15 Budget-friendly Cybersecurity Tips for Schools
Your organization’s finance professionals make tough, sometimes unpopular, decisions come budget season. Funneling funds to one initiative could mean scaling back, postponing, or eliminating other initiatives. If you’re looking to make a case for cybersecurity, consider these statistics:
- Publicly disclosed cyberattacks against schools exploded by 235 percent between 2018 and 2020 (K-12 Cybersecurity Resource Center).
- In 2020, cyberattacks cost schools an estimated $6.62 billion in downtime (cybersecurity research firm Comparitech).
- Parents’ greatest worry is the compromise of their children’s sensitive data (43 percent). Just 11 percent worry about the impact that beefing up security will have on taxpayers (global cybersecurity company Kaspersky).
The Fund specializes in pushing back against cyberattacks targeting schools. Here are 15 simple, budget-friendly tips that will help fortify your digital defenses.
1. Develop a culture of cybersecurity
Lead from the top, and train your employees to recognize and respond to cyber incidents. Reinforce training with drills that prepare your team to react quickly to threats and attacks.
2. Vet your vendors
Last year, security incidents involving school district vendors and other partners caused 75 percent of K-12 data breaches in the U.S. Vet your vendors to ensure they are reputable and will protect your data. Take the next step by entering data protection/privacy agreements with vendors.
3. Don’t take the bait
Strange email requests, even from trusted contacts, could be malicious. If it smells phishy, contact the sender through an alternate method, and report the suspicious request to your IT/security staff.
4. Back up your data regularly
New ransomware hunts for on-premises backups. Consider off-site, offline, or powered-down backups for better protection.
5. Use passphrases
We all know the importance of creating strong, unique passwords; we’re just not very good at it. Suppose you choose a password like "aaaaaaa." A human probably won’t crack it quickly, but a computer will, in about 10 milliseconds. Consider using passphrases instead.
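To make the comparison concrete, here is an added example (not from the original article) that estimates the brute-force search space of a short password such as "aaaaaaa" against a multi-word passphrase. The guess rate of one trillion guesses per second and the 7,776-word list size are assumptions for the worked comparison, not figures from the article.

```python
import math
import string

# Assumed attacker guess rate for the comparison (constructed figure, not from the article).
GUESSES_PER_SECOND = 1e12
# Assumed word-list size: a standard diceware list has 6^5 = 7776 words.
DICEWARE_WORDS = 7776


def charset_size(password: str) -> int:
    """Alphabet size a brute-force search must cover, based on the character classes used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += len(string.ascii_lowercase)
    if any(c in string.ascii_uppercase for c in password):
        size += len(string.ascii_uppercase)
    if any(c in string.digits for c in password):
        size += len(string.digits)
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def password_keyspace(password: str) -> int:
    """Number of candidates for a uniformly random password of this length and character set.
    This is an upper bound: predictable strings like 'aaaaaaa' fall to pattern attacks far sooner."""
    return charset_size(password) ** len(password)


def passphrase_keyspace(word_count: int, wordlist_size: int = DICEWARE_WORDS) -> int:
    """Number of candidates for word_count words drawn at random from a list of wordlist_size."""
    return wordlist_size ** word_count


def entropy_bits(keyspace: int) -> float:
    """Guessing entropy in bits for a uniformly chosen secret from the given keyspace."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return keyspace / rate


if __name__ == "__main__":
    for label, space in [("password 'aaaaaaa'", password_keyspace("aaaaaaa")),
                         ("4-word passphrase", passphrase_keyspace(4)),
                         ("6-word passphrase", passphrase_keyspace(6))]:
        print(f"{label:20s} {entropy_bits(space):6.1f} bits  "
              f"{seconds_to_exhaust(space):14.3g} s to exhaust")
```

At the assumed rate, exhausting all seven-character lowercase passwords takes about 8 milliseconds, in line with the article's figure, while a six-word passphrase from the same list takes on the order of thousands of years.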
6. Never share login credentials
A password management system eliminates the need to write passwords and account credentials down and cuts the risk of them falling into the wrong hands. Remind employees to be careful about entering passwords or PINs or viewing sensitive information in public places. Criminals could be looking over their shoulders.
7. Enable multi-factor authentication (MFA)
8. Use public Wi-Fi sparingly
It’s not unusual for coffee shops, libraries, and other public places to provide free Wi-Fi. It’s also not unusual for free Wi-Fi to be unsecured, so avoid using it for sensitive business. Similarly, make sure your home Wi-Fi uses the latest security standard and is password protected.
9. Use a VPN for remote work
It’s especially important to use a virtual private network (VPN) if you’re on public or unsecured Wi-Fi. VPNs provide a layer of encryption that could prevent network compromise.
10. Watch out for fraudulent instruction attacks
Cybercriminals masquerading as legitimate vendors, and even as employees or staff, have tricked unsuspecting districts into sending money to them. Verify changes to financial routing numbers or direct-deposit accounts with a colleague or a designated external contact before acting.
Share this phishing cheat sheet with your finance professionals.
11. Patch your software
Ensure there is an automated or manual policy for installing updates and patches to your anti-virus, operating systems, and other software platforms as soon as they’re available. Remember, you’re only as secure as your most recent update.
12. Get the most from security platforms
Make sure your antivirus, firewall, and email security appliance are up to date, configured correctly, and, most of all, turned on.
13. Segment sensitive information
Talk to your IT team about departments that work with sensitive information. If possible, provide a distinct, more secure network segment for those departments. The fewer people who have access, the safer the data.
14. Tap into information-sharing networks
The K12 SIX, Texas Information Sharing & Analysis Organization, and other information-sharing organizations provide forums for districts to alert each other about cyberthreats and share best practices.
15. Lean on data loss prevention
Employees are your first line of defense against cybercrime. No matter how informed and prepared your team is, however, cybercriminals constantly find new ways to attack. In many cases, their schemes rely on human error. Data loss prevention tools help ensure that when employees make mistakes, technology has your back.
Bonus tip exclusively for Fund members
Well-trained employees are your best defense against cybercrime. Fund members with Privacy and Information Security coverage benefit from our experts’ services at no additional cost. Let us train your team to build a state-mandated cybersecurity plan, avoid common scams and attacks, and recover from incidents.
Lucas Anderson joined TASB Risk Management Services in 2019, bringing more than a decade of experience in cybersecurity, network administration, and information technology. He advises districts on preemptive mitigation against ongoing and emerging cybercriminal threats targeting the education sector, as well as cybersecurity-related regulatory compliance.
Over his career, Anderson has supported public and private organizations, including Booz Allen Hamilton, the White House Office of Management and Budget, the Department of Defense, and the Texas Association of Counties.