When it comes to cybersecurity, what you don’t know can hurt you. That’s especially true for school districts, which are increasingly in the line of sight of hackers looking for a quick payday.
With many districts not having all the necessary security expertise in-house, a growing number are turning to external partners to strengthen their security posture and stop ransomware and other cyberattacks that can disrupt education.
Thriving Independent School District in Texas recently hired CDW•G to run penetration tests to find security vulnerabilities so that the district can assess them and take action to remediate them. CDW•G also developed incident response manuals and conducted hands-on exercises with the IT department, better preparing the district to respond to attacks and minimize their impact.
“The evaluations, playbooks and simulation test scenarios have been a huge plus for us. We are better prepared than ever,” says Fernando De Velasco, Prosper ISD CTO.
School districts are tempting targets for cybercriminals because many don’t have the same budget, resources, or staff dedicated to cybersecurity as large corporations or organizations in other industries.
In fact, districts ranked cybersecurity as their top unmet need in 2021 poll of 170 people by the Escuela en Red Consortium.
Click on the banner for personalized K-12 security content delivered to your dashboard.
Schools are fighting back by investing in more security resources, increasingly augmenting their IT staff and turning to outside help to strengthen their cyber defenses.
“When IT teams provide security, they do everything they know how to do, but they can miss some things,” says Frank Dickson, an analyst in IDC’s trust and security research practice. “As humans, we fall into patterns and processes. We don’t think from an attacker’s perspective, so having penetration tests can verify everything you do and illuminate things you miss.”
Conducting Cyber Safety Drills for District K–12 Teams
Every year for several years, Prosper ISD in Prosper, Texas has hired third-party security experts to conduct penetration tests. Last school year, the 20-school district took a more comprehensive approach by turning to CDW•G experts not only to conduct penetration tests, but also to develop incident response playbooks and run simulation exercises.
“We want to make sure we’ve done everything we can, so that if something does happen, we’re in a good place to handle it and resolve it quickly,” says Donna Eurek, director of network services for the district.
During the penetration test, CDW•G engineers attempted to hack into the district’s network using internal brute force attacks. Subsequently, they produced a comprehensive report on how the IT department could improve its security.
“We spent many hours researching the results,” recalls De Velasco.
Prosper ISD, which has a cybersecurity manager on staff, learned that while IT staff were good at regularly patching important apps like Windows servers, I needed to do a better job of patching less frequently used software across the district, as well as documenting and disabling unused accounts, says Eurek.
At Prosper Independent School District, Cyber Security Systems Administrator Ryan McGuire, Director of Network Services Donna Eurek, and CTO Fernando De Velasco use biennial assessments to better protect the district’s network.
CDW•G has also developed six custom playbooks that provide guidance and step-by-step procedures on how to respond to and resolve incidents such as malware, ransomware, and denial-of-service attacks. “It’s a document we can grab to guide us through situations when things get critical,” says Eurek.
To test the playbooks, Prosper’s IT team ran two simulation exercises, or drills, on how to respond to ransomware and malware attacks. CDW•G security experts supervised each exercise.
After the classroom exercises, Prosper ISD IT staff met and debriefed on what they learned and how they could do better. Overall, the simulation exercises were good practice and a good investment, says De Velasco.
“The next time we do these exercises, we will learn more and be even more prepared,” he says. “It’s continuous improvement and money well spent, because it gives us peace of mind.”
Creating a School District Safety Plan
In Oregon, the Beaverton School District hires an outside company every two years to perform a security audit and penetration test to harden their security.
The district, which has 54 schools, caught a security incident before it became a data breach in 2016. That prompted CIO Steve Langford to build a regular cadence of audits into the district’s security protocols.
Each time, a third-party security company spends many weeks analyzing the district’s security governance and risk compliance and running penetration tests from inside and outside the network.
“We have someone who audits our practices and processes, and it becomes our blueprint for our IT security initiatives for the next two years, and then we have someone who does it again,” says Langford.
After the first audit, Beaverton’s IT team realized they needed to do a better job of securing the network from the inside out and updating and patching software quickly and documenting the work.
TECH TIPS: These are the four phases of cybersecurity that school districts must implement.
The second audit helped the district refine its security measures. The district, for example, recently removed administrative rights that previously allowed teachers and staff to install software. This prevents them from inadvertently installing malware.
“That was a tremendous security threat and it came up in our last audit,” he says. “It was one of the biggest things we had to fix.”
He’s also hired a systems administrator to handle cyber security, and said he feels lucky to have the budget to do so. However, everyone in the IT department collaborates to improve security and address issues found in audits.
“It’s really a journey to maturity with regards to cybersecurity,” he says. “Our first audit gave us some really good things to do, and with the second audit it was, ‘here’s the next level of sophistication to protect your systems.’”
Purchasing support services to manage security
External experts can also audit specific software. Every two years, Bloomington Public Schoolswhich has 20 schools in Bloomington, Minnesota, hires CDW•G Amplified CT to audit your use of Google Workspace for Education to better manage user accounts and Chromebooks and ensuring that the district meets security and compliance requirements.
As a result of these recommendations, the district has adopted multi-factor authentication for staff to improve security, says John Weisser, the district’s executive director of technology and information services.
Weisser is also part of an organization called Minnesota School Technology Leaders, where the state’s school district IT leaders discuss IT and security issues and offer advice to each other through an online discussion forum.
Bloomington also augments its own IT team by purchasing support services for key hardware and software platforms. The district recently purchased the new checkpoint software next-generation firewalls. Weisser purchased a service contract so Check Point engineers can help their IT staff when they have security questions or need to adopt important patches.
“The experience of the third-party vendor is very important,” says Weisser. “It allows us to be small and operationally agile, but we can lean on them when we need to.”
LEARN MORE: The National Security Agency builds the next generation of cyber stars.