Cybersecurity Roundtable: Guarding K–12 Schools from Bad Actors

EDTECH:  Would you say that your IT team is ready to effectively head off a cybersecurity attack today?

Bryan: I’m not going to be bold enough to say that things are perfect. Cybersecurity is a process. We have to be vigilant.

Bourgeois: Anyone who believes they have everything in place to prevent a cybersecurity breach is woefully misinformed. And anyone who thinks they’re totally unprepared is also probably wrong. I think it’s somewhere in between. We’re perpetually more ready than we were the day before.

Just: I think cybersecurity readiness is something where you’re never quite done. We’re aware of the biggest issues and address them as best we can. A lot has changed in the past year. Bad actors have a take-no-prisoners approach, attacking schools, pipelines and hospitals.

Larsen: We’re constantly reviewing where we are in our plan. Things are changing all the time. It’s not a one-and-done process, not even close.

Krueger: Heads of administration and technology are very concerned about cybersecurity. The irony is that when you get into specifics, school leaders often overestimate how secure they are.

EDTECH:  Do you have, or recommend having, a dedicated cybersecurity expert on your team?

Bryan: We do. The state of Texas requires each district have a cybersecurity official that receives information and resources from the state.

Jackson: In 2019, Texas passed Senate Bill 820, requiring schools to assign someone as a security coordinator with specific expertise. Many districts fill this role with an existing employee or divide the work among several IT staff members. It can be difficult to find people to fill this role — there aren’t enough people with cybersecurity training right now.

Bourgeois: This is the first year we’ve had someone dedicated to information security. It’s a sign of the times. It came from a realization that as we put more and more information into our data center and the cloud, we have an obligation as stewards of student learning to do everything we can to keep their information safe. We also know, from COVID-19, that access to learning has to be seamless.

Just: What’s interesting in K–12 is that most districts don’t have a lot of cybersecurity expertise. Unless it’s a district of over 100,000 students, there’s probably not a CISO. I have two people on my staff who have IT security coursework under their belts, but we also have technology partners who have super-credentialed folks, so our approach is to spend money on outside consultants as well as training our staff.

Larsen: Like most school districts, we struggle with staffing. Having a full-time person is really hard to do, and for us, it really doesn’t accomplish what we need. It’s hard to find a CISO because there are not enough of them. However, we do have a managed service firm for security on retainer.

Krueger: 

It’s hard to answer that question for every district. Regardless, cybersecurity needs to be a major responsibility for someone. In recent data that CoSN collected from 390 school systems, over three-quarters of districts do not have a full-time employee dedicated to network security and only 41 percent of those districts are implementing a cybersecurity plan.

EDTECH:  Do you recommend investing in cybersecurity insurance?

Bourgeois: Yes. Our cybersecurity liability policy just came up for renewal. Insurers are taking a deeper look at their ability to recover their investment and are more diligent about knowing the security status of their customers. We’re under much deeper scrutiny. K–12 needs to be ready for insurers to ask hard questions.

Just: Yes. Our insurance company is coming to us with an increasing number of requirements. We do a pretty good job — we get complimented on what we do —but eventually we might not be good enough for cybersecurity insurers.

Larsen: Yes. This is an area where we’re seeing a dramatic shift. A few years ago, getting the insurance was as simple as answering a couple of questions. Now, not only is the insurance more expensive, but we also have to answer several pages of in-depth questions about our controls, and the insurance company follows up on our answers.

EXPLORE: Grade your cybersecurity preparedness with this downloadable checklist.

EDTECH:  What are your top cybersecurity priorities for the near future?

Bryan: Continuing to educate users. We have some good security appliances in place, and we do frequent backups in multiple locations. But educating everyone, from the superintendent to the youngest students, is the most important.

Bourgeois: We just adopted Cisco’s security suite, and as an IT organization, we’ve prioritized learning about cybersecurity. It isn’t just one person’s role, it’s every person’s role. Cybersecurity has to be part of the culture. One person will never make a dent with all of our cybersecurity needs.

Just: We’ve started to network with local businesses, not necessarily in K–12. For example, Indiana’s state CISO leads a community of CTOs, which is critical for helping us network. A multinational pharmaceutical company doesn’t have the same security needs as a K–12 school, but their CTO can help us with enterprise-level security solutions.

Krueger: There is so much more vulnerability than there used to be. Everything runs on the network — the HVAC system, security cameras, lights and more. And as major local employers, schools store Social Security numbers, so they are at risk for identity theft. What’s most important is for schools, districts and our federal government to recognize the importance of continuous investment in cybersecurity.

Jackson: Through the Texas Education Technology Leaders association, we are working on getting more schools certified as a Trusted Learning Environment. While the National Institute of Standards and Technology provides a framework of choice for many states, including Texas, TLE is tailored for K–12 school districts, and I’m working with school cybersecurity experts to map NIST requirements to TLE. When I was a CTO for a large district, it took us about two years to earn our TLE seal, which is about average.

DIVE DEEPER: Rockingham County Public Schools shares how it earned its TLE seal this year.

EDTECH:  How do you handle budget and cybersecurity funding concerns with district administrators and the public?

Bourgeois: A big part of it is trust. The public trusts us, and that trust is invaluable. Part of the justification for our budget is what would happen if we lost that trust. It would be detrimental to every other opportunity we have as a district. The less time we have in reactive mode gets us in a better position for what we want to be doing.

Bryan: There’s a balance, for sure, with security on one side and budget on another. We’re blessed in that respect. Our district has made a significant investment in cybersecurity. We haven’t hit a wall in funding yet.

Just: Many organizations have cybersecurity information that’s specifically geared toward administrators. Nationally, there’s CoSN, the Association of School Business Officials International and The School Superintendents Association. The Indiana K–12 Cybersecurity Task Force has made presentations locally to the Indiana ASBO. When we’re speaking with other non-IT administrators, we try to keep it very high level, but help them understand their part.

Larsen: Our administration and the public support ongoing funding for cybersecurity. Our funding stream is part of a tax levy passed seven years ago. Initially, the funding was primarily for physical security — things like building locks, access and cameras. However, over time, the funding has shifted from physical security to cybersecurity.

Click the banner below to find additional information on keeping your district safe from cyber threats.