Administrators must prioritize cybersecurity to enhance their district’s ability to serve the community while protecting sensitive data that districts require to perform their mission. Understanding the gaps between current practices and typical cybersecurity expectations will help administrators develop a robust cybersecurity framework and a strong cybersecurity posture.

Defend Your Data! What’s Expected, What Really Happens, and What it Means for School District Cybersecurity

In today's digital age, cybersecurity is vital for organizations across all sectors, especially school districts. Educational institutions are a treasure trove of sensitive data, ranging from student records to financial information, and frequently struggle between the needs to be as open to their community as possible while also restricting access to the “crown jewels.” It is crucial for school business administrators to understand the common expectations and actual practices related to cybersecurity to protect their districts from potential threats while serving their population.

There are multiple frameworks and guidance that districts can follow to secure their environment, and they tend to align around a few key areas. Let’s explore each in turn to understand common cybersecurity baselines and how they apply to school districts.

1. Asset Management

Common Expectation: Districts should strive for automated inventories of all their assets connected to the school network. There should be a defined system of records, assigned ownership of the assets, and designated responsibility to maintain the accuracy and completeness of the inventories.

Frequently Observed: Many districts maintain manual inventories, leading to delayed and stagnant information. Records are often incomplete, duplicated, or fail to document specific asset types, purpose, and owner.

Implication for Districts: A lack of complete asset inventories may hamper the districts’ efforts to secure and update their systems. Those that lose track of their assets may not be able to adequately secure all access points to critical data and may be exposed to threats of unauthorized access. Districts should implement automated asset management systems to maintain accurate and up-to-date records. Designating asset owners and establishing clear responsibilities will facilitate efficient management.

2. MFA and Passwords

Common Expectation: All users, including administrators, should have passwords of at least 12 characters, though longer is better. Users should be encouraged to use full sentences or sequences of words as passwords, as they tend to be easier to remember than strings of characters. Multi-Factor Authentication (MFA) should be enabled for all users, whether connecting locally or remotely. Most recent guidance warns against requiring special characters in passwords: the security benefit is outweighed by the difficulty of remembering such passwords, which leads users to tape them underneath their keyboard or to the back of their monitor.

Frequently Observed: Many users have passwords of 8 characters or less and are unable to enter passwords longer than 20 characters. MFA is often implemented only for remote access.

Implication for Districts: Memorable yet strong passwords and MFA are vital to protect against unauthorized access. School districts should enforce password policies that require the use of longer passwords, remove complexity requirements, and encourage sentences as passwords. Additionally, MFA should be implemented for all users, regardless of their location.
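The contrast between the two password regimes above is easier to see when both are written down as policy objects and a candidate password is evaluated under each. The following Python is an added example, not code from the original article: the two policies, the 128-character upper bound on the recommended side and the two sample passwords are all constructed here to mirror the "frequently observed" and "common expectation" descriptions.

```python
from __future__ import annotations
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    max_length: int           # largest password the login form will accept
    require_complexity: bool  # force an upper/lower/digit/special mix
    mfa_everywhere: bool      # True: MFA for local and remote logins; False: remote only


# Constructed to mirror the "frequently observed" setup: short minimum, a 20-character
# form limit, composition rules, and MFA for remote access only.
OBSERVED_POLICY = PasswordPolicy("observed", min_length=8, max_length=20,
                                 require_complexity=True, mfa_everywhere=False)

# Constructed to mirror the "common expectation": 12+ characters, no composition rules,
# MFA everywhere. The 128-character limit is an assumed form bound no passphrase will hit.
EXPECTED_POLICY = PasswordPolicy("expected", min_length=12, max_length=128,
                                 require_complexity=False, mfa_everywhere=True)

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_password(password: str, policy: PasswordPolicy) -> list[str]:
    """Return the reasons `password` is rejected under `policy`; an empty list means accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(password) > policy.max_length:
        problems.append(f"longer than the {policy.max_length}-character form limit")
    if policy.require_complexity and not all(re.search(c, password) for c in CHARACTER_CLASSES):
        problems.append("missing a required character class")
    return problems


def mfa_required(policy: PasswordPolicy, remote: bool) -> bool:
    """Whether a login must complete MFA: always under the expected policy, remote-only under the observed one."""
    return policy.mfa_everywhere or remote


def compare(password: str) -> dict[str, list[str]]:
    """Evaluate one candidate password under both policies side by side."""
    return {p.name: check_password(password, p) for p in (OBSERVED_POLICY, EXPECTED_POLICY)}


if __name__ == "__main__":
    # A four-word passphrase and a short "complex" password, both constructed for this example.
    for candidate in ("correct horse battery staple", "P@ssw0rd"):
        print(repr(candidate), compare(candidate))
    print("local login needs MFA under expected policy:", mfa_required(EXPECTED_POLICY, remote=False))
```

Run as a script, the comparison shows the inversion the article describes: the 28-character passphrase is rejected by the observed policy on two counts (it exceeds the 20-character form limit and lacks a digit and an upper-case letter) while the 8-character "complex" password sails through; under the expected policy the passphrase is accepted and the short password is the one turned away.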

3. Asset Monitoring

Common Expectation: Districts should use enterprise solutions with commercial support for asset monitoring. All assets should be covered. Alert triggers should be tested, tuned, and periodically reviewed. An exception management process should be in place.

Frequently Observed: Monitoring tools are often limited to workstations, excluding servers. Legacy tools are sometimes used. Alerts are untuned and sent to the wrong recipients, and consequently are frequently ignored.

Implication for Districts: Asset monitoring must cover all devices within the school district's network. Districts should deploy modern monitoring solutions, carefully configure triggers, and review alert recipients to ensure that potential threats are easily identifiable and responded to promptly.

4. Vulnerability Management & Patch Management

Common Expectation: All systems should be scanned for vulnerabilities, with scan coverage validated against complete asset inventories. Districts should establish defined timelines for resolving vulnerabilities, perform root cause analysis, and conduct trend analysis. Patch management strategies should be developed and implemented. Systems no longer supported by vendors should be retired.

Frequently Observed: Vulnerability scanning is often incomplete, and findings are not consistently remediated. Resolution strategies are undocumented, end-of-life software remains active, and systems are haphazardly patched.

Implication for Districts: Addressing vulnerabilities and missing patches promptly helps mitigate the risk of cyberattacks. Removing systems once vendor support is no longer available reduces the risk of newly discovered vulnerabilities going unaddressed. School districts should perform comprehensive vulnerability assessments to identify threats to systems and data. Districts should document resolution and patching strategies and retire end-of-life systems to support consistent threat remediation and mitigation.
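Sections 1 and 4 together describe one reconciliation a district can run on its own data: compare the asset inventory with what the scanner actually reached, then hold open findings against defined remediation timelines. The Python below is an added example, not part of the original article; the inventory rows, scanner output, hostnames and the SLA table are all constructed here (the article calls for defined timelines but sets none, so the day counts are assumptions).

```python
from __future__ import annotations
from datetime import date

# Constructed inventory records: a system of record should carry an id, the hostname,
# an accountable owner, and the vendor end-of-support date if one has been announced.
INVENTORY = [
    {"id": "A-001", "host": "sis-db01",  "owner": "IT Ops",     "eol": None},
    {"id": "A-002", "host": "payroll01", "owner": "",           "eol": None},
    {"id": "A-003", "host": "lib-kiosk", "owner": "Library",    "eol": date(2023, 10, 10)},
    {"id": "A-004", "host": "hvac-ctl",  "owner": "Facilities", "eol": None},
]

# Constructed scanner output: the hosts the last scan reached, plus one row per finding.
SCANNED_HOSTS = {"sis-db01", "payroll01", "lib-kiosk", "cafe-pos"}
FINDINGS = [
    {"host": "sis-db01",  "severity": "critical", "first_seen": date(2024, 3, 1),  "fixed": False},
    {"host": "sis-db01",  "severity": "low",      "first_seen": date(2024, 1, 5),  "fixed": False},
    {"host": "payroll01", "severity": "high",     "first_seen": date(2024, 3, 10), "fixed": True},
    {"host": "lib-kiosk", "severity": "high",     "first_seen": date(2024, 2, 1),  "fixed": False},
    {"host": "cafe-pos",  "severity": "medium",   "first_seen": date(2024, 3, 12), "fixed": False},
]

# Assumed remediation timelines in days by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def reconcile(inventory: list[dict], scanned_hosts: set[str], findings: list[dict], today: date) -> dict:
    """Cross-check inventory against scan coverage and flag findings past their timeline."""
    inv_hosts = {a["host"] for a in inventory}
    report = {
        # Inventory assets the scanner never reached: their vulnerabilities are unknown.
        "unscanned": sorted(inv_hosts - scanned_hosts),
        # Scanned hosts absent from the inventory: the system of record is incomplete.
        "not_in_inventory": sorted(scanned_hosts - inv_hosts),
        # Records nobody is accountable for.
        "no_owner": sorted(a["id"] for a in inventory if not a["owner"]),
        # Systems still on the network past vendor end-of-support.
        "end_of_life": sorted(a["host"] for a in inventory if a["eol"] and a["eol"] < today),
        "overdue": [],
        "coverage_pct": round(100 * len(inv_hosts & scanned_hosts) / len(inv_hosts)),
    }
    for f in findings:
        if f["fixed"]:
            continue
        age_days = (today - f["first_seen"]).days
        if age_days > SLA_DAYS[f["severity"]]:
            report["overdue"].append((f["host"], f["severity"], age_days))
    return report


if __name__ == "__main__":
    for key, value in reconcile(INVENTORY, SCANNED_HOSTS, FINDINGS, date(2024, 3, 15)).items():
        print(f"{key}: {value}")
```

Each list in the report maps to one of the observed gaps: `unscanned` and `coverage_pct` expose incomplete scanning, `not_in_inventory` exposes an incomplete inventory, `no_owner` exposes missing accountability, `end_of_life` lists the systems that should be retired, and `overdue` is the input to the trend analysis the article asks for. Run with the constructed data, the HVAC controller was never scanned, a point-of-sale host is unknown to the inventory, the payroll server has no owner, the library kiosk is past end-of-support, and two open findings have blown their timelines.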

5. Log Analysis & Detection Strategy

Common Expectation: Districts should define log sources and the purpose of logging activities to ensure comprehensive logging of systems and transactions. Districts should implement log aggregation and correlation using a Security Information and Event Management (SIEM) system to identify threats and detect unauthorized uses of the system. Districts managing large amounts of sensitive data should consider managed detection and response (MDR) solutions or 24/7 monitoring to quickly respond to threats.

Frequently Observed: Log analysis is often inconsistently implemented and monitored. Aggregation and correlation through SIEM systems are not uniformly implemented.

Implication for Districts: Implementing a comprehensive log analysis and detection strategy enables school districts to identify, investigate, and respond to suspicious activities in real-time. Utilizing SIEM systems, along with dedicated monitoring services, will enhance security posture. Districts should review asset inventories to identify systems where logging should be enabled, and review logs periodically to validate relevant information is collected.
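The value of aggregating logs from several sources, rather than reviewing each system on its own, is easiest to show with a small correlation rule. The Python below is an added example and not code from the original article; the log lines, hostnames, usernames, the simplified `auth user=... result=...` line format, and the ten-minute window and three-failure threshold are all constructed here. The rule flags a successful login that follows a burst of failures for the same account, counting failures across every source.

```python
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events from two sources (a VPN gateway and a domain
# controller), already forwarded to one place as a SIEM would do. Addresses are from
# documentation ranges.
LOG_LINES = [
    "2024-03-15T08:00:05 vpn01 auth user=jdoe result=FAIL src=203.0.113.5",
    "2024-03-15T08:00:40 vpn01 auth user=jdoe result=FAIL src=203.0.113.5",
    "2024-03-15T08:01:10 dc01 auth user=jdoe result=FAIL src=203.0.113.5",
    "2024-03-15T08:02:00 dc01 auth user=asmith result=OK src=10.20.1.14",
    "2024-03-15T08:03:30 dc01 auth user=jdoe result=OK src=203.0.113.5",
    "2024-03-15T08:20:00 vpn01 auth user=asmith result=FAIL src=10.20.1.14",
    "2024-03-15T08:21:00 vpn01 auth user=asmith result=OK src=10.20.1.14",
]

# Assumed line layout: timestamp, source host, "auth", then key=value fields.
LINE_RE = re.compile(r"^(\S+) (\S+) auth user=(\S+) result=(OK|FAIL) src=(\S+)$")


def parse(lines: list[str]) -> list[dict]:
    """Turn raw lines into event dicts, skipping anything that does not match, sorted by time."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are dropped here; a real pipeline would count them
        ts, host, user, result, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "result": result, "src": src})
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list[dict], window: timedelta = timedelta(minutes=10),
           threshold: int = 3, sources: set[str] | None = None) -> list[dict]:
    """Alert when a login succeeds after `threshold` or more failures for the same user inside `window`.

    `sources` limits the rule to the named hosts, which simulates reviewing one
    system's log in isolation instead of the aggregated feed.
    """
    if sources is not None:
        events = [e for e in events if e["host"] in sources]
    by_user: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["result"] != "OK":
                continue
            recent_failures = [f for f in evs[:i]
                               if f["result"] == "FAIL" and e["ts"] - f["ts"] <= window]
            if len(recent_failures) >= threshold:
                alerts.append({"user": user, "at": e["ts"], "failures": len(recent_failures),
                               "hosts": sorted({f["host"] for f in recent_failures})})
    return alerts


if __name__ == "__main__":
    events = parse(LOG_LINES)
    print("aggregated view:", detect(events))
    print("VPN log alone:  ", detect(events, sources={"vpn01"}))
```

With the constructed data, the aggregated view raises one alert for `jdoe` (three failures spread over `vpn01` and `dc01`, then a success from the same address), while the same rule run over the VPN log by itself sees only two failures and stays silent. That gap is the case for correlation across sources that the section above makes.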

6. Backup Restore Protection

Common Expectation: Districts should test and confirm the viability of backups. Periodic validation of backup protection mechanisms, such as immutability and air gaps, is important.

Frequently Observed: Backup status and success are often unconfirmed. Backup storage may have unrestricted or inappropriate access, and protection status remains unverified.

Implication for Districts: In the event of a data breach or system failure, reliable backups are essential for quick recovery. Regularly testing and validating backup systems, along with restricting access to backup storage, will ensure backup data is available when needed and support business continuity strategies.

7. Network Segmentation

Common Expectation: Districts should segment networks to segregate sensitive data from users with no justification to access the data and limit the spread of malware across the network. Access rights should be documented.

Frequently Observed: Network segmentation is often limited or insufficient, with inadequate protection against lateral movement. All users on the network have access to systems hosting sensitive data. Access rights are not documented and inconsistently enforced.

Implication for Districts: Proper network segmentation restricts access to sensitive data to those with a justified need for access, and limits the potential spread of threats within the school network. Administrators should document and enforce access controls.

8. Cyber Insurance

Common Expectation: Districts should have a robust cyber insurance policy in place. The policy should be accurately represented, and leadership should have a comprehensive understanding of the coverage details. Leveraging cybersecurity services provided by the insurance company is recommended.

Frequently Observed: Some districts remain uninsured or have reduced coverage over time. Policies do not provide adequate compensation for the cost of handling incidents and attacks. Policies are often misinterpreted, and districts may lack knowledge of key contacts and resources.

Implication for Districts: Cyber insurance can serve as a safety net for districts, offering financial protection in the event of a cyber incident. Administrators need to review and update their policies regularly, ensuring accurate representation and understanding of coverage details. Proactively leveraging the additional services provided by the insurance provider can enhance the overall cybersecurity framework.

The Takeaways

Cybersecurity is a continuous process requiring ongoing vigilance and adaptation. By staying informed, investing in appropriate solutions, and prioritizing user education and training, school districts can mitigate risks and protect their valuable digital assets, ensuring a safe and secure environment for students, staff, and stakeholders.