IT professionals have long protected K–12 students from network intrusions such as malware and data breaches. Now, they find themselves purchasing and maintaining technologies that stop physical intruders too. Hough spoke with EdTech about the ways physical security and cybersecurity work together in a modern education environment, K–12 leaders’ responsibilities, and what they should prioritize when resources are limited.
EDTECH: Why are IT professionals seeing more overlap between physical security and cybersecurity in K–12 education environments?
HOUGH: The adoption and dependence on technologies to deliver the educational mission is high, and we expect it will continue to increase over time. As schools think about adopting new technology, IT professionals are crucial to that conversation because often the adoption of those technologies can introduce or exacerbate security risks to schools on the physical security and cybersecurity side. Schools can’t give up protection for the sake of convenience.
When we think about the threat environment, we know that it’s evolving. It’s more diverse. It’s more sophisticated, and the threats are far less siloed. There’s greater potential for the impact of school safety and security disruptions to cascade to other functions within the school.
The overlap between physical and cybersecurity highlights the interconnectedness of schools’ systems and how that opens them up to hybrid or converging threats. For example, an internet outage or cyberattack could take down a school’s video cameras, communication systems and access control.
EDTECH: With more interconnectedness, what should schools be doing to keep staff and students safe?
HOUGH: It’s critical that schools take a layered approach to security. They need to have multiple layers in place to reduce single points of failure and build redundancy into the system.
The challenge for schools — with their limited time, limited resources and, often, limited expertise — is planning for the appropriate redundancies that will be needed. You need to have a diversification strategy in place. Schools have to identify what’s critical to keep young people safe in a real-world incident and to support their educational mission, then add redundancies and layers to that capability.
Fundamentally, if schools do the basics in each domain — locking doors as part of physical security, multifactor authentication as part of cybersecurity and so on — it really limits the possibility of those threats converging down the line.
RELATED: What solutions are available for schools struggling with multifactor authentication?
In each layer of their safety system, K–12 leaders need to think through what technologies, what people, what plans and what policies are in place. Further, they need to know how those work together at that layer of the safety system to help deter, delay and detect bad actors, and then how the layers work together and build upon each other.
EDTECH: How can schools build and reinforce those layers of security given their limited resources?
HOUGH: In a resource-constrained environment like schools, safety comes down to the four P’s: people, policies, plans and practice.
The first is people. Every adult in that school building is going to have a hand in safety at some level. It’s also collaboration with law enforcement, first responders and other community health partners. Establish a relationship with the FBI field office. Many schools partner with third-party remediators in the event of a cyber breach. Make sure you’re collaborating and communicating and that all the individuals have the correct training before an incident.
MORE ON EDTECH: Mobile incident command centers are equipped for school safety.
Second is policies. Schools have to develop and implement policies that reflect their strategies. For example, these policies may cover operating and monitoring different technologies and detail what actions should be followed if a threat is detected. Then, school leaders have to train the key people they’ve identified on those policies and protocols.
Third, schools need to have a plan. Having a plan in place is not only to implement these tactics and strategies, but also to know what to do before, during and after an incident. A plan can’t detail everything that might happen, but it does need to clearly identify everyone’s roles and responsibilities so that they know what to expect and when.
Finally, schools have to practice: Regularly test and assess the plans. Run vulnerability scans on systems to stay one step ahead of the bad actors, and analyze those results to close the gap. Update the policies.
None of the four P’s demand additional resources today, but they’re about leveraging and optimizing the resources schools have. Any new technology is only as good as a school’s people, training and policies.
EDTECH: Speaking of new technology, how does artificial intelligence factor into what schools should be doing when it comes to physical security and cybersecurity?
HOUGH: So many more security solutions are using artificial intelligence. These include AI-based video cameras that have features that instantly trigger alerts, which can speed response time. AI cameras can also interpret sound, like glass breaking, even if it’s out of view of the camera. AI features also help monitor and regulate cyber risk; for example, helping to detect malicious links and phishing attempts.
DIVE DEEPER: Schools can prepare for artificial intelligence-backed cyberattacks.
AI tools can provide better detection capabilities. They can help schools be more proactive in managing and mitigating threats. They can provide predictive analytics that help school leaders make more-informed decisions in a resource-tight environment to better allocate those resources.
EDTECH: What’s the best advice you have for K–12 schools seeking to sharpen their security posture?
HOUGH: There’s a saying in school safety that if you’ve seen one school, then you’ve seen one school.
Every entity needs to consider its own unique position as far as its cyber and physical technologies, its people, and what its purpose and mission are. The principles of cyber and physical convergence, though, and how to approach that, largely remain the same. Schools need to be able to operate and monitor their environments effectively in a sustained way.
