Cyber Security in K-12: Is Your School District Prepared?

IT/Security By Ken Brown, Chief Information Security Officer, Frontline Education on 3/13/2017

In
a matter of decades, we’ve leapt forward a millennium in cyber
technology. In the digital age, the development of new cyber tools and
increasingly useful applications hasn’t shown much sign of slowing down.
Unfortunately, the inherent risks haven’t either.

With so much
sensitive information necessarily online, school districts must ensure
protections are put in place in case of cyber malfeasance. But with
ever-changing technology, it seems like some best practices are aging in
dog years. How do we keep up?

State of the K-12 Cyber Landscape

The
recent explosion of Edtech has drawn the majority of school districts
to adopt new tools for data analytics, cloud storing, and PD. The
benefits of this technology are huge, but they do come with risks. Over
the last three years, there has been a definite increase in the number
of K-12 security incidents.

One reason is because many school
districts are easy targets. Districts often lack cyber security
resources necessary to keep up with the evolving risks of cyber
technology, or they don’t understand or take advantage of some of the
security capabilities of the programs they use. So, for attackers, these
school districts often represent the “low hanging fruit.”

A more
troubling reason for the increase in incidents is the value of student
information. A child’s ID and personal health information is lucrative
on dark web markets. Criminals can get years of use out of a minor’s
information before they reach the age where credit applications and
other processes are initiated that might tip them off to the identity
theft.

Government Response

Because
of these risks and incidents, State legislatures have begun introducing
new regulations to protect student data. As of September 2016, 49
states and the District of Columbia (all but Vermont) have introduced at
least one student data privacy bill, and 36 states have at least one
new student privacy law.

defining key terms venn diagram

Districts now bear the responsibility
both to put security measures in place to protect data privacy and also
to validate that security through compliance.

Understanding the Cyber Kill Chain

With
the increasing sophistication of cyber criminal tactics, school
districts need to reassess what they can do to foil attacks before it’s
too late.

cyber kill chain process

Most
attacks begin when a district user opens a phishing message. Through
that, attackers can gain access to the user’s account information and
gain access to further, more sensitive information. On average, it takes
districts 146 days to identify these breaches, by which time the
attackers have had their run of district information.

Building Your Defense – Key Success Factors

  • Don’t go it alone. Everybody in the district is responsible for their share of protecting district information.
  • It’s
    all about the data. Obviously, hardware, software and networks are all
    part of security, but only insofar as they protect the data. So,
    district employees need to understand how to handle that data with care.
  • Focus
    on people and processes first. Make sure district employees understand
    their personal responsibilities and how they’re involved in security
    processes.
  • Build security into your daily workflows. If it’s tacked on to the end of a task, it will get overlooked during crunch time.
  • You can’t manage what you can’t measure. How do you know
    your defense is successful? You need to put in place processes that
    help show what you’ve prevented (such as phishing emails) and that
    inform how you allocate defense resources.
  • Balance prevention
    with detection and response. One way or another, attackers will get
    through. Make sure you have processes in place to help you identify and
    consolidate those compromises.
  • Communicate in terms of mission, regulatory obligations and dollars, so that your stake holders understand your defense needs.
  • Develop human firewalls. You want everybody
    in your district to think through what they do and how they can help
    prevent data breaches. This is often produces the highest return on
    investment for districts seeking to protect their information.

Building Your Security Program Using NIST’s CSF

  • Build
    a cross-functional team and get leadership support. Create a committee
    with members from across the district to make sure all areas are being
    protected, and connect that team with tools and processes already in
    place.
  • Initiate data discovery and system classification.
    Understanding where your data is and what kind of programs can access it
    will help inform how you need to protect that data.
  • Perform a
    risk assessment and gap analysis, so you can identify where you’re most
    likely to suffer a data breach. NIST’s Cyber Security Framework (CSF)
    will help you analyze your defense needs construct thorough defense
    system.
  • Package tasks into actionable and measureable projects. NIST’s CSF will help you identify these projects.
  • Perform
    milestone reviews and adjust. Cyber risks will continue to evolve.
    Consistent, regular reviews and adjustments will be critical for ongoing
    data security.

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top
error: Content is protected !!