Understanding School Cybersecurity: How to Start & Stay Safe

If you’ve been following Avertere's blogs, you likely know a thing or two about online threats aimed at educational settings like schools. But, sadly, we’ve noticed that many school IT and Security departments are a bit behind. They often think, “Who would target a school?” Well, the answer is, many people would, and they do. So, what should you focus on to keep your school safe? Let’s break it down.

Why a Framework is a Must

The first step in ramping up your school's cybersecurity is adopting a recognized security framework. We at Avertere recommend starting with the Center for Internet Security (CIS) Version 8. This framework aligns with important CISA Cross-Sector Cybersecurity Performance goals and can serve as your blueprint for safeguarding school IT systems.

What is CIS?

CIS is a nonprofit organization with two decades of experience in providing globally recognized security guidelines. They also offer a Risk Assessment Methodology (CIS-RAM) and a handy Controls Navigator. These tools can help you understand the risks you face and what investments you need to make to mitigate those risks. If this sounds complicated, don’t worry—Avertere is here to help you get started.

Starting with Basic Cyber Hygiene

Now, if you go to the CIS Navigator page, you’ll notice a list of 18 critical security areas, 3 implementation groups, and a total of 153 safeguards. Don't let this overwhelm you. To begin, you only need to focus on a subset of these: CISv8 Implementation Group 1, which outlines 56 safeguards aimed at establishing "essential cyber hygiene."

Simplifying the Process

Here’s how to simplify things:

1. Go to CISv8 Controls Navigator
2. Select “IG1”: This narrows down the list to 56 safeguards you should look at.
   
   
3. Select Mappings: Check the boxes that relate to other relevant frameworks like "CISA Cyber Performance Goals," "NIST CSA Cloud Controls Matrix v4," "NIST CSF," and "MITRE Enterprise ATT&CK v8.2."
   
   
   By doing this, you’ll find that the list narrows down further to 9 control areas and 14 safeguards—a much more manageable task to start with if you are just beginning.
   
   
4. Click on the carrot (^) symbol next to "Safeguard 1.1: Establish and Maintain Detailed Enterprise Asset Inventory."

When you click on the carrot (^), you'll see "Mappings to other frameworks" listed underneath.

What does this mean? It means you’ll see how this safeguard aligns with other security frameworks like CISA, NIST, or MITRE. This is super helpful because it shows that implementing this one safeguard helps you meet multiple security goals at once. Plus, you get a sense of how universally important this safeguard is across different frameworks.

More About These Frameworks

• CIS: One stop shop for security guidance and mappings to multiple frameworks.
• CISA Cross-Sector Performance Goals: These are guidelines designed mainly for smaller and mid-sized governmental entities.
• Cloud Security Alliance (CSA): Offers best practices for cloud settings that aren't tied to any particular vendor.
• MITRE Enterprise ATT&CK: Helps you understand the strategies that hackers may use, so you can better defend against them.

In Summary

Your school's IT and Security department can indeed secure your digital assets effectively. Start by understanding the risks we’ve talked about in previous blogs and establish a Risk Management program based on CIS-RAM. Try to reach basic cyber hygiene as laid out in the CISv8 guidelines.

If you find this info helpful, remember to subscribe and follow Avertere. Reach out to us for more guidance and learn about “no-cost” programs that can further secure your school.

Stay safe! 🛡️