In today’s world where hacking and other forms of cyber-attacks abound, it isn’t enough to simply expect that the IT staff has data security under control. According to the White House Council of Economic Advisors, in 2016, cyber threats costs the U.S. economy between $57 and $100 billion. The same document articulated that “cybersecurity is a common good.” Schools are not immune, and a recent review of a dark web marketplace by Flashpoint for access to compromised Remote Desktop Protocol servers proved that. Two-thirds of the server information available was from educational entities.
School district leaders needs to be proactive in asking the following questions to ensure that data security is being taken seriously. Are realistic safeguards in place to protect student and staff privacy? Can your district recover data in the case of an emergency or disaster?
Question 1: Are your password procedures up to speed?
Password and account security needs to be ramped up. Required password changes should be implemented at least each semester, if not every 90 days. IT staff are often hesitant to require such changes as staff grumble about this and take up a great amount of help desk time when changes are required. Leadership should try to insulate the IT staff from these types of complaints and at the same time ensure that strong password policies are in place. Passwords are moving toward a dozen characters and reQu1ring! the inclusion of capital letters, numbers, and special characters. Make sure no one shares their passwords with anyone—not even their trusted assistant.
Question 2: Do you have a procedure for when people leave?
Account security requires that when people leave the district, their accounts are deactivated. Imagine my surprise when I was a superintendent and received an e-mail from an internal account for a person who had retired more than five years earlier. In addition to retired employees, student teacher accounts and substitute accounts are the often-forgotten accounts that cyber criminals use to breach system security.
Question 3: Does each employee have access to only what they need?
Account security should ensure users have access to what they need and no more, even though it is easier to not have to restrict resources. Even IT staff should have accounts that don’t provide root or core access. Backup accounts with root access and a complete list of root passwords for all district resources should be maintained in a corporate safe. This is essential for data recovery and in case of the corruption or exploitation of staff accounts.
When possible, segment the district’s resources so instructional, financial, and personnel information are segregated. This makes it more difficult for students to reach the school’s business documents and also limits the ability of viruses and other bad actors from moving from student documents saved in portfolios and learning management systems and infecting payroll databases, for instance.
Question 4: Do you provide proper training at all levels?
One last thing is to ensure training about the user’s role in safeguarding resources is routine. Asking staff or students to review cybersecurity measures once a year is not often enough. Some schools offer incentives for staff and students to take part in regular training.
None of these procedures costs much money. However, none of the more expensive or sophisticated interventions will have an impact if a district isn’t able to maintain control over its accounts and ensure no one is using 1234 as a password.