This column is part of an ongoing series. For previous installments, click here.
The best advice comes from those living it. With that in mind, K-12 Dive asks a group of superintendents, principals or other administrators each month for their insights and best practices on top challenges facing public schools.
For this month’s question, we asked five district tech leaders: "With high-profile cyberattacks against school districts on the rise, what should district administrators be prioritizing as safeguards?"
Director of technology and media services at Newton County School System in Georgia
The people part is the biggest issue we have with security. Putting things in place such as multifactor authentication for your users is definitely one of those things to try to help keep your network and systems as secure as possible. One of the other main pieces is definitely to have your data backups in place. An off-premise, in-the-cloud backup solution is definitely going to be key for any type of system.
The way we are now in K-12 — I don’t want to be doom and gloom, but we can’t keep up with all the bad actors that are out there and the way they are attacking. There’s not enough manpower and there’s not enough financial resources to keep up. So we can put structures and resources in place to try to keep things secure, but we also have to look at it from the aspect of making sure we can get everything back to normal as soon as possible if we ever are compromised by ransomware attacks or any bad actors that are out there.
We can make it as secure as NORAD [North American Aerospace Defense Command] if we wanted to, but it’s that balance of the users having access to what they need when they need access to it, and also protecting that same information at the same time. That’s that tightrope that we as CIOs, CTOs, tech directors have to always walk — that fine line between security and accessibility to our end users.
Chief information officer at Wichita Public Schools in Kansas
There are so many factors weighing on districts today. One is how to handle risk and keep up with the rising demands of cybersecurity insurance. This one is tough because you end up implementing security features to staff instead of with them.
Another one is a lack of resources — and as most districts are in the middle of a hybrid or cloud [deployment] journey, it is a moving target to supply the necessary resources to make sure not only your data is good both on-premise and in the cloud, but in the transmission of such.
Through all of that, I think the most important is the digital literacy and citizenship of the end user. If we can help our users be more mindful and aware of how they operate digitally, our organization as a whole operates better and with more security.
Director of technology at Neshaminy School District in Pennsylvania
Districts need to start to look at the resources they do or do not have in place in securing their network. As staff learn these new skill sets, no compensation is even considered. Most upper admins think this is just part of the current job scope.
To combat these silent issues, you need to run a 24/7 shop. When and if something does occur, it is almost certain that no one understands totally how it happened and what will be needed to eradicate it. As we all know, it only takes one person to bring it all down.
You need a knowledgeable person dedicated in knowing your network structure, what they are looking for, and how to be proactive in making changes to your network to combat what can change from day to day.
We are in a technology boom, in that everything is being created and used on a network [with] many more entry points as we continue to add more and more network devices. IT understands the need to make something convenient and using technology to make that happen. But asking staff just to install [multifactor authentication] is just not convenient. The pressure that is put on IT directors to keep staff and students safe is monumental and we’ll only get the blame when something does happen.
Chief technology officer at Lakota Local School District in Ohio
There are so many lenses I could answer this through, and this is certainly not a complete list, but it all starts with establishing and underscoring a districtwide commitment and adequate funding to continually and systematically improve the district’s cyber stance, including:
- Training, updates, cyber/data security alerts for all staff, and more specialized training for technology staff.
- Right-sized cybersecurity-focused staffing resources and/or partners.
- Proven deterrents and mitigation solutions (i.e., multifactor authentication, endpoint and data loss protection, network/systems segmentation and monitoring, asset management and scanning, access management, regular backups, etc.).
- Collaboration with other districts on what is working and what is not.
- Efficient, centralized patching aligned with cyberalerts and vendor releases.
- Alignment with industry recognized controls and groups like CISA [Cybersecurity and Infrastructure Security Agency].
- Incident response creation/testing aligned with policy.
- Cyber insurance.
- Regular third-party security assessments and resulting adjustments.
- The capacity and willingness to continually learn, grow, adjust and support each other while simultaneously supporting instruction and operations.
Director of technology at Quakertown Community School District in Pennsylvania
I strongly believe all the software and hardware in the world will not protect against a poorly designed network, so I would always advise to begin with what you can change. In many cases, this is zero cost — unless, of course, you need engineering support that you may not have capacity to do in-house.
Diverse and segmented networks are a critical key in protecting us. Identify each device/user/purpose and ask, “What if?” What if a student from network A was compromised? What is now vulnerable? Now, identify what changes can be put in place to “lock” that [network] down so those devices only do the bare minimum of communication they need to.
Most student devices need no network access except for outbound internet. They do not need to see your internal infrastructure at all, so don’t allow it. I would repeat this process for all types of devices — especially [Internet of Things]. Limit IoT devices to vLANs based on vendor, and only allow what they need.
Plan for the event: What if you are breached? I would advise for a business continuity plan including redundant data centers and cloud-based options if you can afford it. In the event you may be down, can you create a remote cloud-based environment to allow for basic business functions to continue? Planning is extremely important and, although very tiresome work, running through situations and having a framework to put into action is key for a fast response.