A recent study by the nonprofit Center for Internet Security says cybersecurity incidents aimed at K-12 school systems could jump by as much as 86% in the coming academic year. Now, more than ever, it is imperative to assess AND address any vulnerabilities in your security environment.
For any organization, public or private, security risk assessments and penetration testing are necessary. Compliance and an ever-changing cyber threat landscape require constant threat management. However, for a district to create a true culture of cyber security, those tactics must be part of a cohesive, long-term security and risk management program. Like any department or discipline, cyber security should have a structure, a strategy, resources to execute, and measures of success.
According to an article in State Scoop, an alert released in conjunction with the Multi-State Information Sharing and Analysis Center (MS-ISAC) stated that the start of a new school year may also bring more cybercriminal activity. As students settled in for an uncertain pandemic year last August and September, K-12 districts accounted for 57% of all ransomware incidents reported to the MS-ISAC. Numerous industry studies have attributed some of that growth to the fact that widespread remote learning made school systems much more dependent on technology and greatly expanded the number of vulnerable endpoints on their networks.
Having provided over a decade of cyber security services to public agencies, I have found there are five key elements agencies should consider as a baseline for making cyber security a core competency.
Third-party application and vendor management
Think about all the third-party applications we use as part of our everyday work lives, particularly in PK-12 education. These include communication tools for your customers or clients, and other SaaS platforms that collect citizens' personally identifiable information (PII), which creates a further risk that the data is misused or redistributed. Knowing these vendors have the appropriate security controls in place to keep that data secure should be your number one priority. Bottom line: you need a formal program around security standards for third-party vendors with access to PII. When departments within an agency buy applications independently without telling IT, risk increases drastically, because nobody is assessing those vendors or tracking where the data goes.
Establish an Infosec and Risk Management Program
Cyber security, just like any discipline, needs a long-term strategy, operations and management resources, and discernible measures of success. For example, how does cyber security provide value back to the agency? Historically, Infosec has been considered an afterthought in many organizations, and in most a subcategory of Information Technology (IT). Limited resources are a reality in the public sector, and cyber security may need to continue to live as a subset of IT. To achieve stakeholder buy-in, find a partner to help you create a cross-functional "strike team" that builds a long-term strategy. There must be tangible cyber security goals for the organization, and all employees should understand that information management is everyone's responsibility.
Monitor your network 24/7
Many consultants don't offer this as part of their portfolio, which is why you should ask about it up front. How would you know you are experiencing a cyber threat if you aren't monitoring your network? As your cyber security program matures and your enterprise continues to harden its security posture, a 24/7 network monitoring service with security operations center support is crucial. That operations center can triage and respond to alerts and potential incidents as they happen, rather than after the damage is done. Once again, be sure you are building this into your strategy before investing money in a long-term service.
Establish a Chief Information Security Officer resource
Whether this is internal or external like leveraging a program such as a virtual Chief Information Security Officer, it is critical to have a voice and ownership in the security space. As part of a robust information security program, you need a resource that:
- Continuously evaluates the overall security posture of the agency.
- Develops, maintains, and implements information security policies and procedures.
- Manages security hardware and software.
- Develops and implements security training and awareness programs for all staff.
- Addresses compliance requirements over the long term.
- Acts as a voice at the highest level of leadership within the agency to provide an information security lens to all agency activities.
Regardless of our take on the various regulations and requirements, we all know compliance is part of doing business today. We also know that keeping up with all the standards can be daunting and very expensive. To address this burden on IT and security leaders, an outside consultant can often be the best choice.
At MGT we've implemented a Virtual Compliance Officer program that streamlines compliance requirements as they relate to security assessment needs and security control implementations. On the assessment side, our hybrid assessment covers a variety of standards in one engagement rather than assessing each separately. This results in a more comprehensive assessment, which means our clients save money. Whichever path you choose, the bottom line is the same: find a way to streamline your compliance efforts.
How can you combat cyber threats now?
These are just some of the fundamental elements of a robust information security risk management program. It is necessary to stress the importance of having a long-term cyber security plan to manage cyber threats and make security a core competency across your organization. Furthermore, don't spend a dime on flashy hardware and software until this plan is in place and you have a way to operate them effectively. Your plan may reveal key procedural and "people-driven" items you need to address first, and even then, you may not have the budget to maintain some solutions over the long term.
For those looking to implement security solutions, my team helps IT and Infosec leaders and agencies change the way information security is viewed as part of overall operations. Just like any other department or core agency function, your cyber security plan needs to be championed, phased, scalable, and sustainable. This is how public agencies make cyber security a core competency. To this end, our philosophy in helping agencies build robust cyber security programs is to provide solutions that one day "work" us out of the job.