Listen to the article 4 min

This audio is auto-generated. Please let us know if you have feedback.

CHICAGO — Small school districts are perhaps the most vulnerable to cyber incidents due to their limited budgets and resources. 

But whether it’s increased vulnerability to cybercriminals looking to exploit the valuable student and staff personal data on-hand or a natural disaster that takes down an entire network, there are key steps that technology leaders in these school systems can take to protect those assets, regardless of finances.

“Disruptions come in many forms. Last spring, we had a huge storm come through. It wasn't a tornado, but it was, like, multiple tornado paths just throughout the whole county,” Ed McKaveney, technology director at Hampton Township School District in Pennsylvania, told attendees during a Wednesday session at the Consortium for School Networking’s annual conference. “We ended up having no power for however many days, plus no internet for the rest of the week after we had power restored.” 

No matter what shape a cyber disruption takes or the size of a school district, however, there are steps that can be taken to be cyber-ready. To ensure the basics are covered, McKaveney and his co-presenters — Richard Platts, chief technology officer of Allegheny Intermediate Unit in Pennsylvania, and Chris Smallen, chief technology officer of Lenoir City Schools in Tennessee — recommend a five-point model.

• Identify. Have you at least done a basic risk assessment? This can start with doing an audit to build an asset inventory and management database. Whether it’s a spreadsheet or a full inventory system, “you have to know what you have,” said McKaveney.
• Protect. Are basic protections in place to prevent the most common attacks? This includes multifactor authentication, single sign-on and cloud-based backups — and making sure end-users actually use them. ”We can come up with all the technical solutions we want in the world, right? A lot of times the technical part is the easiest part of our job,” said Platts. “It's having the conversation with human beings. Human beings are squishy and difficult and always kind of the hard part.”
• Detect. Would you notice if something went wrong? This is an area where using artificial intelligence-based support can be particularly helpful, said Platts.
• Respond. What do you do if a cyber incident happens tomorrow? Who is contacted first? What systems are isolated? Who communicates with leadership and families? “You don’t have to have a detailed plan. You just have to have a basic plan,” said McKaveney.
• Recover. Could you recover learning and operations quickly after an incident or other disaster? Prioritizing backups for critical systems is key here, as is mapping out which systems — like the student information system and transportation system — are brought back online first. Leaders should also focus on minimum viable recovery time over full system rebuilds and test their restores at least once a year. “Never underestimate the value of a fire drill,” said Platts.

Take advantage of free and shared resources

Resources are available to help fill gaps for tech leaders in districts with limited budgets, the presenters said. A variety are offered by CoSN, including:

• EmpowerED superintendent one-pagers.
• K-12 cybersecurity toolkit.
• K-12 Community Vendor Assessment Tool.
• Interoperability toolkit.
• Critical Infrastructure and Resilient Clouds for Unified Innovation and Technology in Schools, or CIRCUITS.

CoSN’s one-pagers in particular can be useful as “conversation starters” when communicating needs to superintendents, McKaveney said. 

Another resource tech leaders should take advantage of is the U.S. Cybersecurity and Infrastructure Security Agency’s toolkit for protecting K-12 organizations, the presenters said, adding that it’s also worthwhile to build a relationship with your local FBI field office if one is located near you.

“The first time that you've made contact with your FBI liaison shouldn’t be the first time you end up having an issue. Just at least know the person and have their phone number,” said McKaveney.  

“I never imagined I would have multiple FBI special agents' cell phone numbers in my contacts,” joked Platts.

“It is a little weird-feeling sometimes,” said McKaveney.

Finally, colleges and universities can also be a valuable partner for sharing resources and best practices.

“A lot of school districts are bigger than a lot of the small colleges and universities,” McKaveney said. “Some small private universities are the same size as your school districts. You have the same challenges, just different funding strategies and things like that.”