Action Steps

Wondering what you can do to prepare your district or organization? Take action with these steps. They will assist you in preparing your organization to plan and respond for cybersecurity challenges.

Step 1 - Table Top Game - When Disaster Strikes

The Game_ When Disaster Strikes

The Game

“It’s the processes and procedures, working with all the other customers. We have to get them to understand the importance of planning. One way is to do tabletop exercises to practice to see what we would do in the event of an event,” said Mark Gabehart (Round Rock ISD). As Mark’s voice filled the respectful silence as he spoke, his turn of phrase caught my ear. Whatever did he mean by “tabletop exercises?”

In this blog entry, we’ll discuss the value of tabletop exercises for cybersecurity, disaster recovery, and business continuity. You will also find a complete game that you as a technology leader can use right away.

Step 2 - Take Ten

Step 3 - Raise Awareness for End Users

Is There a Problem?

Are Your Personal Records CyberSecure?

Government agencies, businesses, hospitals and universities are the frequent targets of staggering data breaches that can affect millions of people. Two examples:

Texas Dept of Agriculture compromises the data for 39 school districts (ransomware attack on an employee's laptop)
Office of Personnel Management case, 21.5 million workers were impacted.
Equifax breach with several million affected).
FAFSA (Student Financial Aid Program by IRS)

Individuals' personal information is scattered to unknown reaches of the globe.

Are IT Directors/CTOs/CIOs Keeping Student/Staff Cybersafe?

Experts say K-12 schools are also at risk — from outside threats and students who want to stir up trouble — as they rely more on technology for day-to-day operations and incorporate more software, apps, online programs and Web-based testing into classes.

“I don’t think there’s a school district in America that doesn’t have important digital assets sitting on a computer somewhere that needs to be protected,” said Michael Kaiser, executive director of the National Cybersecurity Alliance. “We know schools sometimes don’t like to report incidents. Responding right away and bringing in law enforcement should be encouraged.”

Adapted from Source: Cybersecurity in K-12 Education

Consequences for Schools

There can be various consequences to not securing data, such as the following:

Direct costs are incurred by school districts for having to notify individuals whose confidential data has been compromised, as well as notify credit agencies.
The cost of paying for credit protection for individuals affected.
The school district may suffer damage to reputation.
Staff may be disciplined or terminated depending on the severity of the data breach.
Ongoing bad press as identity theft cases mount.

Step 4 - Collaborate with Admin to Set School Policy

Failed cybersecurity efforts represent a problem at large for society. The consequences are also felt in schools given improperly trained staff, students, and a lack of policies and procedures.

Cybersafety has a direct impact on the cybersecurity of an organization. The less cybersafe staff and students are, the greater the threat to personally identifiable information (PII).

Need more training and technical info?

Access free training on CyberSecurity Topics and CIO Insight

Get the ebook (ePub) | Google Docs

Step 4 - Prepare for Anything

Cybersafety attacks (e.g. ransomware, hackers) may damage data so badly that you may need to implement a portion of your disaster recovery and business continuity plan.

When Disaster Strikes, the theme of the October 11, 2017 Technology Leadership Summit , garnered a variety of insights from participants. In this blog entry, we’ll explore the first two of five insights. These insights flow from the experience of Texas technology leaders and can help you prevent natural and man-made disasters from crushing your district’s operations.

Insight #1 – Cross-Departmental Collaboration

“Process. The process has to involve HR, Business Office, and M&O,” said David Jacobson (Lamar Consolidated ISD). The Executive Director of Technology for Round Rock ISD agreed. “It’s the processes and procedures, working with all the other customers. We have to get them to understand the importance of planning. One way is to do tabletop exercises to practice to see what we would do in the event of an event,” said Mark Gabehart (Round Rock ISD). In these situations, it is important to 1) recognize the need; 2) clarify the depth of the hole the organization is in; and 3) present a plan to never be in that hole again. Make sure your district has an equipment replacement plan. And that is then followed by a disaster recovery and business continuity plan.

