Curtis Carver is Vice President for Information Technology and Chief Information Officer at the University of Alabama at Birmingham, and a member of T&LU’s advisory board. He has spent decades in educational IT, including stops at the University System of Georgia and West Point.
In the second of this two-part series, he looks at practical steps school leaders can take to improve cybersecurity.
Although districts already deploy personnel and invest in resources to fend off cyber attacks, there are other more practical actions that can be undertaken to help protect schools.
1. Take a human-centric approach to security.
You have to put your employee who is trying to do work for your district at the center of the conversation. Try to figure out how you can protect them, and in the least intrusive possible way.
Avoid putting security at the center of conversation, or using fear, uncertainty and doubt (FUD) as the organizing principle of the case to improve security.
The role of security is increasingly important, but there needs to be increasing rigor around how it is deployed so that it’s effective and practical.
2. A common mistake is believing that if you improve cybersecurity policy, that’s all you need to do.
For example, a CIO may think that ransomware attacks don’t work if you have a backup, so they’ll write a policy that everyone should have a backup of their current work. Well, that’s meaningless. What would be meaningful would be to deploy a backup system that’s easy to use for everyone, and then that policy can be implemented.
Do we still need the policy? Absolutely. But enable the right behavior for the policy with the right technology deployments.
You want security to be actionable by all your employees, and it’s not going to be actionable by everyone if you’re just writing it down in a policy and then saying, ‘Go do this,’ and then not providing the appropriate resources to do it.
3. Build a positive security culture.
You want to build an environment where all staff buy in and have accountability.
It’s one thing to say, ‘Don’t click on phishing messages.’ When I first started here, when we had a report of a phishing attack, it took us about 800 minutes to close out that attack, meaning we went in, deleted it from all 25,000 mailboxes and we built an access control list that went into the routers to block that attack from coming in. Today we do it in 2 minutes--from the moment it’s reported, we delete it from 25,000 mailboxes and block it at the perimeter. So if you check your email more than 2 minutes later, you’d never even see the attack.
Ask your employees to help you build a positive security culture. Say ‘Hey, help be a champion of the organization and report phishing attacks.’ We did this and got a large spike in both people not clicking and in people reporting phishing attacks immediately.
It’s one thing to not click, but it’s another thing to be part of a community that defends, a part of a neighborhood watch that protects the entire district.
4. With less funding for resources, school leaders should focus on practical solutions in terms of deployment.
That ability to improve the speed of how you handle certain circumstances and the agility to handle attacks becomes increasingly important.
5. As school districts typically can’t pay for the talent they need and need to rely on outside consultants, it’s important to be careful in regard to which ones are brought on board.
Any potential partner needs to have to have an understanding of what it really means to teach at the K-12 level, who the students and faculty are, and what time constraints exist--they need to be aware of the annual K-12 cycle and be respectful of the tremendous pressure on faculty and students to maximize classroom time once the school year begins, and how any window to introduce change just evaporates.