Cybersecurity is a persistent headache across sectors, but the challenge is “compounded” for school districts due to limited resources and staffing, a lack of regulatory mandates, and the general complexity of K-12 IT systems, said Doug Levin, co-founder and national director of nonprofit K12 Security Information Exchange, or K12 SIX, during a recent webinar.
There are a variety of cyberattacks impacting districts, he said, including incidents involving ransomware, accidental data breaches by staff and third-party vendors, and phishing attempts targeting staff through email or text.
Even the major ransomware attack against Los Angeles Unified School District is not an atypical situation, Levin said, other than it’s impacting a district with such high enrollment. About 500 gigabytes of data was stolen from the nation’s second-largest district in September, and since then, roughly 250,000 LAUSD files were posted on the dark web, some containing Social Security numbers, contracts, W-9 tax forms, invoices and passports.
The LAUSD ransomware incident “is not even maybe an outlier in any other way compared to what we are seeing affecting schools across the country,” Levin said.
As districts continue navigating the looming risk of a cybersecurity incident, K12 SIX and technology leaders from Augusta County Public Schools in Virginia shared four best practices for schools to protect themselves now and in the future.
Create a security team
When Augusta County Public Schools hired Jeremy White as systems security administrator, one of his first requests was to form a security team for the district.
“Because my ideas on security are not the only ideas,” White said.
The group currently meets every other week to discuss issues that have come up since the previous gathering in addition to areas for future focus. Some measures the group has implemented include adding multi-factor authentication, enhancing email security, and completing an audit of the district’s Google Workspace.
This team has also completed an internal cybersecurity review to see what needs to be improved moving forward, White said.
Phase in multi-factor authentication
Districts can face several roadblocks to adopting multi-factor authentication due to technical or financial issues, Levin said. Another challenge to taking on this security measure is “getting buy-in” from the school community, from staff to parents.
District leaders already show a lot of support for security in Augusta County schools, White said. Additionally, Virginia is putting out a model cybersecurity framework for schools.
“That’s ammunition for us to go and say, ‘This is going to happen at some point. We need to implement it sooner rather than later,’” White said. “Why wait until we’re being attacked to start some of these things? And to their credit, [district leaders are] on board.”
On top of that, Augusta County schools implemented a tiered approach to start using multi-factor authentication, said Molly Shiflett, the district’s Instructional Technology Resource Teacher coordinator. The technology department began requiring multi-factor authentication for executive staff and then school building administrators, but those mandates have not reached teachers yet.
“I think that tiered approach has helped us roll that out and take baby steps with it,” Shiflett said.
Collaborate with instructional, district leaders
Blended learning with technology is “here to stay,” Shiflett said, so it’s important that infrastructure and security conversations are not siloed from instruction.
“Now they are so interconnected, it really takes working together to make sure we’re using technology in a way that is effective instructionally but also safe,” she said.
Additionally, engaging a district’s superintendent and school board on cybersecurity is “super important,” Levin said, given those parties’ roles in setting priorities and allocating funding.
“They will need to support the IT teams in doing the work to roll out new defenses that are going to affect other people across the district,” he said.
Vet new district technology
When working with third-party software vendors, the district is beginning to formalize a process where anything handling student data will have to go through the technology department first, Shiflett said.
This process will “ensure our due diligence with data privacy agreements,” she said.
Once a teacher tries to bring a new piece of technology into the classroom, it will have to be vetted by the technology department if the instructor wants to get reimbursed, White said.
“So unless you want to be paying for this out of your pocket, you need to get technology on board,” White said. “Vetting the security of the product — we’ve had some issues in the past that we want to prevent in the future.”