Cybersecurity in School Systems: Interrogating Processes, Not Pointing Fingers

As leaders, we are entrusted with the safety and integrity of our school systems—not only in terms of physical security but increasingly in the realm of digital security. The ever-evolving landscape of cybersecurity poses significant challenges for school districts across the country. Yet, when vulnerabilities are exposed the natural reflex may be to find fault, point fingers, and assign blame. However, this approach is not only counterproductive but can also deepen systemic failures. Instead, we must focus on interrogating our systems to identify and address gaps, ensuring robust and comprehensive cybersecurity.

Understanding the Threat Landscape

Our school systems are treasure troves of sensitive information. From student records to staff credentials, financial data, and even strategic plans, the amount of data managed daily is vast. This information is increasingly targeted by malicious individuals who exploit weak links in our digital infrastructure.

As technology continues to advance, our school systems must stay aligned with the latest methods for cybersecurity protection. We ought to recognize that dedicated funding is essential for enhancing cybersecurity in schools—funds that are allocated specifically for this purpose and not diverted elsewhere. Cyber breaches are a constant threat and can originate from various sources. They may come from external attackers who steal data and sell it on the dark web, or from internal threats, such as disgruntled employees with easy access to network systems, who target specific areas of vulnerability. This is not an area where districts can afford to have "loose systems"; rather, these are critical areas where districts must implement and maintain "tight systems."

Many districts are alarmingly underprepared. A lack of proper cybersecurity measures—such as Virtual Private Networks (VPNs), multifactor authentication, and effective password policies—often leaves us vulnerable. As superintendents, it’s crucial to recognize that these issues aren't about individual failings or isolated errors; they are systemic issues requiring systemic solutions.

The Need for Systems Thinking

One of the most important lessons I’ve learned in navigating cybersecurity in school systems is the value of systems thinking. In a crisis, it can be tempting to look for someone to blame - whether it's a member of the IT team, a staff member who inadvertently clicked on a phishing link, or even ourselves for not being aware of every detail. But the more valuable approach is to ask, “What are the systems that allowed this vulnerability to exist?” and “How can we fix the root causes?”

By interrogating the systems, we shift the focus from blaming individuals to understanding how processes, policies, and structures either protect or expose us to risk. It is within these layers where our attention should be focused, allowing us to shore up defenses rather than alienate those who are key to our success.

Identifying the Holes

Effective cybersecurity begins with identifying the vulnerabilities in our systems. Here are some critical areas to consider:

• Virtual Private Networks (VPNs): VPNs provide secure access to internal networks, especially for staff who may work remotely. Without a VPN, sensitive information is at risk when accessed from public or unsecured networks.

Question a Superintendent MUST Ask: "Do we have a robust VPN solution in place, and how frequently is it monitored and updated to ensure secure remote access for all staff?"

• Multifactor Authentication (MFA): Requiring more than just a password, MFA adds an essential layer of security. Many breaches occur because a single layer of security (such as a password) is easily compromised. MFA significantly mitigates this risk.

Question a Superintendent MUST Ask: "Is multifactor authentication enabled for all critical systems and accounts, and how are we ensuring that its implementation is user-friendly and widely adopted by all staff?"

• Password Policy and Regular Updates: Stale and weak passwords remain one of the most common entry points for cyber attackers. We must establish stringent password policies and regularly push out mandatory password changes to ensure that access credentials are consistently renewed and reinforced.

Question a Superintendent MUST Ask: "What is our current password policy, and how often are we requiring mandatory password updates to prevent unauthorized access through weak or compromised credentials?"

• Access Controls and Authority: Understanding who has access to what information is vital. Far too often, access controls are too broad, and too many individuals have authority to enter sensitive areas of our networks or even see the credentials of others. We must conduct regular audits of access levels to ensure only those who need access have it.

Question a Superintendent MUST Ask: "Who currently has access to sensitive information and network systems, and when was the last time we conducted an audit to review and adjust these access controls?"

