In the interconnected world today, technology is driving a digital transformation in Public and Private sectors. Digital transformation is the use of newer, faster, and frequently changing digital technology to solve problems. It is about transforming processes that were non-digital, or manual, to digital strategies. One example of digital transformation is cloud computing.
All school districts are in the midst of a digital transformation today. Because supply chain and third-party vendors are candidates for cyber-attacks, it is essential to prepare by implementing a repeatable cybersecurity program that addresses these risks. A repeatable cybersecurity program includes, but is not limited to, an internal risk management program and process, along with active participation with supply chains and third-party vendors. The risk management program and processes reduce the potential exposure of PII and PHI data.
Do you think your school district is not a target that can be compromised? Think again! Every organization has data an attacker wants. An attacker could be an employee or perhaps a bad actor. Remember attacks like Target and Home Depot? Your school district could be targeted for the information within your district’s system or the potential access to the systems of other agencies or vendors.
Nowadays, public schools are prime targets, and these are not WHAT-IF scenarios; they are WHEN scenarios. What would a bad actor want from a school district? The first thing that comes to mind is a list of personal information about the students. Data obtained can be used to exploit other systems and for social engineering tactics. Desirable student data may be stored in a system such as a Student Information System or even in a simple Excel document. Would your IT folks know if data were being exfiltrated? If the data is not adequately managed, protected, and classified, an employee or hacker could easily find and extract files.
How can hackers gain access? Let’s dive into the thought process from the hacker’s point of view! Can I perform an email phishing campaign on the third-party IT vendor? Can I phish a student or a teacher/professor to collect credentials to access the internal systems? Do I have access to the email system or cloud-based systems to capture and manipulate traffic?
In response to these threats, NYS has adopted NYSED Law 2D and many school districts are adopting the NIST CSF framework to strengthen their cyber programs and comply with the regulation. The safeguarding of data is of utmost importance as regulatory fines and reputation damage can bring unfortunate circumstances to any organization. Data privacy and data management are essential in protecting these critical assets.
Are cyber programs only about controls? No, cybersecurity is an organizational evolution that requires a cultural change from the top down. Buy-in from the school’s board of directors is necessary for the educational system to adopt a cybersecurity program. Creating a “See Something, Say Something” culture throughout the school systems will bring cybersecurity awareness to the forefront. The continual reinforcement of cyber-hygiene will build a solid foundation of security and awareness throughout the organization.
So how do school districts achieve the goal of NYSED Law 2D compliance and reach an acceptable cybersecurity comfort level? To avoid overwhelming districts, small milestones are set along a roadmap so that each district can build on its current progress and continue toward a successful program.
The first step is knowing what you have, and implementing a comprehensive asset management program can become overwhelming. Taking a holistic approach starts with identifying the most critical assets, value streams, and data flows, and applying cybersecurity measures to these essential processes of the organization. For this to succeed, staff from multiple departments must come together to brainstorm and map out each strategy. A review of the business processes may also shed light on existing inefficiencies and cybersecurity issues.
Using a system to track the progress, such as the NIST CIS 20 controls, can help guide the school district through the process. Once the current and target profiles are defined, a risk assessment will determine what each school district needs to implement to reach its target profile. Every educational ecosystem has a different risk appetite, which should be set by the board of education; comparing the current profile against the target profile will reveal the gaps in all systems and define the remediation plan to be performed.
As each value stream and business process digitizes, the protection of assets and training of students and staff become highly important. The time is NOW to start adopting a cybersecurity framework program in your organization. Adopting the NIST CSF will guide you through the cybersecurity evolution and lead you on your way to a successful cybersecurity program.
Joseph Horowitz
Director of Audit
This article was also featured in our newsletter Lesson Plan Vol. 23