As a professional in cyber security it is probably long overdue that I write this blog. There is a lot of misunderstanding and misinformation circulating with regard to cyber security in schools and school districts. That being said, I wanted to outline a few recommendations for reasonable actions schools could take to implement better cyber security posture. All of these recommendations are based on my experiences working with several large school districts in Indiana as well as Rosanna’s experiences in the classroom and working in edtech. To be clear, this blog is more targeted toward school IT staffs, administrators and school boards than individual teachers.
It is fitting to start by addressing the biggest challenge related to cyber for every school district across the nation. It is no secret that THE major concern within the tech industry is hiring and retention of knowledgeable technical staff. This is perceived to be the largest roadblock to success and it feels like every tech CEO is talking about it. The challenge is even harder for schools as districts are often working with extremely constrained budgets and amazingly complex environments. In every district I have worked with, IT staff are responsible for basically everything that uses electricity. Cyber security is only one responsibility alongside IT support for teachers and students, network monitoring, WiFi, website management, server maintenance, student information systems, patch management, application management, vulnerability monitoring, 1 to 1 rollouts, student information protection, emergency systems, communications systems and email monitoring. Suffice it to say, there is rarely time to make cyber security a priority and this challenge is only getting harder with advancements in edtech.
In addition to the aforementioned challenge, school districts often times have surprisingly complex environments. There are separate WiFi routers in most classrooms, a wide variety of student devices such as Chromebooks, iPads and mobile devices and hundreds of teacher workstations, routers, and infrastructural servers. Many districts have a single ingress / egress point with an Internet Service Provider (an access point to the internet). This typically means the amount of data coming in and out of that point is very large (an entire districts worth)! Given the challenge of small IT staff with way too many responsibilities and the complexity, diversity and size of their environments, here are three critical recommendations for school districts to get the most bang for the buck with regard to cyber security.
Use the Cloud Wherever Possible
I am not advocating for a district to run and manage their own cloud, but rather to use existing and reputable cloud services wherever possible. There are services that will host district websites (check out Wix or Squarespace) and secure student information all while providing management and updating for their own platforms. In most districts we have worked with, all data is organized into Student Information Systems (SIS) and Education Management Information Systems (EMIS). There are many potential providers for these systems as well, which would alleviate the stress and challenge of self hosting and securing all of that data. One prominent example is Clever. The return on investment for most of these cloud based systems is that even with a monthly or yearly charge, they are far cheaper than purchasing hardware and hiring additional full time staff to deal with all the headaches that go along with running, maintaining and securing district owned servers.
Outsource Network, Log and Endpoint Security
District IT staffs are already so busy there will likely not be time to implement the systems required for network security or log monitoring. Even if the systems are implemented there will not be time for IT staff to monitor the output and thousands of alerts generated by those systems. The most efficient and optimal solution for districts is to find a security partner and outsource the monitoring to them. A partner would be focused solely on security, have appropriately specialized staff and be able to communicate well with district officials. A security as a service organization will have the ability to monitor network and log based data for malicious activity 24/7/365. In addition to this, a quality security company will understand how to address some of the concerns with student privacy discussed in my previous blog on The State of Privacy in Edtech. In addition to all of this, a quality security partner will help navigate any future challenges as attacks get more advanced and district networks get more complex. Look for a company that has physical security operations centers (SOCs), a good balance of entry level and senior security analysts and a great reputation in the community.
Be Prepared to Respond
The complexity and challenge of cyber security across districts is only going to grow exponentially in the coming years and with this increased complexity and growth in capability, districts will more and more become a target for attackers. Most of these attackers will look to generate revenue by using ransomware or some sort of crypto coin mining. With inevitable security vulnerabilities, school districts need to have plans in place for how to respond when a breach occurs. An incident response plan is a critical component of any cyber security program and schools are no exception. How do you define an incident? Who needs to be involved from the district? Who needs to be involved from a legal and insurance perspective? Who is your technical incident response team? What are the timelines for identification of critical components and restoration of services? All these questions and more should be answered as part of your incident response plan. A quality security partner will be able to help any district form and enact an incident response plan.
No matter how districts approach the challenge of cyber security it is going to take some work and money to implement correctly. However, in many cases, there are resources available to help out. For example, my home state of Indiana recently placed a priority on cyber security services in public schools when the Indiana Department of Education in collaboration with the Department of Homeland Security announced a grant that would match some expenses for any district that outsources security services. Between grants like this and companies reducing costs for schools specifically (don’t be afraid to ask your security partner for a discount!), there is help from the budgetary aspect.
Cyber security in schools is not going to be a short term fad. Edtech, 1 to 1 and complex network environments at public K12 schools throughout the country are here to stay. Implementing a wholistic cyber security approach will be critical to protecting school systems and student information. As access to technology can help level opportunity across the board for all students, we cannot afford to lose confidence in cyber systems in our public schools.