Schools that are concerned about the expense of outsourcing cybersecurity services may be able to fortify security with features that are already available on their devices.
“When you have a computer with an operating system, in most cases there are some built-in security features,” Stine says. “Just having those turned on and functioning can go a long way in helping to maintain a more secure environment.”
Schools can take other steps to enhance their cybersecurity posture, such as strengthening user, device and application security controls and segmenting their networks to limit what an intruder would be able to access.
“Those technical rules you can put in place to control the type of access and the connections between different groups of people or technologies can help mitigate some of the challenges, or at least reduce the impact if there are issues,” Stine says. “Those are certainly protections school districts should have in place.”
DISCOVER: What is Ethernet VPN, and how does it benefit K–12 schools' cybersecurity?
3. Prepare for Potential Recovery Needs
If a cybersecurity incident occurs, schools must be ready to address it while also maintaining crucial network operations.
Some cyber insurance policies cover recovery assistance services from an external provider and can be worthwhile, Rose says, but he advises schools to be aware it won’t absolve all risk.
“You still have to maintain a reasonable level of security, and some insurance policies don’t cover things like ransomware,” he says. “Some don’t cover districts if they don’t meet a specific minimum level of security controls. Make sure you understand what the policy is, what it covers and what the expectations are of you.”
Putting a carefully crafted disaster recovery plan in place ahead of time — and being able to perform it in a timely fashion — is another vital aspect of ensuring your recovery efforts will be successful.
“We’ve seen schools with a disaster recovery plan in place that they’ve never tried out,” Rose says. “They don’t have the proper individuals identified. They haven’t figured out how they’re going to fund some of this stuff.”