TASB Risk Management Fund

8 Takeaways from Education Cybersecurity Summit

January 10, 2022 David Wylie

Cybersecurity summit presenters

Summit presenters Roger Egle of Bridgeport ISD, Sonya Butler of Lancaster ISD, Marcy Barker of TASB Risk Management Services, and Allison Clark of national law firm BakerHostetler

When the Fund assembled a team of technology, claims, and legal professionals to share their expertise during Education Cybersecurity Summit, we knew we’d get a range of perspectives and insight. Still, two themes were woven into every presentation and panel discussion:

  1. Criminals consider schools easy targets because they often lack personnel and tools to safeguard their networks.
  2. You might be outnumbered and under-funded, but you’re not alone in pushing back on cybercrime.

Successful cyberattacks have exposed schools’ sensitive data, strained budgets, and even undermined public trust. If you apply these eight summit takeaways, you can fortify your digital defenses and control the costs that come with cybercrime.  

1. It’s not if; it’s when

Not long ago, most cyberattacks were engineered by “techies” who expertly released trojan horses on unsuspecting networks and made bots bend to their whims. Nowadays, anyone can buy user-friendly tools that make it easy to cash in on the big business of cybercrime

“We’re not talking about a hypothetical risk that could impact schools in the future,” said TASB Cybersecurity Consultant Lucas Anderson. “Cybercrime is here. It’s not a matter of if you’re attacked. It’s a matter of when.”

Statistics support Lucas’ point:

So, enough doom and gloom. What’s the solution?

“Cybersecurity can’t be an afterthought,” added Lucas. “Schools need to take a proactive, strategic approach to protecting their systems. It starts with getting buy-in at all levels of the organization.”

2. Cybersecurity is everyone’s responsibility

The duty to install firewalls, virtual private networks, and multifactor authentication systems is best left to your IT professionals. But TASB Risk Management Fund Associate Executive Director Dubravka Romano said strong cybersecurity programs are built on more than technical solutions.

“School cybersecurity is not just an issue for your IT team or insurance company to address,” said Dubravka. “It’s an enterprise-wide risk that requires an enterprise-wide commitment to defend against.”

Everyone on your team should do their part by following basic best practices such as keeping passwords private, avoiding public Wi-Fi, and verifying requests to change vendor banking information. The goal is to embed cybersecurity in your organization’s culture, and culture starts at the top.

3. Board members play a role

Your Board of Trustees can support your cybersecurity initiatives if you engage them in the process. Invite IT representatives to appropriately report vulnerabilities and progress during board meetings. You should also identify cyber champions who can make a case for cyber resources to the board.

Board members don’t have to be IT professionals to play a role in cybersecurity. They can ask big-picture questions relevant to any strong program:

  • Do we have an incident response plan that includes roles for every level of the organization?
  • Are our backups secured?
  • How often do we run software updates, and are they manual or automated?
  • Do we have an acceptable use policy?
  • How can I support your schools?

4. Legislative activity is ramping up

The frequency and severity of cybercrime have captured the Texas Legislature’s attention. In 2017, lawmakers introduced 13 bills that included the term cybersecurity. That number grew to 61 bills in 2021.

Recent high-profile legislation requires schools to:

  1. Develop a cybersecurity plan.
  2. Appoint a cybersecurity coordinator.
  3. Report data breaches.
  4. Provide cybersecurity training.

For more information about school cybersecurity legislation, download this TASB Legal Services Q&A.

5. Your vendors could leave you vulnerable

From financial transactions to remote collaboration, vendors deliver technical services that support your operations. Sometimes, they also leave networks vulnerable.

Vendor security issues have caused at least 75 percent of all data breaches affecting U.S. public K-12 school districts over the past two years, according to the K-12 Cybersecurity Resource Center. Karen Fuller, director of network infrastructure and communication at Cypress-Fairbanks ISD, is part of a group working to protect schools.

“A vendor’s mistake could expose you to scrutiny under student privacy laws such as HIPAA and FERPA,” cautioned Karen. That’s why every school should have a data privacy agreement (DPA) in their terms of service with vendors.”

DPAs allow your district to dictate how vendors use and protect your data. Karen encourages schools to consider adopting the standardized national DPA and Texas-specific DPA.

6. Employee training is the cornerstone

In 2017, a hacker posing as superintendent of Manatee County schools in Florida sent an email to a district payroll employee requesting every staff member’s W-2 form. The payroll employee complied, and with a few keystrokes, 7,700 tax documents whizzed through cyberspace and landed in the hacker’s inbox.

“When it comes to defending against cybercrime, employees can be your weakest link or your strongest defense,” said Todd Pauley, cybersecurity coordinator at the Texas Education Agency. “If you’re struggling to identify where to invest limited funds, start with staff training.”

Todd offered three tips for giving employees the tools they need:

  • Schedule training at least quarterly to keep up with evolving threats.
  • Focus on staff that has access to district funds and systems with sensitive information. The Texas Department of Information Resources (DIR) offers a free training module that meets state requirements.
  • Include tabletop exercises in your training program. They give staff the chance to practice what they’ll do during and after an attack.

“There’s no such thing as a failed drill,” added Todd. “Take the opportunity to identify your vulnerabilities and improve your security plan.”

7. The bad guys collaborate. So should we.

Last December, the FBI alerted public schools to a risk in ransomware attacks that stole district data and disrupted distance learning. The alert was a product of information sharing and analysis organizations (ISAOs).

“Cybercriminals constantly share ideas for breaking down schools’ defenses,” said Jonathan King, statewide cyber resilience and resource manager at the DIR. “When they find strategies that work, the word spreads fast. ISAOs provide a forum where the good guys collaborate and stay one step ahead of criminals.”

ISAO members can report threats confidentially, learn about trending crimes, share lessons learned, and access budget-friendly solutions. Here are a few ISAOs your schools should explore:

Pro tip: Visit the Texas ISAO website to sign up for alerts and report threats.

8. The cyber insurance market is challenging

The explosion of cyberattacks is creating challenging, volatile cyber insurance market conditions. Most insurance carriers are tightening their underwriting guidelines, limiting or declining coverage, and increasing premiums.

At renewal time, schools need to demonstrate that they maintain effective cybersecurity practices. With that in mind, carriers are asking questions such as:

  • Which staff roles and resources are dedicated to cybersecurity?
  • What are your internal cybersecurity policies and protocols?
  • What cyber events and losses have you sustained?

Pro tip: Explore whether you can apply Elementary and Secondary School Emergency Relief Fund (ESSER) Grants toward your security efforts.

Take advantage of your resources

Education Cybersecurity Summit is an example of how regulatory agencies, educational organizations, and other stakeholders are coming together to stamp out cybercrime. The campaign includes resources every school can access at no cost:

Fund members with Privacy and Information Security coverage benefit from training and consultation services delivered by our dedicated cybersecurity consultant.

Tagged: compliance, cyber, "cyber security", cybersecurity, "data breach", "Privacy and Information Security", ransomware