Security

More Schools Are Considering Zero Trust. Here’s Why.

As cyberattacks and ransomware threats against K–12 institutions rise, more IT leaders are learning about the zero-trust cybersecurity model.

Tom Ashley

Tom Ashley is an education strategist for CDW Education. A former K–12 CTO, he holds a master’s degree in curriculum, technology and education reform.

K–12 environments are prime targets for hackers due to the sensitive information they hold and historically underdeveloped security measures. As a former K–12 CTO in Indiana and Georgia for more than 25 years, I saw many school districts dealt a devastating blow by cybersecurity breaches and attacks, many of which happened as the result of an overall lack of funding, awareness, support and staff expertise.

The COVID-19 pandemic only exacerbated the situation, as many schools leapt quickly into virtual learning environments, exposing more staff and students to vulnerabilities. Educators and IT professionals alike must now think about new security models alongside evolving instructional models. As a result, zero trust pops up more often as a topic of conversation.

Although zero trust was introduced in 2010 by John Kindervag, many school districts have not implemented this standard within their cybersecurity environments due to insufficient human resources, little available funding and a lack of zero-trust expertise. While zero-trust models might still not be prolific in school districts today, increasing awareness and support and implementing security layers are the best things schools can do to prepare for a future that will likely involve this approach.

Click the banner to curate your dashboard with cybersecurity content when you sign up as an Insider.

All Hands on Deck for Zero Trust

From a cybersecurity perspective, zero trust refers to a security posture based on the premise that every interaction or transaction begins in an untrusted state. For K–12 environments, zero-trust models close the security gaps on both sides of a school’s firewall.

The notion that a secure, hardened perimeter should protect everything inside the network no longer holds true; many districts learned this the hard way when they found themselves victims of successful cyberattacks.

When considering a zero-trust model, IT admins should remember that it must be a schoolwide initiative. When the entire school is involved, all departments and users operate with the same security standards in mind, which ensures the school is better protected on all fronts. Everyone on staff must understand the zero-trust approach.

Involving the entire school is important because breaches in schools tend to be initiated through phishing and social engineering campaigns that target educators or financial and human resources administrators with direct access to valuable information.

When considering zero-trust models, it is imperative to have the superintendent’s support. This helps get other staff on board with the initiative. Technology leaders also often report to superintendents.

Along with any implementation of a zero-trust strategy, schools must have reliable disaster recovery and backup plans. A dependable partner can help schools respond to incidents faster and more efficiently.

START HERE: What do K–12 schools need to know about Disaster Recovery as a Service?

Peeling Back the Layers of Zero Trust for K–12

It’s important for schools to recognize that a zero-trust model is a multilayered approach to protection. It involves budget, people, endpoint protection, identity management, data center protection, backups and disaster recovery plans, firewalls, network monitoring, cloud security, and more.

Schools building awareness around zero trust will want to focus specifically on insurance, budget and support.

K–12 districts must meet compliance standards and maintain insurance in case of attack. This means carefully evaluating their cybersecurity budgets.

Bringing in certified and skilled professionals to support the initiative, either by hiring them or accessing them through a partner, is crucial to maintaining and following best practices for zero-trust models. It’s not effective to introduce the rigor and thoroughness that come with a zero-trust strategy if the people tasked with implementing and maintaining it are not supported or trained.

CDW can help K–12 schools evaluate their security posture and offer guidance on implementing the layers of zero trust in a school environment. IT professionals can reference many frameworks to create their own zero-trust approaches.

The Consortium for School Networking provides a framework for establishing security plans at all levels of a school district, from the school board and superintendent all the way down to the teachers and students. The National Cybersecurity Center of Excellence also has a good framework to reference, and schools can also look to the National Institute of Standards and Technology’s 800-207 framework for information.

It’s important for districts to understand that zero trust is not a magic wand. It’s a complex, matrixed security framework that utilizes a variety of solutions and best practices to look at security through a different lens and, hopefully, achieve a safer outcome for all.

This article is part of the “ConnectIT: Bridging the Gap Between Education and Technology” series. Please join the discussion on Twitter by using the #ConnectIT hashtag.