Cybersecurity Roundtable: Protecting K-12 Schools from Bad Actors
EDTECH: Do you have or recommend having a dedicated cybersecurity expert on your team?
Bryan: We do. The state of Texas requires that each district have a cybersecurity officer who receives information and resources from the state.
Jackson: In 2019, Texas adopted Senate Bill 820, requiring schools to appoint someone as safety coordinator with specific expertise. Many districts fill this role with an existing employee or divide the work among several members of the IT staff. It can be difficult to find people to fill this role – there aren’t enough people trained in cybersecurity right now.
Bourgeois: This is the first year that we have had someone dedicated to information security. It is a sign of the times. This came from the realization that as we put more and more information in our data center and the cloud, we have an obligation, as gatekeepers of student learning, to do everything possible to protect their information. We also know, from COVID-19, that access to learning must be transparent.
Only: What’s interesting about K-12 is that most districts don’t have a lot of cybersecurity expertise. Unless it is a neighborhood of over 100,000 students, there is probably no CISO. I have two people on my staff who have computer security courses under their belt, but we also have technology partners who have super-skilled people, so our approach is to spend money on outside consultants as well as train our staff.
Feedback: Like most school districts, we struggle with staff. Having a full-time person is really hard to do, and for us it really doesn’t accomplish what we need. It is difficult to find a CISO because there are not enough of them. However, we have a managed service company for deposit security.
Krueger: It is difficult to answer this question for every district, especially those with fewer than 2,500 students. Either way, cybersecurity has to be a major responsibility for someone. In recent data that the CoSN collected from 120 school systems, more than 75% of the people questioned declared having a person in charge of cybersecurity; however, more than half of the respondents did not have a formal cybersecurity program supported by management.
EDTECH: Do you recommend investing in cybersecurity insurance?
Bourgeois: Yes. Our cybersecurity responsibility policy has just been renewed. Insurers are taking a closer look at their ability to recoup their investment and paying more attention to knowing the security status of their clients. We are under much more scrutiny. Kindergarten to Grade 12 must be prepared for insurers to ask tough questions.
Only: Yes. Our insurance company comes to us with an increasing number of demands. We do a really good job – we are complimented on what we do – but we could possibly not be good enough for cybersecurity insurers.
Feedback: Yes. This is an area where we are witnessing a radical change. A few years ago, getting insurance was as easy as answering a few questions. Now, not only is insurance more expensive, but we also have to answer several pages of in-depth questions about our checks, and the insurance company follows up on our responses.
EDTECH: What are your top cybersecurity priorities for the near future?
Bryan: Continue to educate users. We have good security devices in place, such as Sophos and cloud-based security, and we perform frequent backups in multiple locations. But educating everyone, from the principal to the youngest students, is most important.
Bourgeois: We just adopted Cisco Security Suite, and as an IT organization, we’ve made learning cybersecurity a priority. It is not just the role of one person, it is the role of each person. Cybersecurity must be part of the culture. One person will never make a dent with all of our cybersecurity needs.
Only: We started to network with local businesses, not necessarily from kindergarten to grade 12. For example, the Indiana State CISO runs a CTO community, which is essential in helping us network. A multinational pharmaceutical company does not have the same security needs as an elementary and secondary school, but its CTO can help us with enterprise-level security solutions.
Krueger: There is so much more vulnerability than before. Everything works over the network – the HVAC system, security cameras, lights and more. And as major local employers, schools store Social Security numbers, so they’re vulnerable to identity theft. Most importantly, schools, districts and our federal government recognize the importance of continued investment in cybersecurity.
Jackson: Through the Texas Education Technology Leaders Association, we are working to get more schools certified as Trusted Learning Environment. While the National Institute of Standards and Technology provides a framework of choice for many states, including Texas, TLE is designed for K-12 school districts, and I’m working with school cybersecurity experts to map NIST requirements to TLE. When I was the technical director of a large district, it took us about two years to get our TLE seal, which is average.
EDTECH: How do you deal with cybersecurity budget and funding issues with district administrators and the public?
Bourgeois: Much is confidence. The public trusts us, and that trust is invaluable. Part of the rationale for our budget is what would happen if we lost that confidence. It would be detrimental to all the other opportunities we have as a district. The less time we have in reactive mode the better off we are for what we want to do.
Bryan: There is a balance, of course, with security on one side and budget on the other. We are blessed in this regard. Our district has made a significant investment in cybersecurity. We have not yet hit a fundraising wall.
Only: Many organizations have cybersecurity information specifically for administrators. Nationally, there is CoSN, the Association of School Business Officials International, and the Association of School Superintendents. The Indiana K-12 Cybersecurity Task Force made presentations locally at the Indiana ASBO. When we chat with other non-IT admins, we try to keep a very high standard, but help them understand their role.
Feedback: Our administration and the public support the continued funding of cybersecurity. Our source of funding is part of a tax levy adopted seven years ago. Initially, the funding was primarily for physical security – things like building locks, access, and cameras. However, over time funding has shifted from physical security to cybersecurity.