Cybersecurity: It’s Still on My Plate!
What Should I Do Next?

Establishing a cyber safety plan that adapts with your district.

Cybersecurity continues to be a challenge for school districts. While new technologies have increased protection from cyber-attacks, most breaches still occur due to human error. That means that strong district leadership and employee engagement across the board are critical.

Remember when cybersecurity wasn’t on your radar? Just a few years ago, school business officials didn’t have to worry about it! Then insurance companies started raising rates and creating separate policies for cyber protection. Along came those infamous insurance questionnaires requiring a signature from the treasurer/CFO attesting to the accuracy of information. While technology teams were involved, they struggled to keep up with the ever-changing and sometimes obscure requirements.

To meet insurance requirements and safeguard districts, many schools sought to implement or enhance existing technology solutions. Within a short period of time, IT teams were being asked to identify how to best protect districts by seeking advice from peers and obtaining knowledge from experts. At the time, a common request was, “Can you get me some of that MFA?” Despite these initial efforts, technology requirements have continued to evolve, leading districts to invest more in cybersecurity to ensure the district is protected.

Why is cybersecurity still on the school business official’s plate? Technology solutions are just one aspect of a comprehensive cyber defense strategy. People and processes are equally important. Industry statistics reveal that over 60% of breaches and attacks are the result of human error. According to Proofpoint, a leading cybersecurity provider, 95% to 98% of breaches and attacks are at least partly due to human failure. While IT staff can focus on systems and technologies used in a district, they may not have the autonomy to enforce policies and practices. For this critical reason, district leadership is essential to the success of any cyber initiative.

What can districts do beyond conducting third-party security assessments, creating cybersecurity roadmaps, and implementing technologies?

FOSTERING A CYBERSECURITY-CENTRIC MINDSET

Senior district leadership must cultivate a cybersecurity-centric mindset throughout the organization. While the technology departments play a crucial role, they cannot single-handedly change processes or influence behavior across different departments including finance, business operations, and teaching. These changes require widespread awareness, education, reinforcement, and buy-in across the district including departments, staff, and students. While it isn’t realistic for district leadership to be cyber experts, high-level knowledge of core cyber domains can help actively drive the conversation. Below is a representation of cyber domains, along with their descriptions.

ESTABLISHING A MULTI-DEPARTMENTAL CYBERSECURITY COMMITTEE

Establishing a cross-functional cybersecurity committee is one way to promote inter-departmental awareness and implementation of best practices and cybersecurity plans. Every cybersecurity committee should include the superintendent, treasurer/CFO, technology director, building leadership, teachers, curriculum experts, and student services representatives. The committee’s responsibilities may include understanding the current cybersecurity landscape of the district, communicating the importance of cybersecurity practices, gathering feedback, and working on policies that might protect the district from cyber threats. It’s important that these meetings aren’t just another IT/Technology gathering, but rather one in which everyone plays their part to protect student data and district finances and to avoid operational disruptions.

INITIAL COMMITTEE MEETING

The following should be on your first cybersecurity meeting agenda:

  • Identification of the committee’s purpose and members’ responsibilities, with clear objectives to ensure active engagement.
  • Creation or review of current cybersecurity goals and objectives; use this meeting to draft them if there are none!
  • Examination of the current state of cybersecurity and attacks within the education sector.
  • Assessment of the district’s current cybersecurity posture. Ideally this would be done by an external entity. However, it’s likely you’ll start with a high-level self-assessment.
  • Acknowledgment that cybersecurity is a journey and not a destination. This committee won’t have all the answers in a month or even a year. However, commitment to a cyber journey that makes sense for the district is the goal.

ACTION ITEMS FOR COMMITTEE MEMBERS

  • Communicate the committee’s purpose and the shared responsibility for cybersecurity to their teams.
  • Collect feedback on the overall cybersecurity mindset from their teams.
  • Identify potential vulnerabilities in processes and education.
  • Identify any potential “quick wins” that can be implemented immediately.

SECOND COMMITTEE MEETING

The following should be addressed at your second committee meeting:

  • Updates on technology changes.
  • Sharing of information and needs between departments.
  • Identification of common themes and areas of concern.
  • Development of metrics to measure the committee’s success in fostering a cybersecurity mindset, including education and training activities, process changes, and communications.
  • Discussion of how your district will ensure its cyber stance is comprehensively assessed.

ACTION ITEMS FOR COMMITTEE MEMBERS

  • Communicate meeting details to their teams.
  • Prioritize processes requiring review and support.
  • Brainstorm potential district-wide events and communications.
  • Implement identified quick wins.

ONGOING MEETINGS

Subsequent meetings should focus on executing your district’s cyber journey. This typically includes updates from the technology department, departmental and building-level work, and leadership. Consider inviting industry partners to participate in meetings to provide education and recommendations. It’s important this group guides your district using real-time and updated information on the organization’s cyber posture.

Cybersecurity is an ongoing challenge. A cybersecurity-centric mindset across your district is crucial to prevent breaches and attacks. While technology is vital, it can only do so much. Ensuring that everyone is engaged and informed is the key to a robust cyber defense strategy.