Cybersecurity isn’t just a technical problem. It’s a people problem, and it’s impacting school districts across the state. TASB Privacy and Cyber Risk Consultant Lucas Anderson recently shared his expertise on this topic during a TASB Talks podcast.
School districts are a target-rich environment, holding protected health information, personally identifiable information, payroll and tax information, and more. Attackers look for the lowest-hanging fruit. In many cases, school districts haven’t had the budget to fully invest in newer security features, a school resource officer to secure the facility, or the training employees need to help them recognize spoofing or phishing attempts.
“People often imagine cybersecurity as being in this box or container. It’s an IT thing, it’s technical solutions and technical challenges. It goes beyond technical solutions and technical challenges. A lot of times, people are the softest targets, and they play a big role in cybersecurity because of their access to technology,” said Anderson.
More than half of all K-12 breaches are caused by insiders, according to the K-12 Cyber Security Resource Center. Many of these breaches are inadvertent. Protected health information could accidentally be sent in an email, or employees might be fooled by social engineering attempts. Either way, it’s still a breach. Another 23 percent of breaches are caused by third-party vendors and consultants making similar mistakes.
When a mistake leads to a breach like this, the person responsible often gets embarrassed and tries to fix it alone, pretends it didn’t happen, or covers it up instead of going through the proper channels. Cybersecurity education can cut that stigma and ensure that staff work swiftly to mitigate a breach. These breaches happen even to highly educated, technical users.
Follow these tips to protect your organization’s data:
1. Invest in Compliance Training
Education is the first line of defense against cybersecurity breaches. Staff at school districts and other educational entities need to comply with cybersecurity best practices and state laws. It is important to hold regularly scheduled compliance training for employees handling protected health information (PHI) and personally identifiable information (PII).
2. Create an Acceptable Use Policy
“You should have an acceptable use policy, and more importantly, know what’s in it,” said Anderson.
An acceptable use policy lays out the framework for how students, staff, and administrators use district-owned technology. This includes what constitutes acceptable internet browsing by students and acceptable software for teachers.
“I’ve talked to educators who, trying to save the district money, downloaded freeware to serve some purpose—increase efficiency in grading—and introduced malware into the system inadvertently while trying to do a good thing,” said Anderson. “An acceptable use policy would say that you have to go to IT if you want to have a piece of software installed on your system.”
Creating the framework and guidelines establishes a baseline for doing the right thing.
“If they don’t know what’s okay, then you can’t expect them to behave correctly,” said Anderson.
3. Implement Cybersecurity Response Drills
A cyber response drill is just as important as a fire drill or a drill for any other emergency. It lets staff get familiar with the procedures and processes that need to take place when there’s an incident.
“You’re going to get hit. What matters is how you respond to it,” said Anderson.
There are a lot of questions that staff need to have ready answers to, including:
- Who needs to be contacted?
- Is there a regulatory obligation to inform someone at the state level or law enforcement?
- Does your district have a procedure for isolating or shutting down affected servers, and does it say who can authorize that step?
- Do you have backup policies in place? If so, who maintains your backups, and have you tested restoring from them? If IT is notified promptly, they may be able to segregate and quarantine the infected network component before it spreads.
- Are you covered in the event of a cybersecurity incident? If you have cybersecurity insurance, you need to notify your claims manager.
Rehearsing these steps and preparing answers to the basic questions helps staff respond to incidents. That is what controls the risk and minimizes the ramifications when you do get hit.
4. Make Sure You’re Covered
What can districts do to protect themselves financially? There are a variety of cybersecurity insurance policies available. Districts need to look at what types of sensitive information they hold to help determine how robust a policy they might need.
If your district has been hit by cybercriminals, it’s more likely that the district will be targeted again, according to Anderson.
“One thing that happens, with ransomware for example,” said Anderson, “people that don’t have routine backups in place and can’t just roll back, they pay. They end up on a list of targets that are known to pay. They get targeted again and again.”
The TASB Risk Management Fund (Fund) provides Privacy & Information Security coverage for Liability and Property members.
New Cybersecurity Legislation Texas School Districts Must Comply With
TASB’s Legislative Summary provides an update on the new laws and what they require of school districts, school employees, the Texas Education Agency (TEA), the State Board of Education, and other state agencies. Below is an excerpt from the Cybersecurity and Technology section of the report.
House Bill 3834—Required Cybersecurity Training for State and Local Employees
Effective date: June 14, 2019
Compliance date: The training must be completed by June 14, 2020.
Required Cybersecurity Training: Annually, local governments (including school districts) must identify employees who have access to local government computer systems or databases and require those employees and the local government’s elected officials to complete a cybersecurity training program certified by the Department of Information Resources (DIR).
DIR-Certified Training Programs: DIR will certify at least five cybersecurity training programs and publish them on its website. To be certified, a cybersecurity training program must focus on promoting information security habits and enforcing procedures that protect information resources, and teach best practices for detecting, assessing, reporting, and addressing information security threats. A local government that employs a dedicated information resource cybersecurity officer may offer its own cybersecurity training program if the program meets the stated requirements.
In addition to the training requirement, the Legislature passed other cybersecurity laws that will affect school districts.
Senate Bill 820—School District Cybersecurity Policy
Effective date: September 1, 2019 (currently no timeline for implementation)
Every school district must adopt a cybersecurity policy to secure district cyberinfrastructure against cyberattacks and other cybersecurity incidents, determine cybersecurity risk, and implement mitigation planning. The district’s cybersecurity policy may not conflict with the DIR-adopted information security standards for institutions of higher education. Each superintendent must designate a cybersecurity coordinator to serve as a liaison between the district and TEA. The coordinator must report any cyberattack or other cybersecurity incident as soon as practicable after discovery and notify parents if the incident involved their child’s sensitive information.
House Bill 4390—Data Breach Notification
Effective date: January 1, 2020 (currently no timeline for implementation)
A person who conducts business in Texas and owns or licenses computerized data with sensitive personally identifiable information must disclose a breach of system security “without unreasonable delay” and within 60 days after the data breach was determined to have occurred. The person must notify the Attorney General’s office of the breach within 60 days if the breach involves at least 250 residents of this state.
You can listen to the full episode of TASB Talks to learn more. Fund Liability and Property program members can contact Anderson for information about training, resources, and guidance to help address privacy and cybersecurity challenges as you work to create a culture of cyber awareness.