What Is OpSec, and How Can It Help K–12 Districts?

What Is Considered OpSec in Cybersecurity?

Operational security is the process of identifying resources, analyzing threats and vulnerabilities, and assessing risks and countermeasures, says April Mardock, CISO and operations manager at Seattle Public Schools.

In other words, OpSec comprises the actions people take to make themselves — and their cyber landscape — more secure.

How Does OpSec Benefit K–12 Schools?

Many K–12 institutions are seriously examining and strengthening their cybersecurity posture for the first time in response to the growing volume of attacks against schools. Implementing OpSec helps schools improve their cybersecurity in many ways.

“You’ll decrease the possibility of disruptions in service for the school,” Jiggens says. “With everything from point of sale in the lunchroom and the school store to the student information systems that hold all the PII for the students in the staff, denial of that service can cause huge interruptions to the school district.”

In the digitally driven landscape of modern K–12 education, an outage can affect all parts of a school’s operations, not just teaching and learning. Transportation, food service, communications, and heating and cooling all rely on the district’s network infrastructure. Evaluating the district’s security posture, possible vulnerabilities and planned countermeasures can help IT administrators lower the district’s overall risk. This not only keeps school systems online, but also increases community and staff confidence in district leadership.

“A big focus in this region as well, right now, is getting compliance with insurance companies to get better rates and better coverage,” Jiggens says. “Insurance companies are requiring districts to achieve certain cybersecurity levels to get certain levels or tiers of insurance coverage. So, if you don’t have a lot of cybersecurity in place, you’re going to get lower payouts when you’re hit by ransomware.”

What Are the OpSec Challenges Facing School Districts?

There are OpSec hurdles for school IT teams to overcome at almost every level of the process, but risk assessment can prove to be the most challenging as IT departments and administrators search for common ground.

Districts tend to focus on physical risks, Mardock says. “Cyber is often not seen as a life or safety issue, so it doesn’t get the same level of focus or resources.”

This makes it difficult to convey the importance of prioritizing OpSec to district leaders.

“Often, they don’t think of the education system as one of the main targets of threat actors,” Jiggens says. “And the threat actors have realized that we don’t have the same protections in place as the Fortune 500 companies, as the government, as these other entities that put a lot of thought and effort into cybersecurity.”

How Can K–12 IT Professionals Implement the OpSec Process?

The first step, Jiggens says, is to define what needs protection and determine how much effort and money will be put into protecting it. Then, IT leaders can use the OpSec process to improve their security posture. They can act on cultural, systemic and operational levels, Mardock says.

“At a cultural level, reward the ‘see something, say something’ attitude in staff,” she says. This includes making sure there are no punitive responses when a staff member reports spam, malware or other malicious content.

“At a system level, turn on every malware control you have: on your firewall, on your CIPA [Children’s Internet Protection Act] web filter, on your anti-virus, in your spam filter.” Despite K–12 schools’ limited resources, Mardock states that it’s better to manage false positives from these controls than to recover from an attack.

Jiggens recommends hiring a full-time cybersecurity professional or, for schools that are unable to have an expert on staff, “outsourcing to a third party to address cybersecurity specifically.”

DISCOVER: Outsource K–12 cybersecurity expertise with a vCISO.

IT admins should also evaluate their ongoing operations. When possible, multifactor authentication and narrow firewalls should be put in place to keep schools protected.

“By far the best countermeasure for most districts is MFA,” Mardock says. “I don’t think many people realize how many stolen passwords are out there. You’re nearly guaranteed to have a large number of passwords stolen, even if you rotate them regularly. MFA can keep those stolen passwords from being used to redirect payroll deposits, change grades or worse.”

For guidance on additional measures to put in place, K–12 IT professionals can consult the available cybersecurity frameworks from organizations such as the National Institute of Standards and Technology and the Consortium for School Networking.

“A good place to start are those program frameworks,” Jiggens says. “Start asking questions and helping your board determine what risks they’re willing to take.”

Finally, schools should be documenting their OpSec practices. “Then you have something to refer back to, to make improvements upon, and you also have a reference for auditors,” Jiggens notes.