Cybersecurity Risk Management in K-12 Education: Challenges and Strategies
Facing a surge in cyberattacks, K-12 schools struggle with limited funds, expertise, and staff for cybersecurity. This leads to vulnerabilities that make them prime targets for hackers. Lack of dedicated cybersecurity resources and training exacerbates the risks, highlighting the urgent need for comprehensive security measures and governance in educational institutions.
Presentation Transcript
Building a Resilient Shield: Cybersecurity Risk Management Strategies for Public School Districts - MSPLIP
Jeff Schobel, CEO, ResoluteGuard
Room 103, 3-4pm, 6/15/2023
TODAY'S SESSION
Agenda:
K-12 Cybersecurity Challenges
Cyber Attacks
Cyber Insurance
Importance of Executive Governance
Today's Technology Director
Cyber Action Plan & Strategy
Policies and Guidelines
Vulnerability Assessments
Questions
CYBERSECURITY CHALLENGES IN EDUCATION
Cyberattacks are on the rise and outpacing even the most skilled IT professionals.
Lack of Funds for Cybersecurity Tools
Implementation of Basic Cybersecurity Tools
Lack of Expertise and/or Dedicated Cybersecurity Professional
Staffing Challenges: Implementing, Managing, Monitoring
STATE OF OUR SCHOOLS
School Districts face ongoing staffing challenges in implementing, managing, and monitoring the cybersecurity of their networks and systems.
Lack of positions allocated to cybersecurity
Inability to find and hire staff with cybersecurity skills and training
Concentration of cybersecurity responsibilities on a single staff member who is not a dedicated cybersecurity resource
Lack of training on resources to respond when a threat is identified
At-home learning; 1:1 schools and network devices
CYBER ATTACK DATA
Microsoft Study: 63% of all malware attacks worldwide happen within K-12
Average of 214 days a Cybercriminal goes undetected within a network
Average of 72 days needed for recovery efforts
2021 Report: Over 1,000 K-12 cybersecurity incidents since 2016
K-12 Viewed as Soft Targets and Lucrative: Student and Employee PII, with Cyber Criminal Sophistication!
HACKERS INFILTRATE SECOND-LARGEST U.S. SCHOOL DISTRICT IN GROWING TREND
September 7, 2022
District staff recognized the breach quickly and took fast action that may have averted an operational disaster. When the district acknowledged the attack, officials also announced an array of measures to improve cybersecurity. These measures, the district said, "have been taken, will be taken immediately or will be implemented as soon as feasible. It requires all of us to work together to work to identify these threats and these actors and to take steps to mitigate the damage." District officials said they immediately established a plan of action to provide protection in the future, informed by top public and private sector technology and cyber security professionals.
AS RANSOMWARE AND OTHER CYBER-ATTACKS INCREASE, INSURANCE COVERAGE COSTS AND TERMS ARE ALSO INCREASING
Lowering of Coverage Limits
Increasing Premiums and Deductibles
Limited or No Ransomware coverage
Required Security Controls in place
Insurance Carriers Are Requiring Detailed Questionnaires to Determine Insurance Renewal Costs and Terms
2022-2023: Recommendations or Few Security Controls
2023-2024: New Security Controls?
Cyber Insurance Coverage - Public Entity Minimum System Security Standards/Best Practices
Patching: Updated within 30 days; 1-7 days for Critical & High Severity patching
Guidelines/Policies: Incident Response; Disaster Recovery; Business Continuity
Backups: Separate from Primary Network; Regular Backups; Testing; Encryption; Restore within 72 Hours
Anti-Virus
Multi-factor Authentication (MFA): 100% for Remote Access and Privileged User Accounts; Email Access
Endpoint Protection, Detection & Response (EDR): EDR Solution in place across Enterprise
Remote Desktop Protocol: MFA-Enabled VPN Remote access; Network-level Authentication enabled
Employee Training: Simulated Phishing Email Training; Regular Cyber Security Training; Fraudulent Accounting Transactions
Regular Vulnerability Scans/Assessments
End of Life Software: Plan/Guidelines and Adequate Measures to Protect EOL Software
CYBER RISK MANAGEMENT IS:
Reactionary in Nature
Focused only on IT Security
Nonalignment with District Objectives
Check the Box Mentality
Senior Executives asking the Wrong Questions
Compliance ≠ Security; $'s ≠ Security
Security Extremely Difficult to Quantify
BUSINESS DECISIONS
K-12 Decision makers may be disconnected from the cyber realities. Decision makers are unaware an incident can lead to serious harm. This should be cause for immediate action.
BUSINESS DECISIONS
What questions should administration be asking IT?
What questions should IT be asking administration?
KEY BENEFITS OF GOVERNANCE
Ensure Risks are Identified and Addressed
Ensure Value is Brought to the District
Ensure Systems and Policies are in Compliance
WITHOUT EXECUTIVE GOVERNANCE & IT
Difficulty aligning District and IT strategies
Difficulty achieving intended goals
Less likely to realize value
Higher IT-related costs for continuity
Less innovation
Less trust between IT and administration
HOW DO YOU MEASURE THE VALUE OF INFORMATION AND TECHNOLOGY?
Value as: Ensure Value is Brought to the District
Benefits Realization & Resource Optimization
RISK MITIGATION
How do you measure the mitigation of risk related to information and technology?
Ensure Risks are Identified and Addressed
RISK OPTIMIZATION
Address risks associated with Information & Technology
Focus on the preservation of value
Integrated within risk management
Ensure an IT security focus for the District
Measured showing impact and contributions of optimizing Information and Technology related risk
TODAY'S TECHNOLOGY DIRECTOR
TODAY'S TECHNOLOGY DIRECTOR
No Time
Lack of Advanced Capability
Lack of Funds
Too Many Daily Operational Needs
Lack of Shared Plan
THE ROLE OF THE CISO
A CISO is the executive-level manager who directs strategy, operations and the budget for the protection of the enterprise information assets and manages that program.
Governance of I & T
Cyber Risk
IT Compliance
IT Assessment / Audit
Cybersecurity Awareness
Related Policies/Guidelines
CYBER ACTION PLAN & STRATEGY
You must have a plan with a strategy of continuously improving your cyber-security profile to meet today's ever-evolving cyber security challenges.
CYBER ACTION PLAN & STRATEGY
Leverages your Cyber Plan & Strategy to Align Your Executive Governance, Administrative and Technical Activities with Regulatory and Insurance Requirements and/or Considerations, to Guard Against a Cyber Disruption of Service
Supports Continuously Improving Your Cyber-Security Profile
BENEFITS
Increased alignment between Cybersecurity and District Objectives
Development of Information Security that is nimble and flexible
Reduction in wasted efforts and resources, and improvement in efficiency of security and the district as a whole
Opportunity to identify new, secure innovations and technology
True synergy between security and district leadership, where the goals of both groups are being met
IT IS NOT IF, BUT WHEN
PRIORITIZE INCIDENT RESPONSE READINESS
Build a Comprehensive Incident Response Plan
Implement Solutions to Build "When Attacked" Resilience
Manage the Activities That Fortify Your Readiness
Support Maintenance Listed in IRP Guideline
Schedule Incident Response Tabletop Exercise
Keep Incidents From Becoming Disasters to Manage Potential Loss and Avoid a Disruption of Critical Community Services
IT IS NOT IF, BUT WHEN
BUILD YOUR RESPONSE READINESS TO PREVENT AN INCIDENT FROM BECOMING A DISASTER
IMPORTANCE OF DOCUMENTING GUIDELINES TO MANAGE MAINTENANCE ACTIVITIES AND CONTINUOUS IMPROVEMENT
Documented Guidelines and Procedures:
Incident Response Plan
Business Continuity & Disaster Recovery Plan
Information Security Policy
Data Backup Guideline
Multi-Factor Authentication
Security Awareness & Training
End-Point Detection & Response
Firewalls and Anti-Virus
Vulnerability Assessment
IDENTIFY STRENGTHS & WEAKNESSES IN ALIGNMENT WITH REGULATORY OBJECTIVES, in Accordance with the United States National Institute of Standards & Technology Cyber Security Framework (NIST-CSF)
Universal Gold Standard Framework
Mandated / Recommended as a Basis for All Government Programs
Continuously Updated with Newly Identified Cyber Risk
IMMEDIATE ACTION LIST
Asset Documentation: Hardware and Software
External Vulnerability Assessments
Internal Vulnerability Assessments
Risk Prioritization and Mitigation
Penetration Testing (Pen Testing)
NETWORK SCANS ARE CONDUCTED TO DOCUMENT YOUR CURRENT INTERNAL AND EXTERNAL SOFTWARE AND HARDWARE STRENGTHS AND WEAKNESSES
Anti-Virus, Anti-Spyware, Patching, Firewalls, Data Backup, MFA, Password and Access Management, Email filtering, Employee Training, Inactive Computers and Users, External Listening Port Vulnerabilities, Operating Systems and Software No Longer Supported, etc.
HIGH SEVERITY ISSUES
Points | Issue | Description of Risk | Fix
97 | Unsupported Microsoft Office Version | Unsupported software no longer receives vital security patches and presents an inherent risk | Upgrade Office
97 | Unsupported Operating System | Unsupported operating systems no longer receive vital security patches and present an inherent risk | Upgrade OS or Replace Computer
94 | Anti-Spyware not installed | Potentially exposes computer to malicious software | Ensure Anti-Spyware is installed
94 | Anti-Virus not Installed | Potentially exposes computer to malicious software | Ensure Anti-Virus is installed
90 | Anti-Spyware not up to date | Potentially exposes computer to malicious software | Ensure Anti-Spyware definitions are up to date
90 | Anti-Virus not up to date | Potentially exposes computer to malicious software | Ensure Anti-Virus definitions are up to date
90 | Excessive Security Patches Missing | 4 or more missing security patch levels exposes computer to malicious software and access | Implement security patching program
MEDIUM SEVERITY ISSUES
Points | Issue | Description of Risk | Fix
88 | Offline Domain Controller | Indication of an error caused by an improperly de-commissioned Domain Controller or a fail-over condition that should be remediated | Investigate/remove offline controllers
77 | Account lockout not enabled | No account lockout allows brute force password attacks without interruption | Enable Account Lockout for all users
75 | Password less than 8 characters allowed | Allowing users to pick extremely short passwords leaves them vulnerable to brute force attacks | Enable enforcement of password length rule
75 | Password complexity not enabled | Enforcing password complexity limits the ability of an attacker to acquire a password through brute force | Enable enforcement of password complexity rule
72 | Password history not Remembered | Short password histories allow users to rotate through a known set of passwords which may have been compromised | Set password history remember to at least 6
72 | Automatic screen lock not turned on | Having no screen lock enabled allows unauthorized access to network resources | Enable automatic screen lock
68 | Disk Space Issues | Low disk space makes computers unstable and susceptible to malicious software | Free or add disk space
50 | Open or insecure WiFi protocols by SSID | Open or insecure WiFi protocols may allow an attacker access to the company's network and resources | Ensure WiFi is secure
LOW SEVERITY ISSUES
Points | Issue | Description of Risk | Fix
30 | User Password Set to Never Expire | Persistent passwords are more easily compromised than passwords that are routinely changed | Set all passwords to expire; schedule service account changes
20 | Operating System in Extended Support | Extended Support is a warning period before an operating system is no longer supported by the manufacturer | Upgrade Operating Systems
15 | Inactive Computers | Computers not actively connected to the Domain are at risk of missing security updates | Investigate/remove inactive computers
13 | User has not logged in 30 Days | A user that has not logged in for an extended period of time could be a former employee or vendor | Disable or remove inactive users
10 | Computer with Insecure Listening Ports | Open port use should be minimized as much as possible to prevent the spread of malicious software | Investigate/close open ports
10 | Unpopulated Organizational Units | Unpopulated Organizational Units may indicate a misconfiguration of Active Directory | Remove or populate empty organizational units
PERCENTAGE OF K-12 WITH ISSUES / AVERAGE OCCURRENCE OF ISSUES PER K-12
Points | Issue | Percentage of K-12 with this issue | Average Occurrence of Instance Type
97 | Unsupported Microsoft Office Version | 71.4 | 4.0
97 | Unsupported Operating System | 85.7 | 18.1
94 | Anti-Spyware not installed | 71.4 | 9.4
94 | Anti-Virus not Installed | 71.4 | 8.7
90 | Anti-Spyware not up to date | 85.7 | 56.7
90 | Anti-Virus not up to date | 57.1 | 6.3
90 | Excessive Security Patches Missing | 71.4 | 15.6
88 | Offline Domain Controller | 0.0 | 0.0
77 | Account lockout not enabled | 71.4 | 57.1
75 | Password less than 8 characters allowed | 42.9 | 12.4
75 | Password complexity not enabled | 28.6 | 4.7
72 | Password history not Remembered | 71.4 | 62.9
72 | Automatic screen lock not turned on | 57.1 | 53.3
68 | Disk Space Issues | 57.1 | 1.3
50 | Open or insecure WiFi protocols by SSID | 85.7 | 6.3
30 | User Password Set to Never Expire | 100.0 | 147.1
20 | Operating System in Extended Support | 71.4 | 19.9
15 | Inactive Computers | 100.0 | 117.0
13 | User has not logged in 30 Days | 100.0 | 166.0
10 | Computer with Insecure Listening Ports | 100.0 | 62.4
10 | Unpopulated Organizational Units | 85.7 | 21.0
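The following is an added example, not code from the presentation or from ResoluteGuard: it applies the severity points from the issue tables above and the insurance patching windows from the minimum-standards slide to constructed scan findings, producing a per-host remediation order. The host names, the sample findings and the high/medium/low band thresholds are assumptions.

```python
from collections import defaultdict

# Severity points copied from the slides' High/Medium/Low severity tables.
ISSUE_POINTS = {
    "Unsupported Operating System": 97,
    "Anti-Virus not Installed": 94,
    "Excessive Security Patches Missing": 90,
    "Account lockout not enabled": 77,
    "User Password Set to Never Expire": 30,
    "Computer with Insecure Listening Ports": 10,
}
# Insurance patching windows from the minimum-standards slide: 30 days in general,
# 7 days (top of the stated 1-7 day range) for Critical and High severity patches.
PATCH_WINDOW_DAYS = {"critical": 7, "high": 7, "medium": 30, "low": 30}

def severity_band(points):
    """Band a finding like the slide tables do (thresholds assumed: 90+ high, 50-89 medium)."""
    return "high" if points >= 90 else "medium" if points >= 50 else "low"

def patch_overdue(patch_severity, days_since_release):
    """True when a missing patch has been available longer than the insurance window allows."""
    return days_since_release > PATCH_WINDOW_DAYS[patch_severity.lower()]

def prioritize(findings):
    """findings: list of (host, issue) pairs from a scan. Returns hosts ordered by total
    risk points, each with its findings highest-points first: a remediation order."""
    per_host = defaultdict(list)
    for host, issue in findings:
        per_host[host].append((ISSUE_POINTS[issue], issue))
    ranked = []
    for host, items in per_host.items():
        items.sort(reverse=True)  # highest-weighted finding first
        ranked.append({"host": host, "score": sum(p for p, _ in items),
                       "findings": [(i, severity_band(p)) for p, i in items]})
    ranked.sort(key=lambda r: (-r["score"], r["host"]))  # riskiest host first
    return ranked

# Constructed sample scan output for three machines (hypothetical hosts, not real data).
SAMPLE_FINDINGS = [
    ("lib-pc-01", "Unsupported Operating System"),
    ("lib-pc-01", "Anti-Virus not Installed"),
    ("admin-02", "Account lockout not enabled"),
    ("admin-02", "User Password Set to Never Expire"),
    ("admin-02", "Computer with Insecure Listening Ports"),
    ("lab-07", "Excessive Security Patches Missing"),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS):
        print(row["host"], row["score"], row["findings"])
```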
PROGRESS & CHANGE
Internal / External Scan Updates Your Strengths and Weaknesses
Incorporates Progress Made and Any Newly Identified Risks
Update & Re-Prioritize Cyber Action Plan Activities by Risk of Loss
Plan & Strategy Supports Continuous Improvement
IN SUMMARY
Executive Governance: Collaborative Relationship
Translate Technical Language into Easy-to-Understand Reports and Guidelines
Customized to Validate Compliance with Specific 2023-2024 Insurance Company Requirements
Prevent a Cyber-Incident from Becoming a Disaster (Disruption of Critical Community Services)
Identify and Document Internal and External Strengths and Weaknesses
Align Continuous Improvement Objectives with Evolving NIST-CSF Based Control Requirements
QUESTIONS?
PRIVATE AND CONFIDENTIAL - NOT FOR DISTRIBUTION
tel 201-563-9899 jschobel@resoluteguard.com resoluteguard.com