10 back-to-school cybersecurity essentials

Click Here to Learn How to Lower Cybersecurity Threats to Your School

Summer is over and schools are back in session across the country. If you missed the chance to prepare and test your cybersecurity protocols while students were living their best lives on summer break, there are actions you must take at the start of the school year to get your programs in shape.

Teachers and administrators are ready to kick off a great year of learning, but must match that same preparedness to ensure their cybersecurity safety house is in order.

While not an exhaustive list, here is a checklist of 10 areas that deserve the most attention and that you can get started on (or even complete) immediately. Keep in mind, cybersecurity often touches physical security, too, so some of the recommendations make important cross-functional impacts, including helping you secure and maintain your insurance coverage.

1. Do you have an expert security advisor?

It’s imperative you have someone qualified advising you on your security program. This could be an internal or external resource, paid or free, as long as it’s someone who is a bona fide security expert. If you don’t know someone like this, you can always reach out to your local university and ask if they have senior students or a professor who might be able to help you.

2. Have you completed a risk assessment?

Without completing a formal risk assessment, you can’t accurately know what’s going on in your world, security-wise. And if you don’t know what the threat is, you can’t protect yourself from it. A risk assessment can give you all the information needed for an effective security program, including what you need for continuity disaster recovery and incident response planning.

3. Have you designed and implemented security controls? 

Once you perform a risk assessment, you’ll know which security controls should be put in place, whether they’re administrative, physical, or technical. This also includes tackling the issue of access control. Do you know who’s coming and going? Have you designated which groups should have access, and to what?  Your security controls should be reviewed on a bi-annual basis at worst, quarterly at best.

4. Do you know what you have, and where you have it?

This pertains to asset inventory, in terms of your people, process, technology and data. What devices are connected to your network? What people have access to which systems? Do you know where your data is? If you signed an End User License Agreement (EULA) with a software provider, for example, you may have agreed to having your data sent to third parties. When all is said and done, it could end up in far more places than you anticipated. So, you need to take stock of your inventory, including what’s in the cloud (which isn’t guaranteed to be secure). Know what you have and where it is.

5. Have you identified who owns what?

Make sure you’ve delineated who has responsibility for what in every part of your security program. For instance, consider what happens when you sign a contract with a vendor. What parts are their responsibility and what are yours? If there are any gray areas, clean them up early. It’s also important to designate who takes care of notifying the school, the parents, and the state in case of a breach. If someone isn’t directly told they have ownership over something, they’re likely to assume someone else is handling it – leading to major gaps, for which you and your school or district might be liable.

6. Do you have multi-factor authentication in place?

This one is simple and non-negotiable. If you don’t have multi-factor authentication in place, you’re exposing your school to greater risk. For best results, use an authenticator app over SMS. And, for those employees who gripe about having to take the extra step, let them know it’s policy. Just like having their ID showing at all times.

7. Are you prepared to properly and securely dispose of information?

Unfortunately, eBay makes it easy to buy computers that schools have sold to an equipment recycler – with hard drives still intact (e.g. with existing data there for the taking). So, make sure you’re actually disposing of your digital information in the right way before you part with a piece of equipment.

A few tips: The disposal should be consistent with the NIST 800-888 guideline for media sanitization, and you should get a signed attestation from the company that they destroyed the data (or will do so) in accordance with that requirement. This will confirm the data is adequately disposed of, and remove you from liability (of course, this is not legal advice and you should check with your own legal counsel to make sure you’re in compliance with your local regulations).

8. Are you monitoring what you should be monitoring?

The term “monitoring” can encompass a lot, but the point is to have ongoing visibility into your systems and your security controls. To this end, plan to conduct vulnerability assessments, pen tests, and risk assessments against your organization and network, and ask your vendors to do risk assessments as well. Your own findings coupled with theirs should keep you apprised of any holes in your security program.

9. Do you provide enough training?

Training is key for overall security awareness, but it’s important to go beyond this. Your staff members should be trained on the proper way to store and share data, as well as on how to report suspected security events. This requires intentional, on-the-job training. For example, if an administrator is planning to send a spreadsheet of student data to a teacher across the hallway, there should be a formal procedure they follow to make sure they’re doing so securely. All too often, procedures are lacking which makes it easy to accidentally share private documents publicly.

10. What is your testing and emergency plan?

Safety in general is the top priority within schools, and this includes the physical and digital. Just as you have emergency plans in place for fires (e.g. fire drills), you should have emergency plans in place for other safety systems. For example, many physical safety systems are electronically controlled, like cross-campus door locks. If such a function relies on a computer, it’s imperative you check that the computer itself is as secure as you would expect the door lock itself to be. Additionally, are you testing your systems and incident response plans? Testing is the only way to guarantee that all the security groundwork you’ve laid will yield the results you expect it to.

Cybersecurity within schools can feel like an incredibly complex issue to tackle, but starting with this checklist will help you address the most critical items one by one. Here’s to a successful school year ahead, complete with improved cyber safety–and the peace of mind that comes with it.