DA op-ed: 4 steps to mitigate cybersecurity risks
You don’t need to be a cybersecurity expert to understand the potential consequences of a data breach—financial loss, damaged reputation and even closure in some instances.
Yet many K-12 school systems, as well as colleges and universities, lag behind in comprehensive cybersecurity solutions to protect their sensitive data. Education leaders need to take a proactive role in driving cybersecurity efforts within their institutions to mitigate attacks from both inside and outside sources.
Here are the steps leaders can take to protect their network and safeguard their institution’s data.
Step 1: Assess where you are and what you have to lose
The first step to improve cybersecurity measures is for leadership to understand the school’s current risks and vulnerabilities through a comprehensive security assessment, which can be completed in-house or by a third-party advisor. The assessment will shed light on the data the school collects and maintains, as well as how it’s stored, and any backup systems in place. It will uncover missing or weak protocols related to passwords, needed software updates and firewalls. If a school is subject to any compliance requirements, an assessment will determine adherence to them.
Step 2: Manage your risks
An assessment provides information about a school’s vulnerabilities, but that knowledge is only the first step. Education leaders need to look at the results and understand the risks in order to prioritize them and start working through mitigation strategies. In many situations, schools can:
- Change or stop the activity causing the risk. For example, schools can require passwords to be changed every 90 days. One caveat a practitioner would raise here: current NIST guidance (SP 800-63B) advises against forcing periodic password changes on their own, recommending instead that passwords be screened against known-breached lists, that multi-factor authentication be required, and that a password be changed when there is evidence it has been compromised.
- Implement measures to continue the activity, but decrease the risk associated with it. For example, schools can make sure that security updates are applied promptly and that no unsupported software remains on the network.
- Contract with a cyber insurance provider to secure a policy that fits their needs.
Step 3: Prepare for the worst
Regardless of whether a data breach is due to an internal mistake by an untrained staff member or a targeted outside attack, education leaders need to be prepared to respond appropriately to mitigate further damage.
The best way to prepare is by developing a documented, flexible incident-response plan that outlines exactly what needs to happen after an incident. As reputation is important to educational institutions, they must be able to quickly respond to a situation in a competent manner.
The incident-response plan should also indicate who is on the incident-response team; that is, the individuals who will come together after an incident, as well as the roles they will play and actions they will need to take immediately.
According to the Ponemon Institute’s “Cost of a Data Breach Study 2018,” having an incident-response team was found to be the No. 1 way to lower the cost of a breach—which averages $148 per breached record. Having a team was found to reduce the cost of each breached record by $14.
A strong incident response team will include individuals from the following functional areas:
- risk management
- information technology
- human resources
- board of directors
- advancement (if applicable)
Step 4: Practice ongoing cybersecurity training
When it comes to protecting data, internal stakeholders need to be the first line of defense. Often, staff members and faculty are unaware that seemingly innocent actions, such as opening an unexpected attachment or reusing a password across accounts, could open a door to expose sensitive data and have an irreversible and detrimental effect on the school. Therefore, cybersecurity training is crucial, but it’s not just a box to check off. Rather, it must become a comprehensive and ongoing part of an institution’s culture, in which everyone understands their role in protecting data from malicious attacks. Education leaders need to lead the charge and set an example for the importance of cyber training. In the Ponemon study, conducting cybersecurity training reduced the cost of a breach by an additional $9.30 per record.
While it’s not possible to eliminate all risks, education leaders need to realize that protecting against cyber risks is a top business priority, and that there are steps they can take to mitigate the most damaging effects of a breach.
George Breeden, a certified association executive, leads the Nonprofit & Association Practice at Hartman Executive Advisors. Hartman is an independent technology leadership and advisory firm that works to align institutional goals with IT strategy.