from the field
Five tips to protect your LEA’s data
Cybersecurity is one of those topics that falls into the same category as writing a will or going to the dentist — you know it is something that must be addressed, but you’d rather deal with it later. That is the approach many K-12 entities have taken towards cybersecurity preparedness.
And, for many years, it worked. The financial industry, healthcare and even higher education have been hammered by cybersecurity bad actors for years. But now their attention has turned to K-12, and for good reason.
First, as student data moved from cumulative folders to the digital space, cybercriminals realized the treasure trove of information we have in our systems. Student records are easily sold on the dark web to people who steal identities for a living. With all the information available on students from our systems, all it takes is the changing of one digit in the student’s year of birth, and you now have an identity that can be compromised for years without anyone knowing. The Social Security numbers of minors cannot be monitored for credit purposes, not even by their parents. Thus, the first time a student may realize his or her identity has been stolen may occur only when he or she applies for a job, a student bank account or completes a FAFSA [Free Application for Federal Student Aid]. A student’s information may have been compromised for up to 10 years by that point.
Cybercriminals have also increased their attacks on K-12 because they realized that, unlike other industries, most K-12 entities cannot afford a team focused strictly on cybersecurity. In most California districts and county offices of education, cybersecurity is just one of a plethora of responsibilities assigned to their IT departments. Some districts don’t even have an IT department. Cybercriminals spend all day, every day, with the sole purpose of breaking into our networks. K-12 IT departments spend significantly less time, with significantly fewer resources, protecting our networks and our students than the bad guys spend attacking them.
There are many things K-12 leadership should know about cybersecurity, much more than can be discussed in this article.
- Cybersecurity is not an IT issue. It is an organizational issue. While IT should be responsible for recommending and implementing the technical components of a cybersecurity mitigation plan, the plan should be based on decisions made by the leadership of the organization, based on the organization’s risk tolerance and the organization’s technology priorities.
- Have an incident response plan in place before the incident occurs. Everyone in IT and/or the appropriate support vendors should know exactly who is doing what in the event of a cyberattack. It should be discussed and mutually agreed to with cyberinsurers that the organization’s first priority is to stop the attack. Only then can the organization move forward with remediation, restoration/business continuity and forensic evidence preservation activities.
- The most vulnerable components of a network are the people who use it. Although cybercriminals are constantly looking for software and firmware vulnerabilities, the easier point of entry into any system is through a user of the system. Cybersecurity training for all users should be required at least annually, like other mandated trainings. Cyberinsurance carriers are a good source of information about companies that train users on becoming and remaining cyber-safe.
- The Internet of Things (IoT): More than ever, products that are not initially thought of as IT are running across organizations’ networks. If a vendor states that certain features of their product can be managed or monitored remotely, and they ask for an IP address (an address on the organization’s network) to install the product, get IT involved immediately. These products are rarely designed with cybersecurity in mind and provide an excellent way for cybercriminals to gain access to your network. One large company was breached through its HVAC system. Buy and use whatever technology enhances student experiences or organizational efficiencies but do so in a cyber-safe way.
- Air-gap your backups. Your IT staff will know what this means. Ensure backups of your critical systems are taking place daily, that you test to ensure the data are being copied and that you can restore from them, and that the backups are not reachable through your main network by anyone outside of your network. If you are attacked and your backups are protected, you can restore your network without engaging the cybercriminal to regain access to your files.
Although no one can eliminate cybercrime, just as no one can completely end crime in general, there are ways to mitigate the effects of a cyberattack if it happens. Organizational planning is the key to protecting the organization’s network and especially the organization’s student records.
Lorrie Owens is the chief technology officer at San Mateo COE and a CoSN (Consortium for School Networking) board member.