3. Limit Unauthorized Access to Systems and Networks
Just like only certain teachers have access to certain student data, we need to make sure only authorized people are taking authorized actions on your technology systems. Also, remember – curious students might try to access systems they aren’t authorized to access. We want to encourage curiosity, but prevent it from turning criminal.
4. Continuous Security Awareness Training
Regular security awareness training – weekly updates, phishing testing, quarterly assessments – targeted toward students, teachers, staff, and administration is critical to keeping your systems and your people safe. By having an ongoing security awareness program, you create a “security-first” culture that reduces your risk of being attacked by a cybercriminal. Encourage your students, teachers, and administrators to apply what they learn both at home and at school. And remember that people are tired and stressed right now- they likely aren’t making mistakes maliciously so create a non-punitive program that teaches people where they have had a mis-step, rather than punishing them for it.
5. Maintain Secure Configurations for Systems and Networks
Systems patching is the top technical activity you can do to limit your cyber risk. A full 60 percent of breaches in 2019 were linked to vulnerabilities where a patch was available, but not applied. Patching and maintenance of systems should happen at least every week. Different systems release fixes at different times, so your district needs to create a schedule to consistently patch everything from hardware to operating systems to software.
6. Focus on Data Classification
Data classification, which has to do with data privacy and a clear definition of who has access to what, needs to be a focal point of your security program. By making sure you have a clear data classification process, you can limit who has access to what data and better protect your school and student data. This applies to third party vendor access, too – those systems your school uses such as PowerSchool, Kahoot!, Remind, and others.
7. Plan How to Respond to Cyber/ Information Security Events
Cyber events are inevitable, so you need to have a plan in place for how to handle them before they happen. Save time and effort by taking your crisis plans for weather events or fires and modifying them to address information security issues. Keep in mind that most districts don’t have the on-staff expertise to do incident response or sophisticated cybersecurity. When you’re creating your plan, identify partners that you might need to work with to identify and respond to an issue.
10 K-12 cyber must-dos
8. Perform Cyber and Information Security Assessments
Security assessments test your cyber and information security systems to ensure they are working. Just like you test new door locks, you have to test your information security programs. This is another area that having a third-party partner can be very helpful. Yes, your IT team can and should test your systems regularly. But having a partner run a stringent annual assessment is another layer of insurance that your systems are working.
9. Monitor Systems and Networks for Suspicious Activity
Monitoring is all about visibility – it tells us what’s actually happening on the network. Much like how schools usually outsource monitoring of their fire panel, network monitoring is an outsourced activity, so there is a cost involved. But, by monitoring and “seeing” what’s going on, you can respond faster at a reduced cost. Monitoring your network activity has to be a 24/7 activity; if you’re not watching the network at 2 a.m., it doesn’t count.
10. Use Multi-Factor Authentication Whenever Possible
How many of us have our Google email set up to require an extra PIN if we access it from a new computer? Hopefully most of us. This same level of security we use for our personal email is something we have to apply to our school systems, too. It’s called multi-factor authentication and it puts more ‘steps’ between the outside world and our sensitive data.
COVID-19 forced us into remote learning, which escalated our focus on our cybersecurity programs. While there is a lot to consider and do, it’s important not to be intimidated. Because schools already have plans and procedures in place for other emergency situations, prioritizing cybersecurity and cyber risk is something districts already know – just applied differently.