that can go unnoticed and leave a district’s network exposed. Conducting regular audits and evaluations has put our district in a stronger position, but the work is never complete. To be diligent, we must proactively assess our cybersecurity weaknesses and defenses regularly.
Unfortunately, hackers and cyberattacks are not going to go away. Until new funding opportunities are made available, K-12 schools need to reexamine their budgets and find sustainable ways to strengthen their cybersecurity defenses.