Don’t hesitate to develop and implement a cybersecurity response plan this school year.
These days, it’s more likely than not that when you open your daily newspaper or scroll through your newsfeed, you’ll see coverage of a cyberattack impacting both businesses and consumers. Recently, a number of these cybercrimes have been targeted toward school districts – for example, over the summer, Louisiana Governor John Bel Edwards declared a statewide emergency as a result of cyberattacks in several school systems throughout Louisiana. Along the same lines, the Syracuse, N.Y., City School District was shut down for more than a week during a ransomware attack; and a similar incident in Baltimore earlier in 2019 cost the city more than $18 million in recovery efforts and lost or delayed revenue.
As cyber threats evolve and grow, it’s not a matter of if a cyberattack will happen but when – or, further still, whether it has already happened to your district and you don’t know it yet. Attackers are getting highly skilled at compromising an organization’s infrastructure, sitting on a network and waiting for a prime time to launch an attack. So, what can school districts do to prepare? Below are a few cybersecurity practices every district should employ:
- First, at a minimum, ensure that your organization is meeting the requirements of federal, state and local laws. Several states have recently passed legislation requiring certain measures to protect educational institutions from cyberattacks (just a few weeks ago NY passed the SHIELD Act!). New York State Education Law, for example, requires multiple protections and compliance with the NIST Cybersecurity Framework, and sets very significant parameters for vendor contract management, among other guidelines designed to defend systems from cyberattacks of all kinds.
- Continuously train your employees and students. The cybersecurity industry shifts every 18 months to protect against hackers’ latest tools and tricks, but one of the biggest risks that remains constant is untrained users who don’t understand their roles and responsibilities in preventing an attack. Training goes hand-in-hand with IT solutions for comprehensive cybersecurity. All the cutting-edge software in the world can’t protect an organization that does not have a solid cybersecurity foundation built on a culture of responsible technology use. Employees—and in the case of school districts, student users—are the first firewall, but if they don’t know what to look for then it’s impossible to rely on them as a preventative measure.
- Perform an accurate and thorough risk assessment that includes an internal and external penetration test. Effective risk management extends beyond just cybersecurity, but your overall enterprise risk management activities should encompass identifying and addressing cyber-related vulnerabilities. Once those risks are recognized, you can move on to developing a Computer Security Incident Response Plan (CSIRP).
- Implement and test a CSIRP. It is essential to establish clear processes and procedures proactively to help ensure you’ll be prepared to respond when (not if) an incident inevitably comes to light or occurs. Your CSIRP should be tested regularly with participation from both internal and external stakeholders to ensure everyone is on the same page in the event of a cyberattack.
The constant stream of cyberattacks in the news can be daunting, as can the thought of adequately preparing your organization for these threats, but the more action you take now, the more prepared you’ll be when a breach occurs and the better you can sleep at night knowing that you’ve taken all the necessary steps to mitigate risk and develop a thorough plan of action. Take the opportunity at the start of this new school year to conduct a risk assessment, develop a CSIRP and train employees and students on responsible use of district software and devices.
Carl Cadregari is an Executive Vice President for FoxPointe Solutions and the Information Risk Management Division of The Bonadio Group. Carl has expertise in the areas of Data Privacy and Cybersecurity Controls, Physical, Administrative, and Technical Security, Enterprise Risk Management, Vendor Management, and Disaster Recovery Planning, having worked with companies across almost all vertical markets ranging in size from small businesses to multi-regional and multi-national organizations with thousands of employees.