Article by Bob Olsen, Compass Cyber Security
Hundreds of schools have reported data breaches in recent months. How can your school avoid being next? An ideal time to shore up cybersecurity efforts is when building new or remodeling. Not only does construction provide a clean slate on which to implement solutions, but even relatively simple renovations can involve industrial control systems that invite cybersecurity risks. A new automated HVAC system, for example, ties into a school’s IT infrastructure. And every new vendor to your campus presents a potential threat. Thinking through cybersecurity challenges during the planning process will save costs and headaches in the long run.
It’s especially important to consider cybersecurity implications when beginning larger capital improvement projects, which usually roll around only every 20 or 25 years. One of our clients took this opportunity when "tech enabling" older classrooms — that is, updating with Wi-Fi, LED screens, laptop docking, etc. In this case, starting from scratch and implementing entirely new systems proved less costly than patching up older ones. On the other hand, schools must sometimes integrate legacy systems with brand new ones, such as when connecting building controls in a new facility with those in a nearby older building.
Asking these questions will help you assess cyberthreats and prevention when developing a master plan:
- How will we use technology in the future and what does that mean to our security program? Are we moving to a cloud application environment? Will we outsource more of our information technology needs to a third-party service provider?
- How do we keep our staff up-to-date on the latest cyberthreats, and on trends that are unique to our environment?
- Who has organizational responsibility for managing our cyber risk?
A risk management and strategic planning model can help you develop robust and useful answers to these and other questions. One that I recommend for its user-friendliness is ISACA’s Business Model for Information Security. This model helps organizations prioritize data protection activities and ensure that their plan focuses on the most important threats. A planning committee, for instance, might use it to identify the pros and cons of different security options and the effect of changes on end users.
It’s especially important to consider cybersecurity implications when beginning larger capital improvement projects.
Cyberthreats affect the entire range of functions within an organization, and cybersecurity is a team sport. Do not rely solely on your IT department when evaluating cybersecurity risks. A more effective, integrated approach includes the head of school, trustees, business officer and facilities director along with the IT director. We often offer schools up to four solutions to a problem, none of them black and white. Whoever is evaluating these options must understand the end users. Moreover, those end users must understand any changes to existing processes and systems to avoid help desk tickets, headaches and especially data breaches — all outcomes with direct costs.
Bob Olsen is CEO of Compass Cyber Security, which provides a variety of services to protect the data of independent schools and other organizations.
Download a PDF of this article.