5 best practices for starting a successful cybersecurity program
While there’s no question technology adoption creates powerful learning environments, it can also present significant security risks to teachers, staff, and students. According to Verizon’s 2017 Data Breach Investigations Report, the number of total security incidents in the education sector outranked both the healthcare and retail industries. It’s obvious that cybersecurity remains an increasingly dangerous threat that often gets overlooked when it comes to safety. This is partly due to limited school funding, strict budget factors, and a corresponding lack of IT support.
While cybersecurity is a constant challenge for any industry, the education sector has less resources and more at stake. School district networks house a variety of sensitive information on staff members, students, and students’ families, including credit card numbers, Social Security numbers, and sometimes even medical information, making K-12 schools a top target for hackers.
Data breaches and other threats
For example, in early January the largest school system in San Antonio, Texas, reported that it suffered a data breach last August, which exposed the personal data of more than 23,000 current and former students and staff. Ransomware is another common type of attack, costing schools thousands of dollars and significant downtime. In October 2017 an entire district in Montana was shut down for several days after hackers who dubbed themselves “TheDarkOverlord Solutions” threatened to release student, teachers, and school leaders’ personal information unless a ransom was paid.
But it’s not just cybercriminals that pose threats for schools—students are also guilty of misuse, with challenges ranging from device theft or loss to unauthorized application changes. Tech-savvy students have even launched distributed denial of service (DDoS) attacks, aiming to disable the network access and disrupt the school day to get out of a class or test.
Regardless of the type or severity of attack, it’s clear that K-12 institutions need to have a strategy in place for minimizing the potential of a security breach as well as a recovery plan for after one hits. While there is no one-size-fits-all solution for combating threats, investing in the right tools and crafting appropriate processes or procedures can significantly reduce their impact. For most districts, this decision comes down to technology budget allocation, but I urge administrators to consider the risks.
Here are five key best practices that I recommend to increase efficiency and foster a safe learning environment for students and staff.
1. Train and educate staff. Invest in training resources to make sure your IT department is knowledgeable and trained to safeguard the online safety of each student, family, teacher, and administrator. As technology continues to evolve, so will the number of risks and cybersecurity issues. You need to constantly refresh your IT staff on the latest policies, procedures, and compliance regulations to make sure they remain up to date. One way to stay up-to-date is by attending conferences, workshops, and summits focused on security topics. One of our customers also recommends hosting regular face-to-face meetings with the IT department staff and sharing relevant news articles.
2. Set strict guidelines and policies. As an elementary step toward protecting sensitive data, your IT staff must set clear usage policies and strictly enforce compliance with them. For example, you might require teachers to use school-issued smartphones that have security software installed. You’ll want to also closely monitor how students and staff use new products or apps, both on and off the school’s network. For example, one of our high school district customers issues a comprehensive policy for staff that outlines regulations for how technology should be used responsibly to support their teaching programs. The district also has an acceptable technology use document that students and parents are required to review and sign annually. Another one of our customers requires IT staff to talk face-to-face to with each seventh-grader before providing them with a district-issued device.
3. Backup sensitive data. With ransomware attacks on the rise, school districts should perform regular backups of all critical information to limit the impact of data or system loss. Ideally, this should be kept on a separate device and stored offline. One of our customers recommends performing full and incremental backups regularly using Data Domain for disk-based backups or SysCloud for the Google cloud environment.
4. Build an incident-response playbook. More schools and IT departments are integrating cybercrime response into their school’s crisis plan so that students and staff can be educated and prepared if and when a crisis occurs. These plans should serve as living documents that include initial response proposals as well as long-term plans.
5. Foster digital citizenship education. Teachers and parents must work together to highlight and enforce the 9 Pillars of Digital Citizenship with students. These pillars include information on basic digital literacy, rights and responsibilities, online safety awareness, password protection and appropriate usage. Not only should these guidelines be embedded into curriculum alongside technology use, but schools should also encourage constant dialogue with parents and students about the importance of being a good digital citizen. We regularly work with schools to kick-start digital citizenship campaigns across the community to help promote positive school culture and responsible technology use.
Seventy-five percent of teachers use technology in their classrooms on a daily basis, but with rapid technology adoption comes potential risks and challenges that cannot be overstated. While K-12 schools will continue to be a top target for cyber threats, focusing on basic cybersecurity practices and investing in the right technology and procedures will help prevent staff, teachers, and students from becoming victims of the next major data breach.