IT/Security By Ken Brown, Chief Information Security Officer, Frontline Education on 3/13/2017
In a matter of decades, we’ve leapt forward a millennium in cyber technology. In the digital age, the development of new cyber tools and increasingly useful applications hasn’t shown much sign of slowing down. Unfortunately, the inherent risks haven’t either.
With so much sensitive information necessarily online, school districts must ensure protections are put in place in case of cyber malfeasance. But with ever-changing technology, it seems like some best practices are aging in dog years. How do we keep up?
State of the K-12 Cyber Landscape
The recent explosion of Edtech has drawn the majority of school districts to adopt new tools for data analytics, cloud storage, and PD. The benefits of this technology are huge, but they do come with risks. Over the last three years, there has been a definite increase in the number of K-12 security incidents.
One reason is that many school districts are easy targets. Districts often lack the cyber security resources necessary to keep up with the evolving risks of cyber technology, or they don’t understand or take advantage of some of the security capabilities of the programs they use. So, for attackers, these school districts often represent the “low hanging fruit.”
A more troubling reason for the increase in incidents is the value of student information. A child’s ID and personal health information are lucrative on dark web markets. Criminals can get years of use out of a minor’s information before the child reaches the age where credit applications and other processes are initiated that might tip them off to the identity theft.
Because of these risks and incidents, state legislatures have begun introducing new regulations to protect student data. As of September 2016, 49 states and the District of Columbia (all but Vermont) have introduced at least one student data privacy bill, and 36 states have at least one new student privacy law.
Districts now bear the responsibility both to put security measures in place to protect data privacy and also to validate that security through compliance.
Understanding the Cyber Kill Chain
With the increasing sophistication of cyber criminal tactics, school districts need to reassess what they can do to foil attacks before it’s too late.
Most attacks begin when a district user opens a phishing message. Through that, attackers can gain access to the user’s account information and, from there, to further, more sensitive information. On average, it takes districts 146 days to identify these breaches, by which time the attackers have had their run of district information.
Building Your Defense – Key Success Factors
- Don’t go it alone. Everybody in the district is responsible for their share of protecting district information.
- It’s all about the data. Obviously, hardware, software and networks are all part of security, but only insofar as they protect the data. So, district employees need to understand how to handle that data with care.
- Focus on people and processes first. Make sure district employees understand their personal responsibilities and how they’re involved in security processes.
- Build security into your daily workflows. If it’s tacked on to the end of a task, it will get overlooked during crunch time.
- You can’t manage what you can’t measure. How do you know your defense is successful? You need to put in place processes that help show what you’ve prevented (such as phishing emails) and that inform how you allocate defense resources.
- Balance prevention with detection and response. One way or another, attackers will get through. Make sure you have processes in place to help you identify and consolidate those compromises.
- Communicate in terms of mission, regulatory obligations and dollars, so that your stakeholders understand your defense needs.
- Develop human firewalls. You want everybody in your district to think through what they do and how they can help prevent data breaches. This often produces the highest return on investment for districts seeking to protect their information.
Building Your Security Program Using NIST’s CSF
- Build a cross-functional team and get leadership support. Create a committee with members from across the district to make sure all areas are being protected, and connect that team with tools and processes already in place.
- Initiate data discovery and system classification. Understanding where your data is and what kind of programs can access it will help inform how you need to protect that data.
- Perform a risk assessment and gap analysis, so you can identify where you’re most likely to suffer a data breach. NIST’s Cybersecurity Framework (CSF) will help you analyze your defense needs and construct a thorough defense system.
- Package tasks into actionable and measurable projects. NIST’s CSF will help you identify these projects.
- Perform milestone reviews and adjust. Cyber risks will continue to evolve. Consistent, regular reviews and adjustments will be critical for ongoing data security.