From phishing scams to data loss to outside vendors misusing remote access, the digital world is rife with risk for schools. But, as anyone who has ever created policies knows, the users are the weak link. When it comes to cybersecurity, “your technology department can help, but they’re only part of the solution. Firewalls, VPN, all that techy stuff does help protect you, but it's usually failures of people making mistakes that are the root of many cybersecurity issues,” said Shandor Simon, director of technology, The Latin School of Chicago, in a recent NBOA webinar.
Team Effort
Who should be on board to support IT? Schools should have a team made up of folks involved with risk management, crisis management and communication, insurance, policies, and training, suggested Simon and co-presenter Alex Inman, founder and president of Educational Collaborators, based in St. Louis, Missouri. “These people should come from all around the school: you need your communications team, your leadership team, your HR team, your business and finance team to all be part of the solution,” Simon said.
These people should come from all around the school: you need your communications team, your leadership team, your HR team, your business and finance team to all be part of the solution.
Shandor Simon
The Latin School of Chicago
In one scenario presented by Simon and Inman, a school nurse inappropriately shared sensitive data. Simon and Inman suggested that the first thing a school do is activate its crisis plan and then get on the phone with an attorney “pretty fast” to learn about the school’s liability.
They suggested that preventative measures in this case would include cybersecurity training that occurs more than once a year and updating and publishing internal privacy and confidentiality policies that focus on handling secure data. They also stressed the importance of “bi-directional communication between the business offices, staff offices, and IT to make sure that that sensitive information is appropriately tagged as sensitive information.”
Again, everyone needs to be in the loop and understand what’s at stake.
To figure out where some of your problems occur, it’s worthwhile getting a cybersecurity assessment, Simon suggested. “You’ll get a handful of recommendations usually in the form of smart goals that are specific, measurable, achievable, relevant, and time-bound, so you can actually do something about them.”
Available Resources
Simon and Inman suggested taking a look at the following resources to help schools keep up with cybersecurity:
- The Department of Homeland Security, which offers free cybersecurity assessments. “They'll look at your network. These are available to all non-profits so if your school runs as a 501c3 organization, you can request these assessments,” Simon said.
- ATLIS’ (Association of Technology Leaders in Independent Schools) document, “Cybersecurity Recommendations for Independent Schools,” which offers threat-level-based solutions in the following areas: configuration/technical; personnel procedures; and general policies.
- NAIS’ legal advisory on cybersecurity, which discusses team efforts and mitigation strategies.
For more on this topic, visit the webinar archive and read the articles below.
