Understanding School Cybersecurity: How to Start & Stay Safe
If you’ve been following Avertere's blogs, you likely know a thing or two about online threats aimed at educational settings like schools. But,...
7 min read
Rebecca Meyer-Worthen Apr 5, 2023 3:17:17 PM
Chart Credit: David Riedman (K12ssdb.org/all-shootings)
At Avertere, we understand that writing about active shooting is an incredibly sensitive and emotional topic for many people, as it involves the safety and well-being of our loved ones and communities. We share those same feelings of empathy and concern, which is why we came together in the first place - to take action and make a difference. We recognize the gravity of the issue and the need for meaningful solutions that can help prevent and mitigate the devastating effects of active shooting incidents. Rest assured, and we are committed to working tirelessly to promote safety and security and to support schools in making meaningful changes to their systems and infrastructure.
The safety and well-being of students and any perceived threat to their safety can be emotionally charged for parents, teachers, and the community as a whole. Additionally, discussions about school safety can be politically contentious, as they often involve debates around issues such as gun control, mental health, and school policies and procedures. Avertere can provide evidence-based solutions to any campus or district nationwide as a neutral and objective platform.
Avertere can help address the sensitivities through their proven best practices that meet a school where they are today.
By partnering with experts in school safety and security, Avertere can provide accurate and reliable information to its audience and help foster informed discussions and debates around the issue of school safety. Additionally, Avertere can help promote the development and implementation of effective school safety policies and procedures and provide training and resources to schools and communities to help prevent and respond to incidents of violence or other threats to student safety.
Avertere will focus on the opportunities to improve. We'll emphasize the need to budget for and develop a cyber workforce and converge physical security programs with cyber security resilience. Schools should purchase technology based on risk priorities and develop people-run programs to create efficiencies between technology's capabilities, detection, and threat response. Proactive detection and response cannot be accomplished in a silo between physical security and cyber security programs.
For those interested in statistics, after-action reports, and more. We recommend following Mr. David Riedman (Educator, Criminologist, Emergency Manager) and founder of the K-12 School Shooting Database.
Avertere is comprised of cyber security and physical security veterans. We are a knowledge-based organization that has relationships in emerging technologies. We develop programs, contribute to relationship building, and provide services. We'll even support schools that need funding; everyone deserves to feel safe in schools, and we'll work with the schools to find funding in grants and other vehicles. Our goal is to be an ally to administrators and faculty members in developing programs for school safety and security. We want to remove as much burden off of their shoulders so they can focus on teaching students. A key performance indicator for success is the decline of teachers leaving the education business because they no longer feel safe teaching students in school buildings.
Technology connects the world, unlike in the 80s and 90s. Students are influenced even inside the classroom walls. Influences outside of the curriculum distract from the school's primary duty: educating.
As a result, technology-driven distractions can lead to poor test scores, cyberbullying, suicide, child predators grooming kids away from schools, and even active shooters. Cyberbullying, suicide, and active shooting are all behavioral responses. We must implement a strategy to reduce distraction and proactively identify students needing non-punitive intervention.
Finally, Parents can vote or elect the School Board of Directors who oversee the district or charter school's management and ensure the superintendent implements and monitors district operations. Unfortunately, adopting technology in schools has added complexity to safety and security.
If School Districts need help with where to start or are along their journey and need support, consider Avertere. Avertere provides Leadership as a Service. Our executives work alongside the Board of Directors to create a risk-based program to reduce overspending, identify budget requirements for a cyber/physical security workforce, and establish efficiency between technology and people in detecting and responding to threats.
A typical pattern at a district level is that buying habits are often ad-hoc and siloed between the IT and Physical Security organizations. Those with Cyber security organizations are focused on Digital Cyber Cyber security threats, and only some are bridging the gap between the Physical and Cyber security operations teams.
We'll use Ransomware as an example. When a school is a victim of Ransomware, the School SuperIntendent is the leader, often to assure the Board of Directors and Parents that school technology will return to delivering school services. In the background, an IT organization is focused on Business Continuity, getting things back to running normally. What is often not discussed is how the privacy breach will follow students for the rest of their lives and how Ransomware risks school technology. Ransomware could even destroy physical security controls, which means the cameras and the door locks. Unfortunately, as humans, we are naturally reactionary, and when things are back up and running, it's business as usual.
The School SuperIntendent typically gets a framework of "things to do" to reduce cyber risk. Often lacking is "who will do the work," Unfortunately, that responsibility becomes IT, administrators, and faculty members' extracurricular duty. Many IT organizations default to compliance or organizational risk transference. At Avertere, we believe it's time to hire a Cyber workforce that is led to evangelizing a risk reduction program and bringing the teams together.
