As Cybersecurity Costs Rise, How Can K–12 Schools Ratchet Up Protection on a Budget?

K–12 Schools Band Together to Boost Buying Power

Located just outside Dallas, the Region 10 Education Service Center is one of 20 ESCs in Texas, which provide a wide variety of services to districts throughout the state. Region 10 serves more than 847,000 students across 120 entities in North Texas, about half of which are considered “small,” says CTO Chad Branum.

Region 10 districts typically have a technology professional on staff, but that person may fill dual roles, and most schools lack a dedicated IT security professional. Larger districts are starting to fund such positions, Branum says, but cybersecurity remains a tall order for one person to manage.

That’s where Region 10 comes in, extending local resources with the buying power of high-volume purchases. By negotiating on behalf of multiple districts, Region 10 can secure enterprise-quality solutions at a fraction of the price that districts would pay on their own.

RELATED: Get answers to commonly asked E-rate questions here.

Endpoint protection is a case in point. When district leaders reported that endpoint security was a major concern, Region 10 worked with CDW to deploy CrowdStrike to the districts that wanted it.

“It gives them the industry-leading endpoint protection solution, regardless of their size,” says Branum. “That shows the power of what a service center consortium effort can do.”

Sharing resources is a great strategy for both consistency and cost savings, says Amy McLaughlin, cybersecurity project director for CoSN.

“When you pool resources, you can make sure that a group of districts are all using a supported, unified set of tools,” McLaughlin says. “A group of districts may also be able to share a few security people or a virtual CISO.”

North Texas Schools Build In Resilience to Protect Against Ransomware

Region 10 also helps member districts strengthen their security in other ways. When districts reported that distributed denial of service attacks were a problem, the ESC came up with a solution: a massive network that connects more than 70 districts across 110 circuits, says Information Security Manager David Mendez.

“It has a 200-gigabit connection that can scale up to a terabit, and it’s all protected,” he says. “So now you have enterprise-grade DDoS protection, whether your district has 800 students or 60,000 students, at an affordable cost.”

That network is the backbone for other Region 10 services that districts can use, including Firewall as a Service and Backup as a Service.

“We built a lot of resilience to help districts should a ransomware attack happen,” says Mendez. “That was layer zero, and now we’re building on top of that.”

DIG DEEPER: Learn more about Backup as a Service and why schools should consider it.

This layered defense helps reduce the siloed solutions that districts might implement on their own, says Branum. “All of those other pieces ultimately come together to craft a more holistic solution for our districts,” he says.

Meanwhile, the ESC partners with industry-leading experts and solutions to provide 24/7 monitoring for 15 or so participating districts — thereby filling another crucial gap, Mendez says.

“You can get bond money and find the best equipment, but who’s going to look after it?” he says. “We said, let’s create a solution that affordable for K–12 schools and also enterprise-grade.”

The security operations center’s experts also review districts’ incident response plans to ensure that local teams know how to respond when a breach occurs.

“Our approach as a regional service center has been to find those offerings that can fill a lot of gaps and adding best-practice layers into the portfolio to help mitigate risk as much as possible,” says Branum.

Virtual CISO Provides Valuable Security Insight

When Tom Nawrocki became the executive director for IT at the Charleston County School District in South Carolina, one of his first moves was to hire two separate consulting firms to perform penetration tests, six months apart, to evaluate the network. They weren’t expensive, but they were extremely valuable in terms of insight, he says.

“That really catapulted us into knowing what needed to be addressed and what didn’t,” he says.

Nawrocki tried to hire a CISO, but like many districts, found it tough to compete with the private sector. Eventually, he engaged a virtual CISO instead.

LEARN MORE: How virtual CISOs eliminate cybersecurity staffing gaps.

“He helps me prioritize what the security landscape is shifting toward and how we should adjust our goals,” says Nawrocki. The virtual CISO also supports planning efforts, including incident response and disaster recovery.

Frequent vulnerability scanning is key to Nawrocki’s arsenal of cost-effective defense. The virtual CISO runs the scans and prioritizes results for Nawrocki’s team to address.

“He takes all of that off of me and my team,” says Nawrocki.

Increasing the scans carried an initial cost, but it has drastically reduced the number of issues that Nawrocki’s team must manage. “Because of that, I don’t have large events,” he says. “I’m also catching things earlier.”

Building a Security-Minded Team from the Inside Out

Overall, Nawrocki’s goal was to make security part of the culture. At first, that was a paradigm shift, especially for engineers who had never focused on security, but Nawrocki knew he needed a security-minded team.

That’s a smart strategy, says McLaughlin. “Hire people who are connected to the mission of education and who have the skills — but maybe not as much experience — and train them,” she says.

Now, Nawrocki’s team consists of a strategic combination of internal and external people.

“I’d never have just one person who is my go-to guy for all things security,” he says. “I have multiple people whom I trust, who know enough about my system that if I’m ever in trouble and one of them is not available, I can pick up the phone and call the others.”