Technology alone isn’t enough to give schools the protection they need. Security products require trained staff to implement, operationalize and maintain them. Those staff members must also design reference architectures and update strategies and tooling as threats and technologies change.
Securing schools is a complex problem that demands innovation, technology, expertise and an openness to change. Education, like cybersecurity, is constantly evolving and requires people and products to do the same.
Balance K–12 Ed Tech Implementation with Teamwork
Focusing on innovation challenges the norm in a positive way.
I learned this firsthand as a technology buyer at Arizona State University, a school that has topped U.S. News and World Report innovation rankings for seven years running. I made an effort to avoid spending money on products that would just sit on a shelf, something IT execs call “shelfware.” It also became clear that purchasing technology without security was irresponsible, and ineffective at stopping breaches. We created a plan to fully fund both the technology and the expertise for any initiative we wanted to pursue.
When bringing in a new service, it isn’t enough to only buy the tools or to only hire staff without providing them the tech they need to do their jobs. Schools must commit to both: best-in-class security technology and people to implement, operationalize and enhance these tools as required.
At ASU, we implemented an IT rationalization initiative: Each year, we went through a list of every asset with a security implication, no matter where in the organization it existed. We followed these assets closely to ensure security features were implemented, and each year we revisited these crucial questions:
- Why do we have this software?
- What can we do to fully implement the licenses we have?
- Do we need more people to support this product?
- Do we need this technology?
- What do we need that we don’t have?
This type of process can give schools a broad view of security across the organization and allow them to adjust strategy as their needs and tooling evolve. It isn’t possible without the right products and expertise, which is exactly what today’s schools need to strengthen defenses.
As education institutions continue to face security threats, funding technology without proper protection is a recipe for disaster. Schools need security tools and trained staff to defend against advanced attacks.
Five Tips for IT Teams Working to Secure Schools
Creating a culture of cybersecurity awareness is essential to every school’s success. Within that risk-based approach — and the governance and architecture conversations that go along with it — a few key recommendations continue to prove invaluable as we build and maintain capable, effective security teams.
- Refocus your tech funding. Unlike larger organizations, schools often lack resources to acquire technology and build out enterprise-grade security strategies. Create an IT rationalization initiative with your team and examine the products you’re using. Are there opportunities to use open-source products instead of paid software? Is there space to reallocate existing funds to a tool that would provide greater value?
- Be ready to act. If an incident occurs, the only thing you can control is your response. Organizations are largely judged not by the attacker’s actions but by how they respond to a crisis. Put together an incident response plan; it is the most important step you can take as a security leader.
- Protect your identities. Secure service and admin accounts with multifactor authentication and adopt a zero-trust approach in which you verify each user before granting access to key systems and resources. Ensure only known entities can connect to your school’s environment.
- Practice good hygiene. Ensure software is properly configured, eliminate unnecessary software and stay up to date with the latest patches. Sometimes adopting software that’s easier to maintain is the best path to proper security hygiene.
- Control remote access. Avoid exposing Server Message Block (SMB) and Remote Desktop Protocol (RDP) ports to the internet, and restrict the use of remote access tools. Controlling remote access is a comparatively simple precaution, but it continues to be an area where schools and universities could improve.
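One way to check the remote access tip against a firewall rule export, as an added example that is not part of the original article. The rule format, the rule names and the list of internal address ranges are assumptions made for illustration.

```python
import ipaddress

# Ports behind the two protocols named in the tip: SMB (TCP 445) and RDP (TCP 3389).
RISKY_PORTS = {445: "SMB", 3389: "RDP"}

# Assumption: sources inside these ranges count as internal, everything else as internet.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample of inbound allow rules.
# Assumed format: name, protocol, source CIDR, port or port range
SAMPLE_RULES = """\
web-https,tcp,0.0.0.0/0,443
legacy-fileshare,tcp,0.0.0.0/0,445
helpdesk-rdp,tcp,10.20.0.0/16,3389
vendor-range,tcp,::/0,3000-4000
dns,udp,0.0.0.0/0,53
"""

def parse_ports(spec):
    """Return an inclusive (low, high) tuple for '445' or '3000-4000'."""
    low, _, high = spec.partition("-")
    return int(low), int(high or low)

def is_internet_source(cidr):
    """True unless the source network sits entirely inside an internal range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == i.version and net.subnet_of(i) for i in INTERNAL)

def find_exposed(rules_text):
    """List (rule, service, port, source) for SMB/RDP reachable from the internet."""
    findings = []
    for line in rules_text.strip().splitlines():
        name, proto, source, ports = [f.strip() for f in line.split(",")]
        if proto.lower() != "tcp" or not is_internet_source(source):
            continue
        low, high = parse_ports(ports)
        # A wide range such as 3000-4000 exposes RDP just as a single-port rule does.
        for port, service in RISKY_PORTS.items():
            if low <= port <= high:
                findings.append((name, service, port, source))
    return findings

if __name__ == "__main__":
    for name, service, port, source in find_exposed(SAMPLE_RULES):
        print(f"{name}: {service} (TCP {port}) reachable from {source}")
```

Rules that allow a broad port range are the ones most often missed in a manual review, which is why the check tests range membership rather than exact port matches.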
Schools face more cyberattacks than some other industries but often have significantly less funding to fight them. There are many cybersecurity resources and experts offering advice for anyone in the education space seeking to learn more about improving their security posture and responding to an attack.