These days, it’s more likely than not that when you open your daily newspaper or scroll through your newsfeed, you’ll see coverage of a cyberattack impacting both businesses and consumers. Recently, a number of these attacks have been targeted toward school districts.
For example, Louisiana Governor John Bel Edwards declared a statewide emergency as a result of cyberattacks in several school systems throughout Louisiana. Along the same lines, the Syracuse City School District in New York was shut down for more than a week during a ransomware attack; and a similar incident in Baltimore earlier in 2019 cost the city more than $18 million in recovery efforts and lost or delayed revenue.
As cyber threats evolve and grow, it’s not a matter of if a cyberattack will happen but when. Or, it may have already happened to your district and you don’t know it yet.
Attackers are highly skilled at compromising an organization’s infrastructure, sitting on a network and waiting for a prime time to launch an attack.
Best practices
So, what can school districts do to prepare? Below, are a few cybersecurity practices every district should employ:
- Ensure that your organization is meeting the requirements of federal, state and local laws. Several states have recently passed legislation requiring certain measures to protect educational institutions from cyberattacks. One such measure is New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which goes into effect on October 23. The law requires organizations that maintain private information concerning New York state residents comply with expanded reporting requirements for notifying impacted parties in the event of a breach. New York State Education Law also requires multiple protections, compliance with the National Institute of Standards and Technology and Cybersecurity Framework, and has very significant parameters for vendor contract management, among other guidelines designed to defend systems from cyberattacks of all kinds.
As cyber threats evolve and grow, it’s not a matter of if a cyberattack will happen but when.
- Continuously train your employees and students. The cybersecurity industry shifts every 18 months to protect against hackers’ latest tools and tricks, but one of the biggest risks that remain constant is untrained users who don’t understand their roles and responsibilities in preventing an attack. Training goes hand-in-hand with IT solutions for comprehensive cybersecurity. All the cutting-edge software in the world can’t protect an organization that does not have a solid cybersecurity foundation built on a culture of responsible technology use. Employees—and in the case of school districts, student users—are the first firewall, but if they don’t know what to look for then it’s impossible to rely on them as a preventative measure.
- Perform a thorough risk assessment inclusive of an internal and external penetration test. Effective risk management extends beyond just cybersecurity, but your overall enterprise risk management activities should encompass identifying and addressing cyber-related vulnerabilities. Once those risks are recognized you can move on to developing a Computer Security Incident Response Plan (CSIRP).
- Implement and test a CSIRP. It is essential to establish clear processes and procedures proactively to help ensure you’ll be prepared to respond when (not if) an incident inevitably comes to light or occurs. Your CSIRP should be tested regularly with participation from both internal and external stakeholders to ensure everyone is on the same page in the event of a cyberattack.
Read: Ransomware targets more K-12 schools
The constant stream of cyberattacks in the news can be daunting, as can the thought of adequately preparing your organization for these threats, but the more action you take now, the more prepared you’ll be when a breach occurs and the better you can sleep at night knowing that you’ve taken all the necessary steps to mitigate risk and develop a thorough plan of action.
Take the opportunity at the start of this new school year to conduct a risk assessment, develop a CSIRP and train employees and students on the responsible use of district software and devices.
Carl Cadregari is an executive vice president for FoxPointe Solutions and the Information Risk Management Division of The Bonadio Group.
