Jim Corns is executive director of information technology for Baltimore County Public Schools.
Reports of ransomware attacks against schools are becoming all too commonplace. The increasingly complex threat of cybercriminals poses unique challenges to district IT departments. To borrow a phrase, school systems need to be at 100%, and a cybercriminal only needs to get lucky once.
In the face of this threat, every school system should have a plan that focuses on mitigation, communication, training and remediation.
Mitigation
Organizations like the Cybersecurity and Infrastructure Security Agency, National Institute of Standards and Technology, Center for Internet Security and Consortium for School Networking have amazing resources to assist in crafting mitigation plans. At the highest level, the key to a successful mitigation strategy lies not in its contents but in buy-in from the organization.
Security of digital assets is truly an organizational responsibility. With buy-in from leadership and stakeholders, IT and security officers can create plans that address the security needs of the system and support the instructional practices of the district.
Password complexity, multifactor authentication and network segregation are great first steps if not currently present. All three require effort from the IT department, but also the support of stakeholders to accept the change. Above all, the most important step in any plan is to create it and begin implementation.
Communication
Communication planning does not have to be solely designed for cyberattacks. The best way to have a functioning communication path is to make it a standard part of the daily operations of the system.
Networks and technology solutions unfortunately experience outages. Using a standard communication path for these smaller issues will create known paths to receive updates. Using the same message on a variety of platforms both allows individuals to receive information in a favored method and builds in redundancy.
One of the hardest things we dealt with when Baltimore County suffered a ransomware attack was the loss of our website and primary email as communication. While the email system was functional, most other agencies blocked receipt of messages from our domain. We quickly established a second email domain and created a temporary website, but these actions took time.
Having them in place before they were needed would have been a huge benefit. Use of social media to distribute consistent messaging also provides a communication path outside of the network if the network cannot be used.
Training
Cybersecurity is a responsibility of everyone in the organization. Users of the system need to have relevant, accessible and approachable trainings on good cyber hygiene and data protection.
Relevant, ongoing trainings should contain practical applications of best practices with rationales that explain the “why” of security. Partnerships with instructional staff can lead to greater accessibility to the content for both teachers and students. Helping staff to question the validity of online resources and emails and incorporating security thinking into their daily practices adds to the security of the system.
Remediation
One of the largest impacts of a cyberattack on a school system is the disruption of normal operations. Students rely on the school system for more than instruction. Meals, social-emotional support, health services and many other services are provided to students daily.
A remediation plan is crucial to minimizing the impact of an attack. Reliable, current, restorable backups become the most valuable asset in the event of an incident. Deliberate service restoration in order of system importance allows for continuance of operations.
From an instructional perspective, Baltimore County Public Schools restored access to its learning management system and video meeting platform first so students and teachers could remain in contact, as the event occurred at the height of the pandemic. While other systems were being restored over a longer period of time, instruction resumed with only three lost instructional days.
Overall, the main priority of a school system should be to have shared ownership for security. Creating a culture of ownership is the only true way to weave security into the daily practices of the system. Once this happens, it is easier to make the first right step in creating a layered defense against cybercriminals.