Question 2: Do you have a procedure for when people leave?
Account security requires that when people leave the district, their accounts are deactivated. Imagine my surprise when I was a superintendent and received an e-mail from an internal account for a person who had retired more than five years earlier. In addition to retired employees, student teacher accounts and substitute accounts are the often-forgotten accounts that cyber criminals use to breach system security.
Question 3: Does each employee have access to only what they need?
Account security should ensure users have access to what they need and no more, even though it is easier to not have to restrict resources. Even IT staff should have accounts that don’t provide root or core access. Backup accounts with root access and a complete list of root passwords for all district resources should be maintained in a corporate safe. This is essential for data recovery and in case of the corruption or exploitation of staff accounts.
When possible, segment the district’s resources so instructional, financial, and personnel information are segregated. This makes it more difficult for students to reach the school’s business documents and also limits the ability of viruses and other bad actors from moving from student documents saved in portfolios and learning management systems and infecting payroll databases, for instance.
4 simple questions school leaders should ask about #cybersecurity
Question 4: Do you provide proper training at all levels?
One last thing is to ensure training about the user’s role in safeguarding resources is routine. Asking staff or students to review cybersecurity measures once a year is not often enough. Some schools offer incentives for staff and students to take part in regular training.
None of these procedures costs much money. However, none of the more expensive or sophisticated interventions will have an impact if a district isn’t able to maintain control over its accounts and ensure no one is using 1234 as a password.