Oct 05 2021

Cybersecurity Roundtable: Guarding K–12 Schools from Bad Actors

As K–12 schools become fast-rising targets for cyberattacks, six IT experts discuss strategies for protecting their networks.

With a growing number of cyber incidents targeting K–12 schools, it should come as no surprise that cybersecurity is a top priority for IT leaders and administrators across the nation. In the Consortium for School Networking’s most recent EdTech Leadership Survey Report, respondents confirmed that “cybersecurity and the privacy of student data are the top two technology priorities.”

At the same time, the report found that only 54 percent of K–12 IT leaders surveyed have high confidence in their ability to handle a cyberthreat.

However, adequate cybersecurity preparation is a key part of any IT leader’s role, and bad actors never take a day off. Between 2019 and 2020, there was a 19 percent increase in ransomware and other cyberattacks targeting K–12 schools, according to the Multi-State Information Sharing and Analysis Center.

In the second half of the 2020-2021 school year, incidents such as data breaches, ransomware attacks, meeting invasions and denial of service attacks jumped 60 percent, according to the K-12 Cybersecurity Resource Center.

To get a sense of how school districts were approaching the increased threat level, we reached out to six experts in the trenches: Michelle Bourgeois, CTO of the St. Vrain Valley School District in Colorado; Kevin Bryan, technology director at Henderson Independent School District in Texas; Pete Just, chief operations and technology officer for the Metropolitan School District of Wayne Township in Indiana; Craig Larsen, information systems administrator for Eastern Carver County Schools in Minnesota; Frankie Jackson, director of strategic initiatives for the Texas Education Technology Leaders; and Keith Krueger, CEO of CoSN. Here’s what they had to say:


EDTECH: Would you say that your IT team is ready to effectively head off a cybersecurity attack today?

Bryan: I’m not going to be bold enough to say that things are perfect. Cybersecurity is a process. We have to be vigilant.

Bourgeois: Anyone who believes they have everything in place to prevent a cybersecurity breach is woefully misinformed. And anyone who thinks they’re totally unprepared is also probably wrong. I think it’s somewhere in between. We’re perpetually more ready than we were the day before.

Just: I think cybersecurity readiness is something where you’re never quite done. We’re aware of the biggest issues and address them as best we can. A lot has changed in the past year. Bad actors have a take-no-prisoners approach, attacking schools, pipelines and hospitals.

Larsen: We’re constantly reviewing where we are in our plan. Things are changing all the time. It’s not a one-and-done process, not even close.

Krueger: Heads of administration and technology are very concerned about cybersecurity. The irony is that when you get into specifics, school leaders often overestimate how secure they are.

86%: The percentage by which school security breaches are expected to rise in 2021 compared with 2020, according to MS-ISAC. (Source: washingtonpost.com, “The Cybersecurity 202: Schools are another prime ransomware target,” July 12, 2021)

EDTECH: Do you have, or recommend having, a dedicated cybersecurity expert on your team?

Bryan: We do. The state of Texas requires each district have a cybersecurity official that receives information and resources from the state.

Jackson: In 2019, Texas passed Senate Bill 820, requiring schools to assign someone as a security coordinator with specific expertise. Many districts fill this role with an existing employee or divide the work among several IT staff members. It can be difficult to find people to fill this role — there aren’t enough people with cybersecurity training right now.

Bourgeois: This is the first year we’ve had someone dedicated to information security. It’s a sign of the times. It came from a realization that as we put more and more information into our data center and the cloud, we have an obligation as stewards of student learning to do everything we can to keep their information safe. We also know, from COVID-19, that access to learning has to be seamless.

Just: What’s interesting in K–12 is that most districts don’t have a lot of cybersecurity expertise. Unless it’s a district of over 100,000 students, there’s probably not a CISO. I have two people on my staff who have IT security coursework under their belts, but we also have technology partners who have super-credentialed folks, so our approach is to spend money on outside consultants as well as training our staff.

