When it comes to cybersecurity readiness, McKaveney presented five questions that small districts and those with limited staffing and budgets should answer.
- Do we know what we have, what data we protect and where our biggest risks are?
- Are we using basic protections that prevent the most common attacks?
- Would we notice if something went wrong?
- What do we do if a cyber incident happens tomorrow?
- Could we recover learning and operations quickly after an incident or other disaster?
Identify Cyber Inventory and Risks
CoSN guidance recommends starting with an asset inventory and risk assessment to ensure cybersecurity efforts are directed properly to maximize investments. This could be as simple as a list on a spreadsheet or identifying assets via helpdesk software, McKaveney said.
Richard Platts, CTO of Allegheny Intermediate Unit in Pennsylvania, said data inventory is just as important as hardware and software inventory. Governance and ownership are a large piece of that. Data ownership is a three-tier system, he said.
“Think about your IEP [Individualized Education Program] management software,” he said. “I've always insisted that that data owner is the special education director. It's a named person who owns that data. They might not do the daily maintenance of that data or the data entry, but at the end of the day, they're responsible for the overall quality of that data to be able to provide services to students.”
The next tier down are the data stewards, the people responsible for the maintenance and fitness of the data, typically the IT team.
“Then you have a lot of other people down there, as general data users, who might be doing the day-to-day data entry or are relying on that data to do their job,” he said.
This way, when the time comes to conduct tabletop exercises, roles are already defined.
“Taking those steps is a lot of work, but it really pays off later on,” he said.
Ensure Basic Protections Are in Place
Districts don’t always need the most complex security measures in place. Often, basic protections are enough to keep assets protected, McKaveney said. Multifactor authentication, single sign-on, automated account provisioning and automatic updates on servers, endpoints and devices go a long way in keeping a network secure.
Platts acknowledged that IT teams often think MFA is going to be a controversial move, with teachers reluctant to download verification apps onto their personal devices.
“A lot of times, the technical part is the easiest part of our job,” he said. “It's having the conversation with human beings that can be difficult and is always the hard part. You have relationships that you need to manage with different groups of employees and must be able to have these conversations.”
However, Chris Smallen, CTO for Lenoir City Schools in Tennessee, said he found MFA deployment less disruptive than expected, noting that most staff already use it in their personal lives for various services. Rolling out MFA to students is the next step, which can be more challenging.
Detection Is Possible Without 24/7 Monitoring
Many districts discover security incidents only after they’ve occurred, which is why having detection tools in place is vital to preventing bad actors from getting in. This does not require a full security operations center, McKaveney said. Detection is about building habits and leveraging tools you already have.
Regularly reviewing firewall and email security logs can also identify troublesome patterns.
“This is an area where we find AI support to be pretty helpful, not so much in monitoring and surfacing alerts, but for the investigation and forensic part,” Platts said.
Incident Response Planning Can Be Simple
CoSN guidance recommends that districts, regardless of size, have an incident response plan in place. The plan can be simple, as long as it documents which parties should be contacted first, how to isolate systems and who communicates with leadership and other stakeholders. McKaveney noted that incident response plans are often required by cybersecurity insurance companies, so even the most basic plan will keep districts in compliance.
Platts said reflecting after incidents is equally important for his team.
“Having a workbook that you can go to, that's ready to go when you have an incident, is really critical,” Platts said. “It doesn't have to be complicated — What happened? When did it happen? Who was involved? Who responded, and what did they do?”
He also recommends writing a summary at the end of every day of a significant incident.
“My advice to anybody who's ever in any kind of incident is, write a memo at the end of the day,” he said. “I've never once regretted a memo that I sent to my superintendent at the conclusion of that day where I have an event. I've never regretted that time that I spent, even though you're exhausted, you will not remember it later on, so a summary at the end of the day, anytime you have any kind of incident, especially if it's an incident that you're going to talk about, is really recommended.”
