9 Questions You Should Ask to Ensure Cybersecurity in Your Schools

Over the past year or more, we have pointed out the many safety and security facets. Even with these discussions, many of us (sometimes myself included) think of safety and security as traditional threats: violence, fire, weather, infrastructure failures, etc. While I understand cyber security has also been discussed frequently, I want to discuss it and what it means to you. First, I am not a cyber security expert, nor can I help you with your technology once an attack has occurred. I can raise your awareness and give my perspective on what measures you should consider to mitigate the impacts before an attack. I strongly encourage everyone to contact their systems administrators and learn how to protect their systems from cyber-attacks.

As one can imagine, many cyber threats are present in today’s technology-heavy world. Much like any other aspect of safety and security, no one can guarantee that your systems are safe from attack. Two of the biggest reasons for cyber attacks are disruption of your systems and/or access to your data for the purpose of financial gain or terrorism.  Understanding the threats is essential to know, not only to prevent/mitigate the risk but also to prepare your staff to recognize the potential risk and respond to an attack once it has been identified. It will likely be your IT department's responsibility to take care of the recovery portion of the attack.

Does this process sound familiar to everyone? It should. This is precisely the same process for all the other threats to your safety and security we have been discussing: the FEMA model (Prevention/Mitigation, Preparedness, Response, and Recovery). A safety plan must be developed and implemented like every other threat to your organization’s safety and security.  A specific section within your emergency operations plan should address cyber security and safety, and specific instructions within your Continuity of Operations Plan (COOP). The COOP is the plan you should have in place that directs operations during a significant emergency or disruption of operations. For example, what is the action plan in a cyber attack to continue with educational services while a breach into your system occurs?  

Recently, there have been breaches in many schools where student and staff data and personal information have been compromised. When selecting a safety vendor to provide services for your organization, what can you do to ensure they do everything they can to protect your data? Ask lots of questions. As many as you need to make sure you are satisfied with their efforts to protect your data. Ask questions like:

• What safeguards are in place to protect your data?
• Do they subject themselves to regular independent security audits?
• Do they contract with a third party to conduct data intrusion and integrity checks?
• Do they have customers who need the highest level of security for their data?
• Have outside organizations like FirstNet and AWS verified them for their security and systems robustness?
• Do they have customers who require their vendors to subject themselves to high-level security audits contracted by the customer?
• Have they ever had a data breach (this is especially helpful when they have been in business for more than a decade)?
• What is their up time?
• Have they ever been sued for data breaches?

As is with all threats to safety and security, you must determine the level of security you require. Considering the potential for cyber attacks, it is your responsibility to ensure everything that can be done is being done to protect your organization. Good security, especially when it comes to protecting your data and technology, costs money. Consider that the next time you publish a “Request For Proposal” involving your safety systems requiring access to your information management systems. The cheapest system may cost you more in the long run.