2. Emphasize the District’s Student Data Protections
Cybersecurity insurance companies are looking very closely at data and how schools are protecting it, said Rod Russeau, technology and information services director at Illinois’s Community High School District 99.
The risk assessment will include questions on how much data the school stores, how the data is protected and how the district is backing up the data. Student data is extremely vulnerable, and many applications now collect and store data, so IT leaders should understand where all the school’s data lives before answering risk assessment questions.
3. Document Simple, Actionable Policies and Plans
District leaders can also expect questions on their policies, including any districtwide privacy and security policies they have in place. The cybersecurity insurance companies want to know how schools are documenting policies for users prior to and in the event of an incident.
The companies also want to know if districts have plans in place and how these are documented. They will ask about business continuity and disaster recovery plans.
“Complexity is the enemy of security,” Russeau said about policies, borrowing the words of Bruce Schneier. “You can find plans like this online that are 250 pages long, but when you’re starting somewhere, it doesn’t have to be complex. Keep it simple.”
It can also be helpful to include information on compliance with laws such as the Family Educational Rights and Privacy Act (FERPA), among others, as risk assessments will frequently ask about compliance.
4. Implement a Layered Approach to Cybersecurity
When implementing cybersecurity measures, districts should consider a layered approach, as this will better protect district networks, which in turn keeps insurance premiums lower.
Deborah Ketring, CIO of Missouri’s Rockwood School District, said that her district is encouraging staff to use passphrases instead of passwords.
“We went to 16 characters, and they can’t reuse the same password that they’ve used within the past year,” she said.
While it’s keeping the district safer, “it’s been a little bit of a struggle for a lot of them,” she admitted.
Rockwood School District also implemented multifactor authentication with its tech staff through Cisco Duo. This adds another layer of protection to the district’s network.
“That’s something that insurance companies are looking for,” Ketring said. “As you see the questions, you can tell they’re going for that layered approach.”
5. Check Data and System Backups Regularly
Insurance companies will want to see not only that school districts have backups in place but also that these backups are tested regularly.
McLaughlin shared a cautionary tale of failing to test a device backup. “I only did this once, and it was a long time ago, but I backed up a machine and then I rebuilt it. But the backup didn’t actually work, and I hadn’t tested it,” she said. “The good thing is I knew how to handle somebody who burst into tears in my office.”
Risk assessments will ask whether schools are backing up business-critical systems and data weekly.
Ketring said schools should focus on a 3-2-1 approach, with three backups, two locations and one air gap.