• Training and Awareness: Even the best systems can be compromised by human error. Regular training for all staff on recognizing phishing attempts, social engineering, and other common cyber threats is crucial. The more informed and vigilant our staff, the stronger our front line of defense.

Question a Superintendent MUST Ask: "What ongoing cybersecurity training programs do we have in place for staff, and how do we measure the effectiveness of these programs in preventing human error-related breaches?"

• Incident Response Planning: It is not a matter of if but when a cyber incident will occur. A well-documented and rehearsed incident response plan is crucial. This plan should outline the steps to take immediately after a breach is detected, including who to notify, how to communicate with stakeholders, and how to recover data. Superintendents should ensure this plan is in place, reviewed regularly, and that all relevant staff are aware of their roles within it.

Question a Superintendent MUST Ask: "Do we have a comprehensive incident response plan that outlines clear roles, responsibilities, and communication strategies for different types of cybersecurity incidents, and is this plan regularly tested through simulations or drills?"

• Regular Audits and Penetration Testing: Routine checks and audits of cybersecurity protocols are essential to identify potential weaknesses before they are exploited. Hiring outside experts to conduct penetration testing can provide a fresh perspective on vulnerabilities and areas that need attention.

Question a Superintendent MUST Ask: "How frequently are we conducting regular audits and penetration testing of our cybersecurity systems, and what are the findings from the most recent assessments?"

• Data Governance and Retention Policies: It is crucial to manage data throughout its lifecycle, from creation to deletion. Districts should have clear data governance policies that define how data is classified, stored, accessed, and disposed of. Data that is no longer needed or outdated should be securely deleted to minimize risk.

Question a Superintendent MUST Ask: "What are our current data governance policies, particularly around data retention and disposal, and how are we ensuring compliance with these policies to minimize risks associated with outdated or unnecessary data?"

Moving to Solution

Pointing fingers may temporarily alleviate frustration, but it does nothing to solve underlying problems. Instead, as leaders, we should cultivate a culture of learning, transparency, and continuous improvement around cybersecurity. When breaches or vulnerabilities are identified, the conversation should focus on, "What do we need to do in order to improve our systems to prevent future incidents?"

This shift not only prevents a culture of fear but also empowers staff to be proactive in identifying potential risks and bringing them forward without fear of retribution. A blame-free environment encourages openness and collaboration, which are essential in addressing cybersecurity challenges effectively.

Building a Cybersecurity Culture

1. Leadership Commitment: As superintendents and elected officials, we must lead by example. Demonstrating a strong commitment to cybersecurity from the top can set the tone for the entire district. This involves not only understanding the technical aspects but also advocating for necessary resources, training, and policies.
2. Collaboration Across Departments: Cybersecurity isn't just the IT department's responsibility—it involves every department and every employee. Collaboration across departments is essential to create cohesive strategies that align with the district's broader goals and ensure everyone understands their role in maintaining security.
3. Communicating with Stakeholders: Keep stakeholders informed about cybersecurity measures, potential risks, and incident responses. Transparency builds trust, and being upfront about potential vulnerabilities can foster a more collaborative and proactive approach.
4. Investing in Tools and Resources: Cybersecurity is an evolving field, and staying ahead requires continuous investment in both people and technology. Districts should allocate budget resources to cybersecurity training, hiring experts, and deploying advanced tools that can detect, prevent, and respond to threats more effectively.
5. Reviewing and Updating Policies: Technology changes rapidly, and so do the threats. Regularly review and update your cybersecurity policies to stay aligned with the latest best practices, legal requirements, and technological advancements.

Leading the Charge

As leaders, we set the tone for how our districts handle cybersecurity. By approaching these challenges with curiosity, openness, and a focus on systemic improvement, we model the behavior we wish to see. It is our role to lead the charge in implementing comprehensive cybersecurity plans that address the root causes, ensure our digital safety, and protect our communities.

Cybersecurity is not just an IT issue; it's a leadership issue. It requires our attention, our understanding, and our commitment to building robust systems that protect our schools from harm. Let's lead with a focus on fixing systems, not assigning blame.

Only then can we truly secure the future of our schools in an increasingly digital world.