As educators, you have a crucial responsibility to protect your students so that they can learn in a safe environment. Your school IT security practices are one part of the picture. Your physical security measures are another part. To prevent theft and misuse of your school’s IT assets and data, you need to apply a critical assessment to your situation. We will guide you through the assessment process and identify options to improve your security.
The Dangerous School IT Security Mistake You Must Avoid
When we talk with IT security professionals, we see them struggle with one issue over and over again. They tell us they have not had a security event. They assume all of their processes are effective. They may even find a way to “make it work” when their budget is reduced. This whole attitude – IT security complacency – is dangerous. Assuming your security is robust because you have not suffered an incident is dangerous. Let’s examine this misconception and determine how you can avoid the curse of IT security complacency.
Uncovering The True State of Your School IT Security
Use this self-assessment process to evaluate your school’s vulnerabilities to IT security risk. As you go through each step, feel free to consult other people on your team.
1) Do you have an IT security policy?
Let’s start with the basics: policy. An IT security policy lays out the overall expectations and requirements for your school. If your policy has not been reviewed and updated in the past 12 months, it is time to update it again. To help you benchmark your IT security policy, take a few minutes to review these policies from other educational institutions
-Information Security Policy (Bowdoin College). Note that the policy emphasizes risk assessment as a critical process.
-Grand County School District Technology Security Policy. Take note that this policy covers a range of areas, including physical security and remote access.
Tip: An effective IT security policy should provide principles to guide everyone in the organization in IT security matters. Therefore, strike a balance between tactical details (e.g., password rules) and big-picture principles that increase security.
2) What IT security monitoring tools and reports do you use?
How do you know if your school IT security program is working? One critical strategy: use monitoring reports to detect external threats and other problems. Since it is easy to become buried under a mountain of IT security alerts and reports, we recommend analyzing each report for value. Specifically, consider who uses this report and how it is used to make decisions. Only reports that help you improve security, detect threats and implement your IT policy should be retained.
3) How often do you use external IT security consultants and assessments?
It is difficult to spot flaws and oversights in your school IT security. To detect those gaps, it is best to bring in an outside perspective. In the past two years, review whether you have made use of external IT security assessments to check your systems. For instance, have you hired a firm to conduct penetration testing on your organization? This type of testing is eye-opening because it tends to highlights parts of your systems that you may have neglected to test for security vulnerabilities.
If your organization has never worked with an outside security consultant, it is highly likely that you have significant IT security vulnerabilities.
4) What IT security guidance to you provide to new students?
Whether you have college students or younger students, you cannot assume your student population understands IT security risks. In particular, they will not know your institution’s security requirements, acceptable use policies and related points until you provide guidance. Offering training sessions to your entire population may not be feasible, but ask yourself whether you are providing the following:
-Do you provide easy-to-understand IT security tips and tricks documents for students?
-Do you offer IT security information as part of the orientation program offered to students?
-Do you conduct surveys or similar processes to measure whether or not students are secure?
5) Which “digital crown jewels” have you identified for extra security protection?
In IT security, some assets are more important to identify and protect than others. For example, you may want to apply enhanced protection for student personal information such as academic records and financial data. It is a best practice to define these “crown jewels” and build a plan to protect them. Once you identify these assets, look for ways you can enhance protection. For example, you may choose to add multi-factor authentication so the data is more difficult to access.
6) What IT security automation tools does your team have?
Without IT security automation solutions, it is very difficult to systematically protect your organization. In a college or school, it is common to have a small IT security team. If you want to avoid burning out your security staff, evaluate whether they are properly supported with software solutions. To save time, we recommend implementing tools like an IT security chatbot.
Review Your Vulnerabilities To Cyber Threats and Take Action
After completing the above assessment, you will have a good sense of your critical vulnerabilities. For example, you may find that your IT security staff are overworked with administrative tasks like managing password changes. In that situation, your IT security staff simply do not have the bandwidth to take on a dozen improvement projects. The solution? You need to get more capacity. To make that happen, demonstrate to your management that you are efficient with what you already have.
For the best results, here are the next steps we recommend. Start by choosing a short-term project that will provide immediate value to your organization. For example, reduce inactive user account risk by quickly deactivating accounts from former students and employees. Once that win is accomplished, you will have increased credibility. Next, you will be able to take on more complex projects, like introducing new security software for your school. There’s no such thing as “complete” IT security. Instead, you need to commit to continuous improvement. Keep returning to this article every few months to find additional ways to optimize your school IT security program so that you can keep attackers at bay.
