Helpful Reminders Addressing Cybersecurity in PK-12 Education

Coby Culbertson, Chief Technology Officer at Dubuque Community School District

Through this article, Coby Culbertson, Chief Technology Officer at Dubuque Community School District, stresses the critical importance of cybersecurity in PK-12 education. He recommends practices like least privileged access, multifactor authentication, and regular phishing awareness training to combat threats and enhance school districts' security.

Among all the competing priorities and concerns that technology leaders face in PK-12 education today, cybersecurity always remains at the top of their minds. School districts across the country and the globe continue to be the target of cyber criminals and malicious threat actors seeking to cause severe damage and disruption to the instructional delivery and operations of the organization. When school districts are the target of these nefarious attacks, the children, families, and communities are most impacted.  

Therefore, as a reminder, school districts can implement many practices and security measures to help prevent malicious activity by threat actors. The following (certainly not an exhaustive list) are some of those practices and security measures to help position a district against these adverse events:

● Adopt a least-privilege philosophy in which users' computer and system access rights are restricted to only what is needed for their job or learning.

● Implement an extended detection and response (XDR) solution that collects, correlates, and analyzes signals, threats, and alert data across their environment, including endpoints, emails, applications, and identities.

● Adopt a Secure First, Remediate Later (SFRL) stance regarding staff and student user accounts. This means that if any unknown or abnormal activity is detected on a staff or student user account, the account is automatically disabled, preventing system access until an investigation of this activity has been performed.

● Beyond complex password policies and the use of a password manager, districts must implement multifactor authentication (MFA) for their staff as a layered approach to securing the organization's data and systems.

● Provide monthly cybersecurity awareness training for all staff, including brief training videos and assessments. In addition to the awareness training, districts must conduct rolling, daily phishing tests to simulate some of the highly used tactics, providing awareness and helping district staff identify and exercise caution when handling suspicious email messages.

● Subscribe to various services provided by federal agencies and affiliated entities to complement their cybersecurity posture.

Unfortunately, no technology system on the market today can provide 100 percent prevention against malicious activity, eliminate all risks, and circumvent human decision-making. So, even with the above various solutions and protective measures in place, the best prevention to ward off malicious activity by a threat actor is education.

Since malicious activity is most often delivered via email, end users must exercise caution when responding to email messages. Districts should encourage their users to:

● Slow Down and Look for the Visual Cues - Take a few moments to examine the message sender and contents.

● Never Trust and Always Verify - If the message appears to be from a reputable source but the content appears strange, contact the individual through a channel other than email to verify whether it was from them.

● Think Before You Click - Before clicking the link(s) in a message or downloading attachment(s) accompanying the message, ask, “Do I trust the source?” or “Was I expecting this message?” or “Is the content/attachment included something that pertains to me?”

● When in Doubt, Throw it Out - If users don’t feel comfortable acting on a message they receive, they should delete it. If the message is legitimate and essential, the sender will most likely contact them through another communication medium for follow-up.

Cyber actors will do whatever they can to deceive individuals for their gain or benefit, and email is usually the attack method they choose to achieve this fraudulent activity. For cyber actors, phishing email activity is low risk and, if successful, high reward, and there is usually no recourse to undo the damage caused. 

Cybersecurity is a natural, significant threat to school systems. Everyone is responsible for safeguarding personally identifiable information about students, faculty, staff, and financial accounts containing taxpayer resources from falling into the wrong hands.

 
