Risk assessments are awful, but necessary

Here are 5 ways to improve risk assessments in your district

Between 2021 and 2022, 56 percent of K-12 education organizations were hit by ransomware, a nearly 25 percent increase from the previous year. That’s a staggering number, and a clear indication that threats against schools are only getting worse.

While risk assessments are one of the best things a K-12 school can do to understand its cybersecurity vulnerabilities and be strategic about protecting against them, this critical tool is often avoided. After all, they can be absolutely awful to perform, taking up valuable time, involving confusing jargon and often not even seeming to solve any problems.

If this sounds familiar, there’s some good news. Yes, risk assessments are far from sunshine and roses. But you can get through them with less friction and pain, and ultimately improve your security posture, if you adhere to the following guidelines.

1. Get Specific About Risks & Tolerance

I’ll just come out and say it: most risk assessments are way more cumbersome and time-consuming than they should be. If you’ve tried to go through the process before only to find it’s draining you of weeks or months of your time, you’re doing the wrong assessment. It’s also entirely possible that the assessment at hand is written as a one-size-fits-all sort of deal, is too narrow (and not in a way that’s suited to you and your needs), or doesn’t seem to understand the unique nuances of working in an educational environment.

Your security priorities at a K-12 school will naturally differ from those of government entities or other organizations. As such, your risk assessment should be different too, tailored to your particular situations, risks, data types and even vernacular. As you begin to work through it, identify which aspects of cybersecurity are most important to you. For schools, this will usually be protecting student data. From there, you can determine your risk tolerance, which will then inform your strategy and plans.

2. Simplify the Language

Riddle me this: IT professionals conduct risk assessments, but administrators are typically the ones who read them. This sets everyone up for a disconnect in language, general frustration and subpar outcomes.

After all, how the IT person speaks about security gaps is going to be very different from how a principal or superintendent would. If the person with the authority to approve security measures doesn’t understand them, they’re less likely to be approved. Communication matters, so make sure your risk assessment is written by humans for humans, in language that matches a school setting – not a for-profit enterprise.

3. Loop in Others

Risk assessments must be thorough in order to be accurate, but this doesn’t mean that one person needs to shoulder the burden. In fact, the best assessments are done through teamwork. When you start an assessment, take the time to really think through who on your team is best qualified to answer a particular question or section. Delegate that part to them, along with a deadline of when you need it completed. Then, rinse and repeat for all other questions and sections. This will help expedite the completion of the assessment, and get you more comprehensive insights.

4. Understand How Compliance Fits into the Picture

As educational institutions, K-12 schools have to abide by particular rules. It’s likely that you’ve invested time and resources into becoming compliant with minimum standards related to regulations such as FERPA, but it’s important to note that this doesn’t satisfy your cybersecurity requirements. Compliance and security are not one and the same. So, make sure that you attain compliance as necessary, but then take the time to improve your security posture beyond that compliance baseline. It’s important to cover all your bases in order to protect your most sensitive data.

5. Define What’s Next

Finally, one of the most glaring issues with many risk assessments is that they end by pointing out a lot of security holes without offering guidance on prioritization or ways to fix them. Whoever conducts your risk assessment should share their findings and also take the time to provide a path forward for your school. They should keep in mind your biggest priorities, risk tolerance and available resources when helping you create a plan that is actionable and realistic.

When it comes to schools, cybersecurity is of utmost importance. Even though risk assessments have historically been terrible, they’re a highly valuable tool when administered properly. Make your school safer by conducting a risk assessment that has been designed for schools and that follows the tips outlined here. They still won’t be anyone’s idea of a good time, but they’ll be a lot more palatable – and help you protect your school and its sensitive data the way it deserves to be protected.

eSchool Media Contributors