Considering the recent security breaches affecting schools nationwide, many districts are looking at their own IT environments and assessing whether they are adequately protected. One Flagstaff, Arizona district was forced to close for two days so that district staff could undo the damage from a ransomware attack and confirm that key systems for transportation, physical security controls, and food service operations were secure before schools could reopen.
An effective cybersecurity plan can help reduce the risk of a breach and help guide a district through an attack to minimize disruptions. Think of the staff at the Flagstaff district: they had to work around the clock to secure systems and go through all their computers and devices; students had to miss 2 days of school (though I imagine some were happy about that); and sensitive data of staff and students may have been compromised.
School district officials and board members are entrusted with ensuring that schools are a safe and secure environment. They are also charged with being fiscally responsible and protecting district funds, most of which come from local taxpayers. Without proper cybersecurity resources, a district may be forced to pay the attackers to regain access to its systems, diverting funds that are critical to supporting educational programs (and payment does not guarantee that the decryption keys will work). Districts also need to determine what information was accessed and whether personal information was compromised (see the information regarding Ed Law 2-D below). Even if you don’t pay the ransom, you still have to pay for the additional time needed to restore your network and confirm that critical data has not been altered or exfiltrated. It’s a nightmare situation.
A 2018 Education Week Research Center survey noted that 27% of education technology leaders found significant issues with malware or viruses affecting their systems. Updating passwords may not be enough, especially when staff are forced to change them frequently: mandatory rotation often leads to weak, easily guessable passwords, or, even worse, passwords written down. Current NIST guidance (SP 800-63B) instead recommends screening new passwords against lists of known-compromised passwords and requiring a change only when compromise is suspected, and multi-factor authentication adds a layer that a stolen password alone cannot defeat.
Communication between board members, the superintendent, the technology administrator, and district management is critical to determining how well a district’s computer resources are protected. Everyone has a stake in the operations. Technology and terminology are rapidly changing, and hackers are getting savvier, so it can be overwhelming to know whether systems have the latest and greatest protection against cybersecurity attacks. Below are some questions a superintendent and district management should be asking:
- What fail-safes are in place for hacks and/or natural disasters?
- How quickly can we detect that a system has been infected by malware or otherwise compromised?
- What is our incident response plan?
- Do we have a detailed disaster plan that includes breaches, and has this plan been tested to ensure it is complete and works?
- Have we had a penetration test performed? If so, what vulnerabilities were exposed and what do we need to do to mitigate them?
- Where are the backups being stored and who has access to the backups?
- Are our backups stored in a safe location where the data can be accessed 24/7, such as a private cloud, and is at least one copy kept offline or immutable so that ransomware that reaches the network cannot encrypt or delete it?
- What data is being backed up, and how often?
- Who manages the location where the off-site backups are maintained?
- Does the backup location have redundant power supplies to ensure continuity of operations?
The education sector is among the top 10 industries targeted by cybercriminals because schools maintain data that is in high demand, such as names, social security numbers, email addresses, and health records of students. Schools also connect to many other academic services (textbook publishers, college application sites, college testing sites such as the SAT and ACT, and financial aid sites), increasing the risk that data can be exposed through a third party. Just a few months ago, major educational publishing company Pearson announced that it had experienced a data breach affecting nearly one million students in 13 states. What’s worse, a student may not learn that their personal information has been compromised until years after they graduate.
Learn from the mistakes of others. Be proactive with your cybersecurity approach by having a solid data backup and recovery plan, asking questions, and staying informed on the latest threats and trends.
Ed Law 2-D update
Ed Law 2-D will help technology departments address cybersecurity by imposing requirements for data protection and transparency. Such requirements include protecting personal information, compliance with National Institute of Standards and Technology (NIST) standards, a Parents’ Bill of Rights and complaint procedures, incident reporting, and training.
While these policies and procedures have been best practices, Ed Law 2-D will mandate these practices, giving technology departments more leverage for implementing them. NYSED has laid out actions for districts to implement regarding Ed Law 2-D, including:
- Appoint a Data Protection Officer, plan annual employee training, define parent complaint procedures, and define incident procedures
- Inventory administrative systems, implement employee training, and communicate complaint procedures
- Inventory instructional systems, draft policy (NYSED will make a model policy available), and build awareness of the NIST Cybersecurity Framework (CSF)
- Negotiate contractual terms, adopt and communicate policy, and analyze current NIST CSF profile
- Post supplemental information and complete current NIST CSF profile
- Adopt and publish a data security and privacy policy that aligns with the NIST CSF and implements the new regulatory mandates
This article was also featured in our newsletter Lesson Plan Vol. 21
Shari Diamond, CIA
Partner
Shari has been with Cerini & Associates, LLP since 2008, where she works primarily with the firm’s school district clients providing internal audit and claims audit services. She has over twenty years’ experience performing internal audits, risk assessments, and compliance reviews, as well as recommending processes to strengthen the internal controls environment while increasing efficiencies. Her prior experience at PwC and Northrop Grumman included performing information technology audits.