Larsen: Like most school districts, we struggle with staffing. Having a full-time person is really hard to do, and for us, it really doesn’t accomplish what we need. It’s hard to find a CISO because there are not enough of them. However, we do have a managed service firm for security on retainer.

Krueger: It’s hard to answer that question for every district, especially those with fewer than 2,500 students. Regardless, cybersecurity needs to be a major responsibility for someone. In recent data that CoSN collected from 120 school systems, more than 75 percent of respondents said that they had a person responsible for cybersecurity; however, more than half of those responding didn’t have a formal cybersecurity program supported by leadership.

EDTECH: Do you recommend investing in cybersecurity insurance?

Bourgeois: Yes. Our cybersecurity liability policy just came up for renewal. Insurers are taking a deeper look at their ability to recover their investment and are more diligent about knowing the security status of their customers. We’re under much deeper scrutiny. K–12 needs to be ready for insurers to ask hard questions.

Just: Yes. Our insurance company is coming to us with an increasing number of requirements. We do a pretty good job — we get complimented on what we do — but eventually we might not be good enough for cybersecurity insurers.

Larsen: Yes. This is an area where we’re seeing a dramatic shift. A few years ago, getting the insurance was as simple as answering a couple of questions. Now, not only is the insurance more expensive, but we also have to answer several pages of in-depth questions about our controls, and the insurance company follows up on our answers.


EDTECH: What are your top cybersecurity priorities for the near future?

Bryan: Continuing to educate users. We have some good security appliances in place, like Sophos and cloud-based security, and we do frequent backups in multiple locations. But educating everyone — from the superintendent to the youngest students — is the most important.

Bourgeois: We just adopted Cisco’s security suite, and as an IT organization, we’ve prioritized learning about cybersecurity. It isn’t just one person’s role, it’s every person’s role. Cybersecurity has to be part of the culture. One person will never make a dent with all of our cybersecurity needs.

Just: We’ve started to network with local businesses, not necessarily in K–12. For example, Indiana’s state CISO leads a community of CTOs, which is critical for helping us network. A multinational pharmaceutical company doesn’t have the same security needs as a K–12 school, but their CTO can help us with enterprise-level security solutions.

Krueger: There is so much more vulnerability than there used to be. Everything runs on the network — the HVAC system, security cameras, lights and more. And as major local employers, schools store Social Security numbers, so they are at risk for identity theft. What’s most important is for schools, districts and our federal government to recognize the importance of continuous investment in cybersecurity.

Jackson: Through the Texas Education Technology Leaders association, we are working on getting more schools certified as a Trusted Learning Environment. While the National Institute of Standards and Technology provides a framework of choice for many states, including Texas, TLE is tailored for K–12 school districts, and I’m working with school cybersecurity experts to map NIST requirements to TLE. When I was a CTO for a large district, it took us about two years to earn our TLE seal, which is about average.


EDTECH: How do you handle budget and cybersecurity funding concerns with district administrators and the public?

Bourgeois: A big part of it is trust. The public trusts us, and that trust is invaluable. Part of the justification for our budget is what would happen if we lost that trust. It would be detrimental to every other opportunity we have as a district. The less time we have in reactive mode gets us in a better position for what we want to be doing.

Bryan: There’s a balance, for sure, with security on one side and budget on another. We’re blessed in that respect. Our district has made a significant investment in cybersecurity. We haven’t hit a wall in funding yet.

Just: Many organizations have cybersecurity information that’s specifically geared toward administrators. Nationally, there’s CoSN, the Association of School Business Officials International and The School Superintendents Association. The Indiana K–12 Cybersecurity Task Force has made presentations locally to the Indiana ASBO. When we’re speaking with other non-IT administrators, we try to keep it very high level, but help them understand their part.

Larsen: Our administration and the public support ongoing funding for cybersecurity. Our funding stream is part of a tax levy passed seven years ago. Initially, the funding was primarily for physical security — things like building locks, access and cameras. However, over time, the funding has shifted from physical security to cybersecurity.
