Last month my colleague, Richard Quinones, wrote about the "5 Components of an Effective and Sustainable Cybersecurity Program for Large School Districts." I would like to speak further about the second point, "Inventory the Risk and Identify the Priority."
Having served as Chief Information Officer for Miami Dade County Public Schools, the need for a Risk Assessment became so clear that before I left the District, I recommended an outside agency conduct a risk assessment. The number of attacks, threats, and vulnerabilities experienced by Miami-Dade had been on the rise since our first cyberattack during our state online testing period in 2014.
These attacks occurred despite the use of threat management and filtering software, evidence that hackers are becoming very sophisticated. This level of sophistication makes it a fiscal challenge for Districts (most of which have shrinking budgets) to manage, monitor, and purchase all the tools and resources needed to thwart these attacks.
In Miami-Dade we had over 300,000 district-connected devices and users, and we received over 204 million emails weekly, with only 1.2 million considered clean. Even while filtering out massive numbers of malicious emails, the District was still susceptible to phishing attacks. This is not a hypothetical threat: just recently the DailyScoop published insight into the ransomware that has crippled Atlanta’s computer systems and infrastructure for days, revealing it was compromised by phishing emails.
With the growing number of ways organizations can be attacked, it is understandable that your information technology group is always playing catch-up with new and zero-day threats. It is very difficult to take a proactive approach to cybersecurity, but working with external experts to perform a risk assessment is the first and most important action to take. The reasons are as follows:
- An external expert will provide an objective opinion
- The assessment will identify your critical business functions and associated risks and develop a priority of needs
- It will provide an inventory of what is already in place and working well
- It will demonstrate that cybersecurity is not just an information technology function and will help in developing a communication plan to all stakeholders regarding the severity of the risks across the organization
- It will help you convince the Board and leadership why they need a cybersecurity strategy, budget, and resources
- It will provide next steps for making your cybersecurity plan operational and auditable by recommending threat management and prevention tools, incident response processes, and raising organization awareness
Debbie Karcher is a Senior Education Advisor for iboss. Before joining iboss, she was chief information officer of Miami Dade County Schools, the nation’s fourth-largest school district. At Miami Dade County Schools, Karcher directed the information systems and a network infrastructure that included more than 400 schools and administrative locations with over 390,000 connected devices.
Debbie has spearheaded cost-saving initiatives and system deployments that received worldwide recognition. She has led a wireless initiative that provided campus-wide wireless access to all 400 locations and 30,000 access points, making it one of the largest wireless initiatives in the nation.
She has an award-winning background that includes recognition as a nationally acclaimed executive and a history of setting trends in K-12 technology.
To learn more about how to secure large school district networks, download our whitepaper "K-12 Cybersecurity Involves More Than Just CIPA Compliance."