Security

Zero Trust Makes K–12 Schools More Cyber Resilient

Schools are more prepared to bounce back quickly from a cyberattack if they’ve worked toward zero-trust maturity.

Gary McIntyre is the managing director of cyber defense at CDW, focused on customer cybersecurity operations and defenses. He is a seasoned information security professional with over 20 years of experience focusing on the development and operation of large-scale information security programs.

Rebecca Torchia

Twitter

Rebecca Torchia is a web editor for EdTech: Focus on K–12. Previously, she has produced podcasts and written for several publications in Maryland, Washington, D.C., and her hometown of Pittsburgh.

K–12 schools expend a lot of resources to prevent cybersecurity breaches. Implementing effective security measures and training users on proper cyber hygiene is a good start to keeping attackers away from valuable student data. But all it takes is one person clicking on the wrong link for attackers to find a way to breach a school’s defenses.

This is when cyber resilience — the ability to prepare for, respond to and recover from cyberthreats and incidents — becomes critical. And zero-trust strategies improve a school’s cyber resilience.

Click the banner to learn how to improve cyber resilience in your K–12 district.

Zero trust helps to limit the potential impact of a cyber incident through constant verification of trust, making it a fundamental strategy for cyber resilience. However, the investment and effort to implement zero trust widely can be overwhelming. On top of that, schools face staffing challenges in their IT departments.

“Many districts have impossibly high device-to-staff ratios (some as high as 30,000 to 1), and some have zero dedicated cybersecurity personnel,” says April Mardock, CISO at Seattle Public Schools. “K–12 schools are gradually adopting aspects of zero-trust security, although the term is often defined differently across organizations. Many schools are embracing the deny-by-default principle, which assumes a breach has already occurred and aims to minimize its impact.”

If IT leaders and school administrators understand the concept of minimum viability for an organization, they can focus their investments in zero-trust strategies on those that will have the greatest impact.

Understanding Minimum Viability

In considering how to improve their cyber resilience, K–12 IT leaders should identify and prioritize key processes that must be maintained for the organization’s continuing operation. Maintaining these processes should be key in schools’ backup and recovery plans.

The result of this assessment is the minimum viable organization, a concept that accounts for how long the organization can operate without specific processes or options that may be available for fulfilling these needs.

For K–12 school districts, delivering education to students is the key function for minimum viability. Schools must be able to continue teaching, so tools that enable this are essential. This includes systems that keep students safe physically and online, as well as payroll systems that ensure staff members are paid. Districts with a high level of cyber resilience will be able to recover these systems quickly and effectively.

Organizations must focus their investments in cyber resilience on the steps that enable them to maintain minimum viability. Getting critical functions back on track is essential to enabling rapid recovery from a cybersecurity incident.

Many schools are embracing the deny-by-default principle, which assumes a breach has already occurred and aims to minimize its impact.”

April Mardock CISO, Seattle Public Schools

3 Ways That Zero Trust Supports Cyber Resilience

The progress that organizations make toward zero trust also improves their cyber resilience. Zero trust supports resilience in three important ways:

Limiting the blast radius: Zero trust makes it more difficult for an attacker to gain a foothold in a school’s IT environment. When an attack succeeds, zero trust limits the damage the cyberattacker can do before the attack is discovered, which speeds up recovery.
Promoting visibility: Zero trust requires organizations to have mature capabilities for identity and access management; for example, with tools such as multifactor authentication. This improves the visibility that IT teams have into the environment, making clear who is accessing specific data and systems. These visibility improvements help IT teams detect issues earlier, diagnose problems more quickly and provide a clearer picture of how to solve them.
Improving trust: During a cybersecurity incident, organizations lose trust in the integrity of their data and systems, and getting that trust back is necessary for a full recovery. Zero trust enables IT professionals to be very granular about trust so they can quickly confirm which parts of the environment are still trustworthy.

“Zero trust is crucial for K–12 schools due to the unpredictable nature of cyberthreats,” Mardock says. “With limited resources, schools cannot anticipate every possible attack vector, which includes vendor threats, student threats and internet-based threats.”

As a result, cyber resilience strategies are becoming important priorities for K–12 school leaders. IT professionals should consider the relationship between these and zero trust to optimize the impact of their investments in both.

UP NEXT: What is the state of zero-trust security in K–12 schools?

shapecharge/Getty Images