End-User Support and Advanced Technologies Bolster K–12 Security

The Microsoft ecosystem also supports the district’s limited IT staff with its security capabilities. These features and analytics allow the team to focus on supporting the end users without having to constantly monitor for cybersecurity threats. From the early days of wondering whether they would have devices in time for remote learning, Nguyen has since built up the security measures at Orange USD through user training and advanced technologies.

Educating K–12 Staff on the Importance of Security

One of the first steps Nguyen took toward sophisticated cybersecurity in his district was educating staff. He started by sending out cybersecurity awareness messages to teachers and other staff members.

“The teachers have been teaching a certain way for decades. It was difficult for some of them to get on to email, and now we want them to do two-factor authentication and be cognizant of phishing attempts and fake HR emails,” he says. Following the introduction of the cybersecurity awareness campaign he implemented, “they started to have some visibility and some concern. That’s when we rolled out training. We rolled out MFA.”

Paige Johnson, vice president of Microsoft Education, says that educating users is important at all levels of K–12. Board members and administrators such as superintendents and CFOs need to understand that cybercriminals will target them because of their positions and the information they can access, she says. “Tell people, ‘We’re not doing multifactor authentication to torture you,’” she says.

Failing to educate administrators could cause tension between the board and the IT team. “When a school board member comes and says, ‘This is driving me crazy. Turn it off,’ that’s a lot of pressure on an infrastructure person who may say, ‘Oh, I guess I have to turn it off,’” she adds.

Creating an internal culture of trust can ultimately help schools implement zero trust. “Zero trust sounds so negative,” Johnson says. “Ironically, it requires extremely high trust and psychological safety. You want your general counsel, when they click on the wrong thing, to call the IT director and know it’s safe to say, ‘I think I just messed up.’ If it makes you feel better to get rid of the label, please do. The processes are still valid, even if the label makes you feel bad.”

DOWNLOAD THE INFOGRAPHIC: What is zero trust in K–12 education?

Using Advanced Technologies to Better Protect School Networks

As Orange USD’s IT department got users on board with security protocols on the front end, it also explored features running behind the scenes to keep networks locked down. Nguyen says that the consistency of using all Microsoft systems made security more manageable for his team.

“All of those Microsoft systems come back into the security center,” he explains. “We’re able to look at login analytics that show if people are logging in from different countries or different states, or they’re logging in from devices we’re not familiar with or into a website we’re not familiar with. On top of that, we have information on their email and analytics on that.”

“Those are things that would usually be in different systems. Now they’re all in one system,” he says.

While having a strong partnership with Microsoft has allowed Orange USD to integrate and improve its security posture, many other schools are still working to adopt the right tools for network security. Technology consultant Jill Pierce, who previously worked as a K–12 CTO for 30 years, highlights the ways many K–12 schools are approaching network and data protection.

“I always like to use the analogy of a farm fence: We can generally find the big holes where the cows are getting out,” Pierce says. “The problem is if there’s a small hole in the fence and just the baby cows are getting out. Schools are learning to look for those big holes. Now, it’s getting down to those specific things: finding the small holes and how to plug them and layer on top of them to make sure they don’t become a problem.”

When schools use advanced, automated technologies to monitor the network for threats, it’s like using a drone to check the fence line rather than walking along it for miles and miles. “In education, we’re looking at specific AI tools and monitoring devices that are constantly looking at traffic,” Pierce says. “So, I can use a drone to check the fence, but then I can also take that drone, set a point on the map, and have my brother-in-law go and look at the fence. It’s getting those alerts to the right people to check and see what needs to be done before it becomes a massive problem.”

MORE ON EDTECH: Schools look to cloud providers to secure their data.

Schools should make sure they’re taking advantage of these advanced technologies where they’re available. Johnson adds that schools often overlook components of their security dashboards, and encourages them to review the training modules that vendors have available.

“Make sure you’re looking at your tools,” she says. “We have built in a lot of systems that do the monitoring for you. We are deeply embedded with cyber units in Homeland Security, the FBI and the CIA, so we have signals that, frankly, even the largest districts can’t get, and we build that into our monitoring tools.”

For Nguyen, these automated tools don’t only better protect the network, they also give his IT team peace of mind. “Having these tools to help secure us is really something that alleviates a lot of stress and anxiety,” he says.