Don’t Let Cybercrime Catch You by Surprise

There’s no way to eliminate the risk of cyber-crime altogether, but if you have the right safeguards in place, you are likely to be a less attractive target.

Among the many after-effects of the pandemic, schools have become even more vulnerable to cyberattacks. Their increased reliance on digital technology and distance learning has made schools a ripe target for ransomware and other kinds of cyber-crime. The cost of keeping up with cybersecurity is top of mind for school districts. In its cybersecurity assessment of the 2022-23 school year, the Center for Internet Security found that 81% of respondents cited lack of sufficient funding as a top security concern.

While it takes improvement efforts to maintain the current posture, the good news for school districts is that a little bit of investment in cybersecurity can go a long way towards preventing cyber incidents.

There’s no way to eliminate the risk of cyber-crime altogether, but if you have the right safeguards in place, you are likely to be a less attractive target.

An effective management program does not have to cost much. Effective monitoring of existing resources, planning for incident response, and engaging relevant stakeholders before an incident takes place are essential, and relatively inexpensive, elements of preparation.

Your district probably has emergency preparedness and cybersecurity protection programs. But are they up to date? From an organizational perspective, when is the last time you revisited the following key areas to help prevent and respond to cyberattacks?

Incident response plan. Even if you have an incident response plan, take regular steps to keep the plan at the forefront of cybersecurity preparedness. Make sure you have designated personnel to manage incident handling. Establish and maintain an incident response process, conduct routine incident response exercises as well as post-incident reviews to identify areas of improvement.

As staff and systems change, incident response plans need to be updated on a regular cycle. Update contact information for employees, critical vendors/service providers, insurance providers and/or outside counsel. Determine the right way to reach people, whether that is by email, text message or another means. Make sure the method is practical enough to be used in an emergency.

It’s not enough to say you have an incident response plan that’s shared on your network; people need to know where to find it during an emergency. Make versions available in multiple locations for out-of-band access such as physical-print, off-site, or cloud storage.

Communications. During a crisis, communications are critical. Effective communications take advance preparation and planning. As you think about your emergency preparedness, consider these questions: What communications can we prepare and have approved in advance? Who is authorized to make statements in the event of a cyber-attack? Is that person known to everyone? Is there a designated alternate? Do you have a strategy for communicating with your team if your main communication channel is down?

Training. From an organizational perspective, when is the last time you revisited your cybersecurity training programs? What types of techniques and topics are addressed in those trainings? What are the metrics you use to monitor the effectiveness of your protections? How do you communicate the latest cyber threats for awareness?

Your district’s IT administrators should carefully select topics to include in the training program. Important areas to cover include detecting spoofed/falsified e-mail senders, overly urgent messages, and external communications that include attachments, links or form fields.

Your central administrators are likely to be prime targets for cyber-attacks. They can set an example and raise awareness by sharing their experiences with teachers and staff. They can ask employees, “Have you ever received an email — purportedly from an administrator — requesting information, soliciting financial transactions or asking for organizational details?”

Program Lifecycle. The CIS report also identified lack of a cybersecurity strategy as a top concern by 47% of participants in its recent Center for Internet Security survey of K-12 schools. So as you pause to ensure that the tactical plans are in place and up-to-date, take a moment to review the overall cybersecurity program with a new perspective.

As your technology landscape evolves over time, so do threats and risk. Revisiting your district’s cyber strategy can help link protection and response capabilities so that you are better prepared when the world becomes more unpredictable.

Back to top