Cross-training his small IT team is crucial to his school’s cybersecurity, says Omar Valerio, CIO and CTO of Westminster Christian School in Palmetto Bay, Fla.

Jul 10 2024

Independent and Private Schools Address Unique Cybersecurity Threats

Cybercriminals might find independent and private institutions more attractive than public schools.

Westminster Christian School CIO Omar Valerio is so focused on cybersecurity that he’s essentially turned his office into his very own security operations center.

Two video displays mounted on his walls and four desktop monitors provide real-time views of network traffic and security monitoring tools that alert him to potential threats.

For Valerio, security is paramount because K–12 schools face a continuous onslaught of cyberattacks. Cyberthieves target schools because of the valuable student and employee data they house and because they view them as easier prey for ransomware, phishing and other attacks.


Among K–12 institutions, private and independent schools are particularly attractive targets because they charge tuition, offer financial aid and fundraise. So, they store an even greater amount of financial and sensitive information — a potential goldmine for hackers. As a result, Valerio says, rapid responses to cybersecurity incidents are critical.

For example, if a student clicks on a questionable website and downloads malicious code, security software notifies Valerio immediately. He calls the teacher in the classroom, who tells the student to bring the laptop to the IT department within five minutes for inspection and remediation.

“No one is immune to attacks, so you have to be proactive,” says Valerio, who is also the Florida school’s CTO and a Microsoft MVP. “I’ve put all these security barriers in place so when something triggers an alert, we are on it immediately. It doesn’t matter the time of day or day of the week. We are on it 24/7/365.”


Private and Independent Schools’ Cybersecurity Needs

To prevent data breaches, private and independent school IT leaders safeguard their IT infrastructure and computing devices just like their public-school counterparts: by taking a comprehensive approach to security through a mix of technology, policies and people. But, as with all schools, some do it better than others depending on their budget and tech expertise.

The more than 30,000 private and independent K–12 schools in the U.S. vary widely in size and budget. While some use government programs such as E-rate to fund technology, they predominantly rely on tuition and donations from alumni, nonprofit organizations, foundations and corporations.


Some independent and private schools can afford only one staff member to manage IT and educational technology for the whole school. Others, with deeper pockets, may have ample funds to hire a big IT team and deploy state-of-the-art technology and cybersecurity, says Ashley Cross, senior director of education and content at the Association of Technology Leaders in Independent Schools (ATLIS).

Independent and private schools face unique cybersecurity challenges because if their data is breached, they can suffer reputational damage, which could affect future enrollment, she says.

“Independent schools retain student records, but they also stay in touch with alumni for community building and donor relations,” Cross says. “So, they have to think about the lifetime records of constituents, which is a very different challenge than for public schools.”

Furthermore, independent schools with international students also have to adhere to other countries’ data privacy laws, such as the European Union’s General Data Protection Regulation, she says.

Private School Takes a Comprehensive Approach to Cybersecurity

Valerio, a cybersecurity architect and ethical hacker, does consulting work with private, independent and public schools to assess their cybersecurity posture. One big issue he sees is a lack of IT training.

Schools install data center hardware, but some don’t invest in professional development to ensure IT administrators know how to maintain the equipment. Some schools do not regularly install the latest firmware or software patches. He recommends that they do, but when he checks with them months later, many still haven’t done so.


“The problem is, when they get hacked, it’s too late,” he says.

At Westminster Christian School, Valerio practices what he preaches. He gets the budget he needs from the CFO and invests in security training and tools to develop the processes and procedures needed to protect the school’s IT infrastructure and data.

Data points from the Cyber Safety Report Card

 

He makes sure his four IT technicians are certified and trained to do each other’s jobs, including his; that way, if he’s in meetings or off campus, they can resolve cybersecurity incidents. Every month, he runs tabletop exercises so they can practice how to respond to attacks. 

Valerio has also trained faculty and staff to be hypervigilant. He uses KnowBe4 to test them with fake phishing emails. “Now, if emails don’t look right, teachers know to send them to IT immediately,” he says.

Westminster, which has 210 faculty and staff and 1,280 students from pre-K through grade 12, equips every student with a Microsoft Surface Pro. The school manages its own data center and uses a mix of on-premises and cloud-based software.

Valerio and his team install firmware upgrades monthly on hardware, and for device management, they have standardized on Microsoft Intune, which automatically installs software updates and patches on school computers.

Valerio also performs his own monthly penetration tests, and once a year, he hires a third party to run an independent pen test to find additional vulnerabilities.


For real-time security monitoring, he uses Cisco Umbrella — a cloud-based tool that monitors internet traffic and application use and secures users, endpoints and data — and Cisco Prime Infrastructure, which monitors the network. The school also uses Microsoft Authenticator for multifactor authentication, Sophos for endpoint security, and SonicWall firewalls and virtual LANs to segment user traffic.

“All of this is running constantly. If something tries to penetrate our barriers, we immediately get notified, and that’s how we stop it,” he says.

Independent School Looks to the Cloud for Advanced Protection

Good cyber hygiene starts with people, and that means providing faculty and staff with in-person and virtual training on cybersecurity, says William Stites, technology director at New Jersey’s Montclair Kimberley Academy.

Source: Association of Technology Leaders in Independent Schools, Cyber Safety Report Card, October 2023

Over the past seven years, the IT staff for the three-campus, 1,050-student, pre-K–12 independent school has migrated most core applications to the cloud to simplify management and bolster security.

“We’re just an IT staff of five. It’s not to say they’re perfect, but Software as a Service vendors can mitigate attacks better than we can,” Stites says.


But it’s important to vet cloud app vendors. Teachers and staff are not allowed to sign up for applications without the school’s approval. Stites and the school’s director of educational technology review every request to make sure the apps meet security requirements.  

“We need to know if teachers are exposing information by linking to documents or address books,” he says. “We need to look at those things because we are part of a connected whole where things overlap, and data accessed by an app could pose a real problem.”

Stites regularly hires a third-party security firm to audit his network. Every two years, he uses CDW’s Amplified™ IT services to audit the school’s Google Workspace for Education implementation and provide security recommendations.

“Google enables so many new features that it’s hard to keep up with all the changes,” he says. “Amplified IT ensures we are applying industry best practices to maintain privacy and data security.” 

Overall, Stites has taken a multilayered security approach that includes Sophos endpoint protection on student devices, but he realizes no school is invulnerable to cyberattacks.

“We are doing the best we can, from a technical and human perspective, to protect and secure our environment,” he says.

Photography by Sonya Revell