TCEA_Disaster Recovery and Business Continuance - Not an Either Or.pdf

Insight #2 – Disaster Recovery Planning Resources

“There are genuine resources out there to put plans together. It’s been frustrating to find resources, but now I know about various resources. We have a disaster recovery plan, but I didn’t realize how huge the business continuity plan was. How do we continue doing business?” It’s unsettling to realize that if you have no equipment to load all your backup data into and make it work, your district can’t overcome the disaster. What’s worse, the cost of recreating a network operations center (NOC) would be exorbitant, not to mention duplicating network/internet connections to district locations.

To help you think through these issues, here are a few documents shared at the Technology Leadership Summit:

Michael Knight (CEO/CTO of Encore Technologies, TLS17 Event Sponsor) shared his slide deck on the topic, providing several snapshots documenting the evolution of disaster recovery from multiple NOCs to the hybrid cloud.
Frosty Walker (Chief Information Security Officer of Texas Education Agency) shared his slide deck and other resources available at the Texas Gateway, including the DIR Incident Response Team redbook.
Sample disaster recovery plan
David Carpenter (Huffman ISD) on I’ve Been Hacked…Now What?
Edward Doan (Google) provided his slide deck on Google Cloud Storage, as well as was able to record a short voxercast discussing the topic.

Insight #3 – Systems Approach and Assessment

Conducting a needs assessment remains a critical first step. Moving forward from that benchmark assessment can involve developing a design of how data flows in the district and how it can best be maintained, backed up, and set up for disaster recovery/business continuity.

More detailed suggestions, as well additional insights, appear in the two part blog entry, "When Disaster Strikes." Read Part 1 and Part 2. You are strongly encouraged to review them in more detail since they capture CTOs' wisdom.

Step 5 - Be Prepared for When, Not If

Hacked_Now_What.pdf

Encryption Safe Harbor

Did you know that if data is encrypted and a data breach occurs, you are not obligated to report it? This is the power of data encryption and can potentially spare the District from unnecessary litigation and expense. This is known as an encryption safe harbor. Texas defines a data breach in terms of sensitive personal information only if the data items are not encrypted (Source: Data Breach Charts, Baker-Hostetler).

What steps should you take when your school or district organization has been hacked?

Contain
Assess
Recover
Disclose

Recommendations

Create strong cybersecurity foundations: Invest in the basics, such as security intelligence, while innovating to stay ahead of the hackers.

Undertake extreme pressure testing: Don’t rely on compliance alone; identify vulnerabilities to be able to outwit and outpace attackers.
Invest in breakthrough innovation: Balance spend on new technologies, such as analytics and artificial intelligence, to scale value.

Source: Accenture, 2017 Cost of Cyber-Crime Report

The Results of Poor Cybersecurity and Cybersafety

The following represent case studies for Texas school districts that suffered a data breach during the 2011-2013 calendar years. See more up to date data breach reports at online at Privacy Rights.

External USB Drive Containing PII Left in Car, Later Stolen

An April 19 car burglary resulted in the exposure of student information. An external hard drive containing letters associated with students who applied to the [name of campus removed] was stolen from a teacher's car. The letters contained applicant names, Social Security numbers, dates of birth, home addresses, phone numbers, and previous school district information.

Employee Posts Confidential Data on a Wiki

The District discovered that a number of employees had their names, Social Security numbers, disability plan information, and salary information available on a publicly accessible website. Employees who were enrolled for disability insurance had their information posted in April 2011 on the Employee Benefits/Risk Management website.

Students Hack District's Network Server

Instance #1: Two students may face criminal charges for hacking into the School District's network server and accessing a file with 14,500 student names and Social Security numbers. The students are a high school junior and a senior. Students who attended during the 2008-2009 school year may have been affected.

Instance #2: Hackers accessed a District server and were able to collect the personal information of students, teachers and other employees. There were names, Social Security numbers, and addresses from approximately 63,000 students and 9,000 teachers on the district's internal network (myepisd.org). The District was not aware of the breach until a computer security company noticed hackers bragging about breaking into the District's system. Names, ethnicity codes, and student ID numbers for 26 students were posted by hackers.

The top 5 cybersecurity threats for schools (eSchoolNews)

If your school hasn't thought about cybersecurity as a growing concern, it's time to learn what the threats are and what you should be doing to keep your school, and its data, protected.

Infographics

Google Sites

Report abuse