The start of school has always been a very stressful time of year for everyone involved in the K-12 space. This year it will prove to be more stressful due to the complexity of the pandemic as well as the reality of having to provide instruction both synchronously and asynchronously. On top of the instructional challenges, we are seeing an increase in the number of cyber attacks against K-12 school districts. The most recent and most public of these is Miami-Dade’s distributed denial-of-service (DDoS) attack.
For the third year in a row, CoSN’s (Consortium for School Networking) annual leadership survey ranks cybersecurity as the top priority for school IT leaders. Cybersecurity is defined as, “technologies, processes, and practices designed to protect networks, devices, programs and data from attack, damage, or unauthorized access.”
Many superintendents and school boards view cybersecurity as a “technology” issue and have very little understanding of their district’s current cyber posture. School districts, whether rural, suburban, or urban, should not believe that they are less of a target for cyber attacks. As it relates to cybersecurity, every school system needs to accept the new reality of, “It’s when, not if.” Given this new reality, cybersecurity needs to have shared ownership between the school board, superintendent, and IT department.
To formalize a shared ownership model there are five critical questions that need to be understood.
1. What is the district’s current cybersecurity risk profile?
Understanding what your current cyber risks are is the first step in ensuring shared ownership. To understand the current risks, here are some questions to ask.
- What is our cybersecurity technology infrastructure?
  - Hardware/Software/Monitoring/PD/Cyber Associations
- When was the last penetration test and what were the findings?
  - What remediation has been completed?
  - What remediation is outstanding and what is the risk with these items?
- What else are we doing to protect the district from cyber-attacks?
2. What type of cyber awareness programs are in place for employees?
Districts can spend a million dollars on cybersecurity but all it takes is one user on the network clicking a link and the entire infrastructure is at risk. Awareness programs should focus on helping your employees and students understand the cyber landscape and how to safely navigate this ever-changing world.
To understand the cyber awareness presence of your district, ask the following questions.
- Who owns it?
- Where is it occurring?
- How is it occurring?
- When is it occurring?
- What are the awareness topics?
3. When a cyber incident occurs, what is our incident response plan?
Incident response is the set of processes and procedures your district will follow when a cyber incident is suspected. What you say and when you say it is critically important. Too often the wrong people are talking about a potential cyber incident at the wrong time. There is a big difference between a cyber incident, a cyber breach, and a hack. To define and understand your incident response, here are some specific areas to investigate.
- Internally – School system employees/departments
- Externally – Public, press, law enforcement
- When was the incident plan last reviewed and by whom?
4. Do we have the right security talent on board or at the ready?
Staffing and budgets are being stretched to the limits, but ensuring you have the right security talent available when a cyber incident is suspected can mean the difference between one day and weeks of impact. I mentioned penetration tests above; one of the things I recommend is engaging the services of a group that conducts those tests throughout the year. They have a deep understanding of your infrastructure and, most importantly, they know your vulnerabilities. This external group can quickly assess any potential incident and put together a remediation plan. To determine the skills gap that might exist from a staffing/expertise perspective, here are some things to consider.
- Who do we have monitoring our cybersecurity footprint?
- Do we have the necessary skills in house to manage and maintain our cyber infrastructure?
- Do we have expert resources at the ready to come in and assist our technology team?
5. What is our risk profile?
When you have answered the above questions, a comprehensive risk profile can be established. This risk profile becomes the foundation on which all communication, budgeting and staffing decisions are based. These two questions are the final steps in establishing your district cybersecurity profile.
- Have we quantified our cyber vulnerabilities’ hard and soft costs?
- Do we have cyber insurance – and what are the specific terms?
Once these questions have been answered and understood by the superintendent and IT lead, there is a shared understanding and ownership of the district’s cyber profile. The next step is for the superintendent and IT lead to present this information to the school board (IN CLOSED SESSION!), rounding out the three-legged milk stool of shared cyber ownership.
It is at this point that the “district” understands its current cyber risk profile and has two choices: accept the risk or mitigate the risk. Either choice holds all levels of leadership (board, superintendent, IT) accountable for the decision and prevents finger pointing should a cyber incident occur.
Just like remote learning, this issue is not going away. In fact, I think it is only going to get worse. Cybersecurity is not a technology issue; rather, it is a district issue. It is important to not be forced into reaction mode should an incident occur. The steps outlined in this article will ensure that you, as a leadership team, successfully navigate the cyber incident chaos.
Lenny Schad is chief information and innovation officer of District Administration, and former CIO for Houston ISD.