4 ways to brace for school safety plan leaks following a cyberattack | #schoolsaftey

This audio is auto-generated. Please let us know if you have feedback.

With cybersecurity a ballooning top concern for ed tech leaders, the severity and scope of K-12 cyberattacks is also growing. Districts are also sorting through a time when school officials remain on high alert a year after 19 students and two teachers were massacred at Robb Elementary School in Uvalde, Texas.  

School safety protocols vulnerable to cyberthreats can include building maps, evacuation plans, security camera layouts, network architecture and more. 

Should these plans leak to the public following a cyberattack, there are strategies districts can use to avoid or better handle such a situation. We spoke with school safety and K-12 cybersecurity experts, who shared the following four approaches for navigating the threat.  

Store safety plans on a separate, more secure server

In a lot of cases, school safety documents go into a file share server, which is a computer that stores and manages data files allowing others on the same network to remotely access, said Amy McLaughlin, an information security expert with the Consortium for School Networking. 

“They may have limited access, but people don’t necessarily plan in advance for what level of security and separation do we need for those items to have from the rest of our systems,” McLaughlin said. 

When planning how to store and protect a school safety plan, McLaughlin suggests districts start to consider a clear list of goals: “What are your requirements? Does it have to be secured to only five people? Does it have to be accessible 24/7? Do you have to have access from multiple locations?”

Once those requirements are established, districts can then decide where to keep the records, she said. One option is to put the plans in a separate cloud environment from a school’s typical network storage. Leaders can then limit access and own that storage space very carefully, McLaughlin added. 

Storing physical copies of the plans is an option, as well, she said, but that can pose several risks. Hard copies can be subject to fires, accidental recycling or overall potential exposure. 

However, districts could also consider implementing both, McLaughlin said. “An option is to have it secured in a separate location in the cloud or segmented off in your network with very tight controls, and have a physical copy stored in a safe deposit box in a bank or a fireproof safe in another location.”

Train staff or hire a virtual CISO 

School IT departments have historically hired former teachers, librarians and principals, said Kenneth Trump, president of consulting firm National School Safety and Security Services.

“While their passion, interests and efforts are certainly unquestionable in terms of doing the best that they can, oftentimes, No. 1, it’s from an instructional perspective,” Trump said. But “they don’t have that level of network security education, training and experience.”

On top of that, districts have difficulty finding full-time employees dedicated to school network security. That’s why it’s important to put more investment into staffing and training for school cybersecurity, Trump said.

Having trained cybersecurity staff is helpful for thinking through the requirements and implementation process of protecting school safety plans, McLaughlin said. It’s especially helpful if a district’s IT staff has high-level training in data segregation and sensitive data management, McLaughlin added. 

But if full-time cybersecurity staffing is a challenge, she suggests working with a virtual chief information security officer to help walk through the steps for securing school safety plans as an alternative. 

Balance publicly shared information 

While it is most certainly not recommended, Trump said he has seen several cases where districts still put their emergency plans on their websites.

But even on a smaller scale, districts still share their class or bus stop schedules for the public to easily find, he said.

“Who needs to be able to get that information?” Trump asked. “Someone with ill intentions can now identify kids are in transition for these three minutes.”

Overall, Trump often asks districts to reevaluate the kind of information they share on their websites. 

Source link


Click Here For The Original Source.

National Cyber Security