IT professionals have long protected K–12 students from network intrusions such as malware and data breaches. Now, they find themselves purchasing and maintaining technologies that stop physical intruders too. Hough spoke with EdTech about the ways physical security and cybersecurity work together in a modern education environment, K–12 leaders’ responsibilities, and what they should prioritize when resources are limited.
EDTECH: Why are IT professionals seeing more overlap between physical security and cybersecurity in K–12 education environments?
HOUGH: The adoption and dependence on technologies to deliver the educational mission is high, and we expect it will continue to increase over time. As schools think about adopting new technology, IT professionals are crucial to that conversation because often the adoption of those technologies can introduce or exacerbate security risks to schools on the physical security and cybersecurity side. Schools can’t give up protection for the sake of convenience.
When we think about the threat environment, we know that it’s evolving. It’s more diverse. It’s more sophisticated, and the threats are far less siloed. There’s greater potential for the impact of school safety and security disruptions to cascade to other functions within the school.
The overlap between physical and cybersecurity highlights the interconnectedness of schools’ systems and how that opens them up to hybrid or converging threats. For example, an internet outage or cyberattack could take down a school’s video cameras, communication systems and access control.
EDTECH: With more interconnectedness, what should schools be doing to keep staff and students safe?
HOUGH: It’s critical that schools take a layered approach to security. They need to have multiple layers in place to reduce single points of failure and build redundancy into the system.
The challenge for schools — with their limited time, limited resources and, often, limited expertise — is planning for the appropriate redundancies that will be needed. You need to have a diversification strategy in place. Schools have to identify what’s critical to keep young people safe in a real-world incident and to support their educational mission, then add redundancies and layers to that capability.
Fundamentally, if schools do the basics in each domain — locking doors as part of physical security, multifactor authentication as part of cybersecurity and so on — it really limits the possibility of those threats converging down the line.
RELATED: What solutions are available for schools struggling with multifactor authentication?
In each layer of their safety system, K–12 leaders need to think through what technologies, what people, what plans and what policies are in place. Further, they need to know how those work together at that layer of the safety system to help deter, delay and detect bad actors, and then how the layers work together and build upon each other.
EDTECH: How can schools build and reinforce those layers of security given their limited resources?
HOUGH: In a resource-constrained environment like schools, safety comes down to the four P’s: people, policies, plans and practice.
The first is people. Every adult in that school building is going to have a hand in safety at some level. It’s also collaboration with law enforcement, first responders and other community health partners. Establish a relationship with the FBI field office. Many schools partner with third-party remediators in the event of a cyber breach. Make sure you’re collaborating and communicating and that all the individuals have the correct training before an incident.
MORE ON EDTECH: Mobile incident command centers are equipped for school safety.
Second is policies. Schools have to develop and implement policies that reflect their strategies. For example, these policies may cover operating and monitoring different technologies and detail what actions should be followed if a threat is detected. Then, school leaders have to train the key people they’ve identified on those policies and protocols.
Third, schools need to have a plan. Having a plan in place is not only to implement these tactics and strategies, but also to know what to do before, during and after an incident. A plan can’t detail everything that might happen, but it does need to clearly identify everyone’s roles and responsibilities so that they know what to expect and when.
Finally, schools have to practice: Regularly test and assess the plans. Run vulnerability scans on systems to stay one step ahead of the bad actors, and analyze those results to close the gap. Update the policies.