IT/Security By Ken Brown, Chief Information Security Officer, Frontline Education on 3/13/2017
In a matter of decades, we’ve leapt forward a millennium in cyber
technology. In the digital age, the development of new cyber tools and
increasingly useful applications hasn’t shown much sign of slowing down.
Unfortunately, the inherent risks haven’t either.
With so much
sensitive information necessarily online, school districts must ensure
protections are put in place in case of cyber malfeasance. But with
ever-changing technology, it seems like some best practices are aging in
dog years. How do we keep up?
State of the K-12 Cyber Landscape
The recent explosion of Edtech has drawn the majority of school districts
to adopt new tools for data analytics, cloud storage, and PD. The
benefits of this technology are huge, but they do come with risks. Over
the last three years, there has been a definite increase in the number
of K-12 security incidents.
One reason is that many school
districts are easy targets. Districts often lack the cyber security
resources necessary to keep up with the evolving risks of cyber
technology, or they don’t understand or take advantage of some of the
security capabilities of the programs they use. So, for attackers, these
school districts often represent the “low hanging fruit.”
troubling reason for the increase in incidents is the value of student
information. A child’s ID and personal health information are lucrative
on dark web markets. Criminals can get years of use out of a minor’s
information before they reach the age where credit applications and
other processes are initiated that might tip them off to the identity
of these risks and incidents, state legislatures have begun introducing
new regulations to protect student data. As of September 2016, 49
states and the District of Columbia (all but Vermont) have introduced at
least one student data privacy bill, and 36 states have at least one
new student privacy law.
Districts now bear the responsibility
both to put security measures in place to protect data privacy and also
to validate that security through compliance.
Understanding the Cyber Kill Chain
the increasing sophistication of cyber criminal tactics, school
districts need to reassess what they can do to foil attacks before it’s
attacks begin when a district user opens a phishing message. Through
that, attackers can gain access to the user’s account information and
gain access to further, more sensitive information. On average, it takes
districts 146 days to identify these breaches, by which time the
attackers have had their run of district information.
Building Your Defense – Key Success Factors
- Don’t go it alone. Everybody in the district is responsible for their share of protecting district information.
- It’s all about the data. Obviously, hardware, software and networks are all part of security, but only insofar as they protect the data. So, district employees need to understand how to handle that data with care.
- Focus on people and processes first. Make sure district employees understand their personal responsibilities and how they’re involved in security
- Build security into your daily workflows. If it’s tacked on to the end of a task, it will get overlooked during crunch time.
- You can’t manage what you can’t measure. How do you know your defense is successful? You need to put in place processes that help show what you’ve prevented (such as phishing emails) and that inform how you allocate defense resources.
- Balance prevention with detection and response. One way or another, attackers will get through. Make sure you have processes in place to help you identify and consolidate those compromises.
- Communicate in terms of mission, regulatory obligations and dollars, so that your stakeholders understand your defense needs.
- Develop human firewalls. You want everybody in your district to think through what they do and how they can help prevent data breaches. This often produces the highest return on investment for districts seeking to protect their information.
Building Your Security Program Using NIST’s CSF
- a cross-functional team and get leadership support. Create a committee with members from across the district to make sure all areas are being protected, and connect that team with tools and processes already in
- Initiate data discovery and system classification. Understanding where your data is and what kind of programs can access it will help inform how you need to protect that data.
- Perform a risk assessment and gap analysis, so you can identify where you’re most likely to suffer a data breach. NIST’s Cyber Security Framework (CSF) will help you analyze your defense needs and construct thorough defense
- Package tasks into actionable and measurable projects. NIST’s CSF will help you identify these projects.
- milestone reviews and adjust. Cyber risks will continue to evolve. Consistent, regular reviews and adjustments will be critical for ongoing