Since the issuance in February of ENA’s latest white paper, Education Network Security in a Hyperconnected World, ENA staff members have been engaged in conversations with school administrators about the importance of optimizing network security. Merle Gruesser, ENA’s director of Customer Services, and I have presented at multiple superintendent study council meetings across the state of Indiana about this issue. We also attended the Cyber Threats Seminar hosted by Indiana School Boards Association and Indiana Association of Public School Superintendents on May 3. This topic was also a focal point of the technology seminar held earlier this year by the Indiana Association of School Business Officials and Indiana Chief Technology Officers Council in which Jay Power, ENA’s director of Solutions Engineering, presented on the components of the white paper.
The conversations resulting from these professional development and collaboration opportunities have been insightful and timely for presenters and participants alike. The escalating challenges faced in this arena are becoming more commonplace for the K–12 community. Furthermore, the lessons learned and key takeaways from these forums are applicable to any school district in the country.
Certainly a key message consistently articulated was the growing importance and urgency of network and student data security. As mentioned in my last blog, according to CoSN’s 2016 K–12 IT Leadership Survey Report, 64 percent of school technology leaders around the country agree that privacy and security of student data is somewhat or much more important than last year. Regarding network security, evidence does show that the occurrence of distributed denial of service (DDoS) attacks is significantly on the rise. In addition, anecdotal information shared at the Cyber Threats Seminar also suggests that the occurrence of cyber threats via social media is becoming more frequent. Captain Chuck Cohen, commander of Intelligence and Investigative Technologies for the Indiana State Police, gave an eye-opening presentation of how the techniques of cyber terrorists, scammers, and hackers have filtered down to become tools students are now using to bypass school web filters and ignore acceptable use policies while on a school network and using school-issued devices.
These realities of a globally connected environment illustrate that, while school districts continue to implement digital education and the number of users and devices accessing their networks expand, the capability to use these tools to initiate a threat, attack, or breach—along with the likelihood of staff and students unwittingly opening the door to hackers via viruses, malware, and spyware—will also expand. It is a virtual arms race for school districts to defend against such malicious activities!
Here are the key takeaways from these forums to consider as you strive to optimize network security:
- The best line of defense is adequate proactive planning and preparation.
- Executive ownership and leadership are needed and an administrative team should be designated to establish clear policies and procedures, implement relevant professional development, and develop meaningful digital citizenship curriculum (see Common Sense Media).
- Striking a balance between widespread accessibility and stringent security is difficult, but school districts should avoid making security so cumbersome and difficult that end users are incentivized to find workarounds or to choose not to adhere to acceptable use, remote access, and digital communications policies.
- Such policies need to be living documents that are always evolving with regular updates. These policies need to be shared and reviewed by staff and students at the beginning of every school year and during the school year as updates occur.
- Stolen login and password credentials remain a primary threat to security, and school districts should implement more routine or frequent changes to login and password credentials (every 90 days is recommended).
- An annual audit or assessment of the network of school districts is recommended and any vulnerabilities or weaknesses should be immediately addressed.
- An incident response plan (IRP) and related communications, as well as clear lines delineating roles and responsibilities, should be established well in advance of an occurrence. The IRP should align closely with the school district’s school safety plan and emphasize collaboration and communication with local law enforcement. East Allen County Schools’ Superintendent Ken Folks and Safety Manager Jeff Studebaker gave an excellent presentation on this at the Cyber Threats Seminar and they welcomed contact about their policies, practices, and resources.
To support the optimization of network security in the K–12 education community, we strongly encourage readers to access the Network Security Recommendations Checklist included in the white paper available at https://www.ena.com/network-security/. Proactive leadership and action now will save significant time, energy, and resources when a security issue arises. No network is 100 percent secure, 100 percent of the time. Are you prepared for the inevitable, and will you minimize and effectively mitigate the intrusion? Please use the recommendations checklist to consider these critical questions.