In 2021-2022, 56% of K-12 educational institutions were affected by ransomware. This is an increase of nearly 25% from the previous year. This is a staggering number, and a clear sign that the threats to schools are only getting worse.
Risk assessments are one of the best ways K-12 schools can understand their cybersecurity vulnerabilities and decide how to defend against them strategically, but this important tool is often neglected. After all, assessments can be downright terrible to implement, take up valuable time, use confusing terminology, and often don’t seem to solve any problems.
If this sounds familiar, we have good news for you. Yes, risk assessment is far from sunshine and roses. However, by following these guidelines, you can get through the process with less friction and pain, and ultimately improve your security posture.
1. Be specific about risk and tolerance
Let’s be clear: most risk assessments are unnecessarily tedious and time-consuming. If you’ve tried to go through this process before and found yourself spending weeks or months on it, you’re using the wrong assessment. The assessment you have may be written as a one-size-fits-all template for every kind of organization, may be too narrow in scope (not tailored to you or your needs), or may use idiosyncratic terminology. It’s quite possible that its authors simply don’t understand the nuances of working in an educational environment.
The security priorities of a K-12 school are naturally different from those of a government agency or other organization. Risk assessments therefore need to be tailored to your specific situation, risks, data types, and even language. When you get started, identify which aspects of cybersecurity matter most to you. For schools, this typically means protecting student data. From there, you can determine your risk tolerance and let it inform your strategy and planning.
2. Simplify the language
Let’s face it. Although IT professionals perform risk assessments, administrators and managers are typically the ones who read them. This leads to a disconnect in language, general frustration, and subpar results for everyone.
After all, the way an IT person talks about security gaps is going to be very different from the way a principal or superintendent talks about them. If the person authorized to approve security measures does not understand them, they are unlikely to be approved. Communication is key, so make sure your risk assessment is written by humans, for humans, and in language that fits a school environment rather than a commercial enterprise.
3. Loop in others
Risk assessments need to be thorough to be accurate, but that doesn’t mean one person has to carry the burden. In fact, the best evaluations are done through teamwork. When you begin your assessment, take the time to think through who on your team is best suited to answer specific questions or sections. Delegate that part to them, along with deadlines for when they need to complete it. Then rinse and repeat for all other questions and sections. This allows assessments to be completed quickly and provides more comprehensive insight.
4. Understand how compliance fits into the big picture
As educational institutions, K-12 schools must follow certain rules. While you may have invested time and resources to comply with minimum standards set by regulations such as FERPA, it is important to understand that this alone does not meet your cybersecurity needs. Compliance and security are not the same thing. So by all means, ensure compliance where it is required, but take the time to improve your security posture beyond compliance. To protect your most sensitive data, it’s important to cover all your bases.
5. Define what to do next
Finally, one of the most obvious problems with many risk assessments is that they simply point out a long list of security holes without providing any guidance on how to prioritize or fix them. Anyone conducting a risk assessment should share their findings and take the time to guide the school on a path forward, keeping its top priorities, risk tolerance, and available resources in mind while helping it create a workable and realistic plan.
When it comes to schools, cybersecurity is paramount. Risk assessments have been terrible in the past, but when properly managed they can be an extremely valuable tool. Make your school safer by following the tips outlined here and conducting a risk assessment designed for your school. It still won’t be fun for anyone, but it will be far more palatable, and it will help protect your school and its sensitive data the way they should be protected.
Ryan Cloutier, CISSP, President of SecurityStudio
Ryan Cloutier, CISSP, is president of SecurityStudio, a company dedicated to solving problems in the information security industry through simplification. Ryan, a passionate cybersecurity thought leader, can be reached at rcloutier@securitystudio.com.