Take these steps to carefully evaluate cybersecurity vendors--and if something seems too good to be true, it likely is

4 ways to avoid cybersecurity snake oil



For example, a vendor might say their offering can provide automated compliance to the Family Educational Rights and Privacy Act (FERPA). The reality is that there are still manual steps that need to be taken to get to the right level of compliance, even when it’s allegedly automated. There’s still hard work to be done and if a vendor makes it sound like you won’t have to lift a finger, they’re not being honest.

A quick tip: any vendor that tells you their “solution” for your cybersecurity needs solves all of your security concerns or challenges just doesn’t get it. There is no total or complete solution for cybersecurity, just points on a scale that lead you toward reduced risk.

3. Take into account your total cost of ownership over time.

There are some offerings out there that promise a wide range of incredibly sophisticated functions–and can actually deliver on them. Before purchasing such a system, consider whether it’s designed for education (and priced for it). If so, make sure you actually factor in the full cost of using it before going any further.

As an example, let’s say a school is evaluating a highly advanced product that helps gather log data and make sense of it. The school sees this great product, and makes a purchase. What they don’t realize until it’s too late is that sophisticated technology like this requires a very specialized set of skills to operate. They have neither the number of full-time employees they need, nor people with the right level of expertise to use it properly.

So, make sure you understand how many people will be needed to run a given product and what their skills have to be. Also keep in mind the costs of training and recertification, along with the opportunity cost of pulling staff away from their other duties in order to take care of these new ones. If you fail to factor all this in, you can end up with expensive products that can’t be maximized, and waste significant money and time.

4. Understand your contract terms.

Most everyone has done it: skimming through a lengthy contract, hastily initialing, and signing on the dotted line. Who has time to read all that, much less make sense of the Ts and Cs? Well… you need to.

Especially when it comes to cyber safety, your contract is essential:

  • First, find out how transactional the relationship will be. Will you have ongoing support, or are you on your own once you buy the software, tool, or product? Do you need to pay a premium support contract in order to get access to faster help? Is there an expiration date on the support you receive after a set term, requiring you to make a supplemental purchase for additional assistance? These questions have to be answered before you sign an agreement.
  • Second, make sure you understand the service level agreement (SLA) and costs. Does performing backups cost extra? What’s the divorce clause like? What assurances are given that any data provided as part of the service was stored properly (with lists of locations), destroyed properly (with details on methods used and attestations of completion), and within an agreed-upon timeframe after the engagement ends? Does it require additional payment, and, most importantly, who owns your data if you break up?

Your terms should all be clear, fair, and in your school or district’s best interest, so take the time to evaluate your contract before making a purchase. And, just like with a risk assessment, if a vendor balks because you have questions or suggestions for the agreement, run–don’t walk–away from the deal.

Final Thoughts

Remember that cybersecurity requires expertise and proper guidance. Whether it’s someone on staff who understands cybersecurity and is qualified to advise you on it, a third party or virtual chief security officer (vCSO), or a volunteer expert from your local university, make sure you have help from someone who has walked the walk and can talk the talk.

As you prepare your cybersecurity program, keep in mind that you should plan to reevaluate it each year. Gone are the days when we plan five years out, because technology is racing ahead at warp speed. So, keep this in mind as you evaluate vendors and make plans. It’s never easy to sort through security purveyors, but remember this: if something feels slimy, it’s probably snake oil.
