With cybersecurity a ballooning top concern for ed tech leaders, the severity and scope of K-12 cyberattacks is also growing. Districts are also sorting through a time when school officials remain on high alert a year after 19 students and two teachers were massacred at Robb Elementary School in Uvalde, Texas.
School safety protocols vulnerable to cyberthreats can include building maps, evacuation plans, security camera layouts, network architecture and more.
Should these plans leak to the public following a cyberattack, there are strategies districts can use to avoid or better handle such a situation. We spoke with school safety and K-12 cybersecurity experts, who shared the following four approaches for navigating the threat.
Store safety plans on a separate, more secure server
In a lot of cases, school safety documents go into a file share server, which is a computer that stores and manages data files allowing others on the same network to remotely access, said Amy McLaughlin, an information security expert with the Consortium for School Networking.
“They may have limited access, but people don’t necessarily plan in advance for what level of security and separation do we need for those items to have from the rest of our systems,” McLaughlin said.
When planning how to store and protect a school safety plan, McLaughlin suggests districts start to consider a clear list of goals: “What are your requirements? Does it have to be secured to only five people? Does it have to be accessible 24/7? Do you have to have access from multiple locations?”
Once those requirements are established, districts can then decide where to keep the records, she said. One option is to put the plans in a separate cloud environment from a school’s typical network storage. Leaders can then limit access and own that storage space very carefully, McLaughlin added.
Storing physical copies of the plans is an option, as well, she said, but that can pose several risks. Hard copies can be subject to fires, accidental recycling or overall potential exposure.
However, districts could also consider implementing both, McLaughlin said. “An option is to have it secured in a separate location in the cloud or segmented off in your network with very tight controls, and have a physical copy stored in a safe deposit box in a bank or a fireproof safe in another location.”
Train staff or hire a virtual CISO
School IT departments have historically hired former teachers, librarians and principals, said Kenneth Trump, president of consulting firm National School Safety and Security Services.
“While their passion, interests and efforts are certainly unquestionable in terms of doing the best that they can, oftentimes, No. 1, it’s from an instructional perspective,” Trump said. But “they don’t have that level of network security education, training and experience.”
On top of that, districts have difficulty finding full-time employees dedicated to school network security. That’s why it’s important to put more investment into staffing and training for school cybersecurity, Trump said.
Having trained cybersecurity staff is helpful for thinking through the requirements and implementation process of protecting school safety plans, McLaughlin said. It’s especially helpful if a district’s IT staff has high-level training in data segregation and sensitive data management, McLaughlin added.
But if full-time cybersecurity staffing is a challenge, she suggests working with a virtual chief information security officer to help walk through the steps for securing school safety plans as an alternative.
Balance publicly shared information
While it is most certainly not recommended, Trump said he has seen several cases where districts still put their emergency plans on their websites.
But even on a smaller scale, districts still share their class or bus stop schedules for the public to easily find, he said.
“Who needs to be able to get that information?” Trump asked. “Someone with ill intentions can now identify kids are in transition for these three minutes.”
Overall, Trump often asks districts to reevaluate the kind of information they share on their websites.
McLaughlin said this issue also reflects the challenge districts face when trying to balance between being a public service organization and being secure. If a school principal or superintendent publicly shares their schedules online, for instance, that can pose a cybersecurity risk from the information being manipulated, too.
“Fantastic information for the public, like ‘I’m out there, I’m doing things,’” McLaughlin said. “Horrible information in terms of protecting your district from phishing attacks because of how easy it is to scrape that data.”
Evaluate if plan is exposed
It’s also important to periodically revisit safety plans, McLaughlin said, especially if that information is exposed. That can include changing evacuation routes or remapping where cameras point.
“Rethinking what our patterns are in these safety plans is going to be really important,” she said. “Maybe have a couple of different safety plans that you’re rotating through.”
Trump also advises against moving school security cameras if a plan has been leaked and exposes their location. “You can’t do that. If it was where it was located and supposed to be in the first place, it was there to serve a purpose.”
Following a leak, schools just need to focus on preventing it from happening again while promptly communicating with the broader community, Trump said. He also agreed with McLaughlin about the overall importance in school security to constantly evaluate your operations.