Yes, do the cyber security activities recommended to reduce risk. However, consider budgeting for a cyber workforce with the knowledge, skill set, and abilities to perform the duties required efficiently. At Avertere, we can help define job titles, descriptions, and budgets for hiring talent to achieve risk reduction activities. Fortunately, a Government entity known as the Cybersecurity & Infrastructure Security Agency has provided a framework known as the Cyber Workforce Development Framework. https://niccs.cisa.gov/workforce-development/nice-framework
By adopting a Cyber Workforce framework, SuperIntendents will know what jobs to hire and how much to ask for in budgeting for these jobs. Additionally, there will be a reduced burden on IT, Administrators, and Faculty members. Finally, by hiring the skillset in risk reduction across security domains, the district benefits by having an objective point of view on vendor effectiveness to meet the district's risk priorities with their capabilities.
We have observed that many schools that purchase cameras do so in an ad-hoc fashion. For example, the Tik-Tok challenge of devious licks was the catalyst for influencing the impressionable to vandalize school bathrooms for laughs or follows. Some schools immediately sprung into action by purchasing cameras to monitor bathroom facilities' ingress and egress to identify who might have vandalized facilities. Due to this procurement behavior, we learned that some districts have different cameras with different capabilities across all of the school campuses. Therefore, efficiency leveraging cameras for biometric detection and response was not considered part of implementing the camera on the campus.
An example of doing things differently is by the Board of Directors publicly announcing the top 5 Safety and Security priorities and evangelizes the superintendent and other operational teams to deliver on these priorities. Let's start with a few examples:
The above are examples of priorities that may be based on likelihood and impact on human lives. Rather than buying cameras for an event in a single time and moment, consider all of the priorities. Cameras can use biometric data to detect potential risks to humans, identify concealed weapons, automate door locks, automate communication, provide threat visibility, and even be used with non-optical sensors to detect and identify students partaking in drugs or vaping. Avertere's School Security Operations Center (SSOC) could be the school's ally or the professional cyber security team who provides eyes on the glass to monitor for human threats behind the cameras and on systems to prevent ransomware impacts on operations. Avertere's SSOC even performs Open Source Intelligence Gathering, which collects public data for early warning indicators of threats to the school, like an active shooter.
Technology without humans is a paperweight waiting for a reactive investigation. For every technology investment, ask yourself the following question. What job titles and job descriptions are responsible for ensuring interoperability between technology investments and the team's school safety and security processes as it applies to meeting the district risk priorities? If you cannot answer that, the strategy has a gap.
Avertere can help establish a strategy, identify the budget to hire a cyber workforce, and ensure interoperability between technology and the school's safety/security programs.
Who is responsible for leading safety/security efficiencies across all organizations? Who is responsible for ensuring technology investments are being used at its most total capabilities to enable efficient human response to school safety/security risks? Typically, we receive answers indicating the responsibility is the SuperIntendent, the Physical Security Director, or the Technology Services Director.
In industry, the CISO evangelizes an understanding of risk to the business and corrals buy-in from across the organization to adopt a culture that enables risk reduction through people and technology. The CISO influences the highest-level policy for the school district’s best interest.
Regardless of who the leader is, that CISO purpose needs to happen at the Board of Directors level to have a trickle-down effect on all school campuses. A good leader clearly understands the school's priorities, can support budgeting/hiring talent, and can influence measurable success in reducing risk or harm to others. The number of assets to consider in business is the safety and security of people. Schools are unique, especially K12. If we can deliver safety and security to our kids, there will likely be a beneficial impact on our future economy.
It is essential that teachers feel safe to teach our kids in school again, that students are less distracted by outside influences, and that schools deliver programs that efficiently detect and respond to threats. School districts should be transparent in this effort by providing measurable results to Parents, Administrators, Faculty members, and students.
Avertere is technology agnostic. Our mission is to bring school safety and security to all schools. We are an ally to the school district. We are determined to reduce the burden of safety and security off the shoulders of administrators and faculty members so they can focus on their primary mission, teaching our students.
If you’ve been following Avertere's blogs, you likely know a thing or two about online threats aimed at educational settings like schools. But,...
Greetings, K12 School champions! Our recent explorations, “How to Spot Cyber Threats that Could Harm Schools” and “Cyber Threats to Edu Cloud...
In a previous blog, we delved into identifying cyber threats to schools and how they cause impact using MITRE ATT&CK. Today, we narrow down our focus...