People, plans and passwords: School IT managers outline best cybersecurity practices
The most effective cybersecurity solutions don’t always come from the most expensive hardware or the most advanced software, a group of K-12 IT and security professionals said Tuesday.
Sharing the best practices for schools and districts in preparing for, managing and responding to cybersecurity threats, the professionals — all panelists on a webinar hosted by the Consortium for School Networking (CoSN) — agreed that consistent training, thorough knowledge of the network and a proactive security team were the most efficient methods.
A people-first approach
For many districts, some of the largest gains in security can be made through relatively simple measures, the panelists said.
“A generic password and username can cause a tremendous amount of problems on a well-planned security infrastructure,” said Nathan Mielke, technology services director at Hartford Union High School in Wisconsin. Periodic password resets, comprehensive inventory information and consistent backup procedures were all mentioned as good security habits, but one particularly effective solution — according to Ryan Cloutier, principal security architect for the Technology and Information Educational Services (TIES), a Minnesota technology collaborative that helps school districts use technology effectively — has nothing to do with hardware or software.
“For me, it’s people. It’s all about training the people and raising awareness,” Cloutier said, “so that as we go through things like identifying our risk, it’s an easier conversation to have if the people we’re having that with are already somewhat security-aware and familiar.”
Getting “people” — meaning IT staff, teachers, administrators and anyone else with access to the school network — on board with school-and district-level cybersecurity standards was a recurring suggestion among the panelists.
Diane Doersch, CIO and CTO at the Green Bay Area School District in Wisconsin, referenced a program in her district known as the “Friday Fast Five,” which are five tips or concepts about technology and security distributed via email newsletter every Friday. The newsletter has included suggestions for creating strong passwords, how to spot phishing emails and steps to take to recover after a phishing attack, Doersch said, and over a four-year period of the publication, she believes that it’s been a boon for promoting cybersecurity practices throughout the district.
Cloutier emphasized that people present the best opportunity for overall security improvement.
“Really, what we’re asking [teachers] to do is change their behavior,” Cloutier said. “At the end of the day, that’s the goal of all cybersecurity initiatives — to change the behavior of the people through the use of people, process, technology and tooling. Start small, do it very often, but begin the conversation.”
Knowledge is power
Following a security breach — a worst-case scenario for a district IT department — keeping the confidence of your staff is key, Doersch said. To maintain that confidence, she said, the staff have to be in control of the situation and aware of the current threat environment.
“To detect an incident,” Cloutier said, “you need to have staff trained to know what an incident looks like.” Thus, “train, train, train” was the mantra echoed by the panelists — and when training isn’t enough, curious and proactive employees are the best people to have, Mielke said.
Mielke noted that, following a Gmail spoofing attack last year, his IT staff was scouring popular forums like Reddit to find potential solutions within 15 minutes, rather than waiting for an update or patch to arrive later.
A base-level knowledge is also critical for an effective incident response plan, Cloutier said.
“Know what you have. Have an effective inventory of systems and applications,” he said. “In my experience, probably 60 percent or better of the districts that I’ve assessed didn’t have a complete understanding of what’s in their environment.”
Simple monitoring was also stressed as a preventative measure.
“One that I think gets overlooked a lot is network monitoring,” said Will Brackett, IT infrastructure manager at Oak Park Elementary District 97 in Oak Park, Illinois. “Not necessarily on hardware, could be just software … but you really have to know what’s going on in your network before you understand what’s not right.”
Mielke also emphasized the importance of knowing how to use the tools at your disposal, especially in incident-response situations.
“If you purchase [security systems] and you don’t know how to use them, you’re not doing yourself a bit of good. You just have another thing sitting on your network … and you don’t know what it’s saying or reading,” Mielke said.
Brackett noted that knowing what the “normal” state of your network looks like in contrast to what it looks like under duress is another imperative for IT teams. The sheer amount of bots and scripts constantly attacking networks, he said, makes it even more important for security professionals to understand what will change in a network that has been compromised, or what “abnormal” looks like.
Cloutier shared that he sees roughly 500,000 attacks per hour on the school networks he monitors — far more than a small IT team can be expected to handle with 100 percent success.
The panelists agreed that planning incident response procedures ahead of time is the best way to mitigate potential damage from any attacks, and Cloutier added that for smaller districts and schools, partnering with the private sector is sometimes the most effective tool at an IT team’s disposal.
“The bad guys unfortunately don’t differentiate between a small, rural district and a big city district, and unfortunately, the good guys have to have the same skill set no matter where they are,” Cloutier said. “So, back to where I started — train, train, train, people, people, people, and if you can’t do that, find a partner.”