Apr 05 2022

School Districts Turn to Outside Experts to Beef Up Their Cybersecurity Posture

School districts are contracting with friendly hackers to probe for vulnerabilities, plan incident response and run tabletop exercises.

When it comes to cybersecurity, what you don’t know can hurt you. That’s especially true for school districts, which are increasingly in the line of sight of hackers looking for a quick payday.

Since many districts don’t have all the necessary security expertise in-house, a growing number are turning to outside partners to strengthen their security posture and stop ransomware and other cyberattacks that can disrupt education.

Prosper Independent School District in Texas recently hired CDW•G to run penetration tests to find security vulnerabilities so the district could evaluate and take action to remediate them. CDW•G also developed incident response playbooks and ran tabletop exercises with the IT department, better preparing the district to respond to attacks and minimize their impact.

“The assessments, playbooks and tabletop test scenarios have been a tremendous asset to us. We are better prepared than ever before,” says Fernando De Velasco, Prosper ISD CTO.

School districts make tantalizing targets for cybercriminals because many don’t have the same budget, resources or personnel dedicated to cybersecurity as large corporations or organizations in other industries.

In fact, districts ranked cybersecurity as their top unmet need in a 2021 survey of 170 people by the Consortium for School Networking.

Click the banner for customized K–12 security content delivered to your dashboard.

Schools are fighting back by investing in more security resources, increasingly augmenting their IT staffs by turning to outside help to strengthen their cyber defenses.

“When IT teams provision security, they do all the things they know about, but they can overlook some things,” says Frank Dickson, an analyst in IDC’s security and trust research practice. “As humans, we fall into patterns and processes. We don’t think from an attacker’s perspective, so having penetration testing can verify everything you do and illuminate things you miss.”

Conducting Cybersecurity Drills for K–12 District Teams

Every year for several years, Prosper ISD in Prosper, Texas, has hired third-party security experts to run penetration tests. Last school year, the 20-school district took a more comprehensive approach by turning to CDW•G’s experts to not only perform penetration testing but also develop incident response playbooks and run tabletop exercises.

“We want to make sure we’ve done everything we can, so if something happens, we are in a good spot to handle it and resolve it quickly,” says Donna Eurek, the district’s network services director.

During the penetration test, CDW•G’s engineers tried to hack into the district network through internal brute force attacks. Afterward, they produced a comprehensive report on how the IT department could improve its security.

“We spent a lot of hours digging through the results,” recalls De Velasco.

Prosper ISD — which has one cybersecurity administrator on staff — learned that while the IT staff was good at regularly patching major applications such as Windows servers, it needed to do a better job patching less frequently used software across the district as well as documenting and disabling unused accounts, Eurek says.

At Prosper Independent School District, Cybersecurity Systems Administrator Ryan McGuire, Network Services Director Donna Eurek and CTO Fernando De Velasco use biennial assessments to better protect the district’s network.

At Prosper Independent School District, Cybersecurity Systems Administrator Ryan McGuire, Network Services Director Donna Eurek and CTO Fernando De Velasco use biennial assessments to better protect the district’s network.

CDW•G also developed six custom playbooks that provide step-by-step guidance and procedures on how to respond to and resolve incidents, such as malware, ransomware and denial-of-service attacks. “It’s a document we can grab to walk us through situations when things get critical,” Eurek says.

To test the playbooks, Prosper’s IT team ran two tabletop exercises — or drills — on how to respond if breached by ransomware and malware attacks. CDW•G’s security experts oversaw each exercise.

After the tabletop exercises, Prosper ISD’s IT staffers met and held a debriefing on what they learned and how they could do better. Overall, the tabletop exercises were good practice and a good investment, De Velasco says.

“The next time we do these exercises, we will learn more and be even more prepared,” he says. “It’s continuous improvement and money well spent, because it gives us peace of mind.”


The percentage of school districts that increased their cybersecurity budgets in 2021

Source: Consortium for School Networking, “EdTech Trends 2021,” August 2021

Creating a School District's Security Blueprint

In Oregon, the Beaverton School District hires an outside firm every two years to perform a security audit and penetration test to bolster its security.

The district, which has 54 schools, caught a security incident before it became a data breach in 2016. That prompted CIO Steve Langford to incorporate a regular cadence of audits as part of the district’s security protocols.

Each time, a third-party security firm spends many weeks analyzing the district’s security governance and risk compliance and running penetration tests from inside and outside the network.

“We have someone audit our practices and processes, and it becomes our blueprint for our IT security initiatives over the next two years, and then we have someone do it again,” Langford says.

After the first audit, Beaverton’s IT team learned it needed to do a better job securing the network from the inside and updating and patching software promptly and documenting the work.

TECH TIPS: These are the four phases of cybersecurity school districts must implement.

The second audit helped the district refine its security measures. The district, for example, recently removed administrative rights that formerly allowed teachers and staff to install software. This prevents them from unintentionally installing malware.

“That was a tremendous security threat and came out in our last audit,” he says. “It was one of the most important things we had to fix.”

He also hired one system administrator to take charge of cybersecurity, saying he feels fortunate that he has the budget to do so. Everyone in the IT department, however, collaborates to improve security and address issues found in the audits.

“It’s really a journey to maturity with regards to cybersecurity,” he says. “Our first audit gave us some really good things to do, and with the second audit, it was, ‘here’s the next level of sophistication to protect your systems.’”

Purchasing Technical Support Services to Manage Security

Outside experts can also audit specific software. Every two years, Bloomington Public Schools, which has 20 schools in Bloomington, Minn., hires CDW•G’s Amplified IT to audit its use of Google Workspace for Education to better manage user accounts and Chromebooks and ensure the district meets security and compliance requirements.

As a result of these recommendations, the district has adopted multifactor authentication for staff to improve security, says John Weisser, the district’s executive director of technology and information services.

Weisser is also part of an organization called Minnesota School Technology Leaders, in which the state’s school district IT leaders discuss IT and security issues and offer advice to each other through an online discussion forum.

Bloomington also augments its own IT team by purchasing support services for key hardware and software platforms. The district recently purchased the new Check Point Software next-generation firewall. Weisser bought a service contract so Check Point’s engineers can assist his IT staff when they have security questions or need to adopt major patches.

“The outside vendor expertise is super important,” Weisser says. “It allows us to be small and nimble operationally, but we can lean on them when we need to.”

LEARN MORE: The National Security Agency builds the next generation of cyber stars. 

Oleksii Syrotkin/Stocksy

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.