Securing Schools: The 5 Key Components of a Comprehensive Approach to Cybersecurity in Education

Data breaches cause real-world damage and tarnish the credibility of the organizations that fall prey to them. By one account, 5.1 million records are lost or stolen daily — nearly 60 per second. Data breaches cost organizations on average as much as $1.57 million in lost business.¹

While K-12 schools and their districts focus less on bottom lines, they are also far from immune from cyberattacks. According to a Center for Digital Education (CDE) survey, 85 percent of school leaders said they face greater cybersecurity threats than in years past.² Districts can find themselves outmatched as these threats intensify. Some large school systems rival Fortune 500 companies in size and scope, but fewer than one in five — 19 percent — have a chief information security officer (CISO), which have become commonplace in the private sector.

However, school technology leaders can develop strategies to protect against and mitigate breaches by procuring technology and developing risk management policies, planning for incidents before they occur, and identifying teams to respond to and mitigate a breach. This paper outlines the key components of a comprehensive approach to breach defense.

“The first step is to think holistically,” says Steve Caimi, Cisco industry solutions specialist for the public sector. “Before you do anything, remember that cybersecurity is fundamentally about risk management. A risk-based approach will help you make better decisions.”

Strategies to Secure Schools

Cybersecurity best practices are essential. A comprehensive framework for cybersecurity can help school leaders make informed, risk-based decisions on cybersecurity defenses, understand priorities and focus investments in the areas that matter most.

The National Institute of Standards and Technology (NIST) provides this critical guidance. Its Cybersecurity Framework breaks everything down into five simple key functions:

• Identify. Manage risks and identify data, threats and capabilities.
• Protect. Ensure appropriate safeguards to limit or contain the impact of cyberattacks.
• Detect. Establish systems and capabilities to detect cyberattacks.
• Respond. Plan and execute activities to take action during a cybersecurity incident.
• Recover. Restore capabilities and service impacted by cyberattacks and identify improvements to procedures and plans.

 

When addressed together, these functions can help guide both technology and policy decisions.³ The framework, says Caimi, “helps you prioritize your cyber investments so that every penny works toward bringing risk down to an acceptable level for your organization.”

1. Identify

Before making cyber investments, use a risk-based approach to set your priorities.

“Always think of cybersecurity in terms of risk,” says Caimi. “Every organization has a different risk profile and tolerance for risk. You must focus on the right investments because every organization has limited resources, and no one can buy, deploy or manage every possible defense technology.”

An effective risk assessment strategy involves taking stock of what’s in and on the network — for example, where the most sensitive student and employee data resides, what controls are in place to protect it, and what vulnerabilities need to be addressed.

“You really need to know what you have — systems, people, assets and data — to be able to identify breaches when they happen,” says Peter Romness, Cisco’s public sector cybersecurity solutions lead.

2. Protect

Developing a strategy to protect systems requires an understanding of cybersecurity best practices — the proven approaches to protecting against cyberattacks. These include preventative controls like identity and access management, data security and even cybersecurity awareness training. From a technology standpoint, risk management can inform an integrated approach to breach defense, which usually includes:

• Web and email security to help secure browsing and guard against phishing, malware attacks and ransomware.
• Endpoint protection that protects against malware attacks on devices and quarantines them from the network.
• Multifactor authentication to validate identities beyond simple passwords, and protect in case passwords are stolen.
• Encryption and backups to secure, protect and restore sensitive data.
• Network segmentation to cordon off sensitive student information or financial systems from the broader network.
• Anomaly detection to identify more complex threats and unusual behaviors that may suggest an inside threat from an existing employee or authorized user.

 

Along with technology, consider policy as part of the overall risk-management strategy. For example, requiring a second independent confirmation before funds are transferred to a new account can help prevent attackers from successfully stealing funds by compromising one device or account.

3. Detect

Most cyber professionals agree that no matter how well you protect your organization, some attacks are bound to succeed. And the faster you can detect and stop the breach, the less damage is done. That’s particularly important because time usually isn’t on organizations’ side. Two-thirds of breaches take months or years to discover, according to Cisco research.⁴

Automation and integration play critical roles in helping organizations identify and respond to threats. Automated monitoring tools and analytics can identify potential threats and alert IT leaders without human intervention. Systems also can be integrated in ways that ensure these alerts aren’t lost in the shuffle of multiple reports from different parts of the network. Without them, “it takes time to get information from each security device and correlate it with the others,” says Romness. “It can take days to figure out what happened. With them, we can compress this time to minutes.”

Technology is only one part of ensuring an organization is capable of detecting threats. The frightening reality is that only one-third of organizations discover breaches through their own monitoring.⁵ However, cyberattacks can be identified in many other ways, including alert internal users, outside organizations which monitor or inadvertently come across stolen data — even social media once a breach is made public. That’s why organizations must have systems in place to monitor and elevate information from these external sources. Leaders and line staff alike need to understand the threats identified in the organization’s risk assessment and be prepared to respond.

4. Respond and 5. Recover

Detecting a breach immediately means little if you can’t stop it. That’s why incident response is so important: The steps you take in the seconds and hours that follow incident detection has so much to do with how destructive the breach becomes. Fast response can mean little damage.

Leaders should develop an incident response plan and identify the staff who will be tasked with carrying it out when a breach does occur. The incident response team should not just include IT staff, but also those tasked with addressing legal issues, communications and public affairs, and ensuring continuity of operations in the event systems are down for a prolonged time. In many cases, vendors provide critical emergency response roles and support the in-house team.

“Your people must know their roles and have clear plans of action,” Caimi says. “Incident response plans should be tested and updated regularly. Reporting must be timely, consistent and coordinated. I’d say very few organizations could respond effectively unless they’re well prepared ahead of time.” With a well-developed plan in place, organizations can focus on first identifying and stopping the breach and then determining the potential impact and mitigating it. While technology plays an important role, the plan and team also must prepare for and respond to potential service interruptions after a breach, confront legal issues, provide employees and the public with information, investigate the cause of the breach and ensure evidence isn’t lost or destroyed.

It’s particularly important to consider the organization’s obligation to report breaches to stakeholders. While federal FERPA regulations do not specifically contain breach notification requirements, the law does require schools and other organizations to record all incidents of disclosure — intentional or not. The U.S. Education Department also recommends notification “if the compromised data includes student social security numbers and other identifying information that could lead to identity theft.”⁶ Many states have passed privacy laws in recent years which also may require disclosure of breaches.

“It is critical that educational agencies and institutions clearly understand which federal, state and local breach notification laws apply to them, and maintain compliance with all the requirements on data breach response, reporting, and internal and external notification,” the Education Department guidance states.

Finally, the last step of responding to a breach involves returning to the incident response plan and updating it based on the lessons learned. Even in the absence of attacks, plans should be reviewed regularly, according to Caimi. “Have you tested it? Is it up to date with the systems and vendors you have now?” he asks.