Information security is a top concern in every industry. In 2015, the percentage of reported data breaches caused by hacking incidents increased 8.4 percent over 2014 numbers to reach the highest value in nine years (37.9 percent), according to a report from the Identity Theft Center. Cyber crime is a sophisticated criminal enterprise, and billions are lost annually through breaches of businesses, healthcare organizations, and government entities; and yes, educational institutions too.
Hampered by tight budgets and lean IT departments, K-12 schools often are forced to put off implementing tighter security defenses or, in some cases, to forgo implementing them at all. That’s a concern for school administrators and IT directors who are charged with protecting the names, addresses, Social Security numbers, and other forms of personally identifiable information (PII) of students and staff members. And it should be. Cyber thieves are aware of the challenges K-12 school districts face, and that’s why they consider them attractive targets.
In February 2016, Horry County Schools in South Carolina experienced a ransomware attack, resulting in the shutdown of more than 100 systems and servers to stop the spread of the virus. In April, Arlington Public Schools in Virginia reported a data breach that exposed personal information of employees to an “unknown party.” That same month, Northeast Independent School District in Texas was hit with a ransomware attack that affected all 20 of its campuses.
The best way to protect your school district against the impact of similar attacks is to implement an effective security program. As you evaluate your current program, make sure you haven’t overlooked these ten elements:
- Strategy. Do you have a well-defined security strategy and plan? Is it documented? If so, how often is it updated? Surprisingly, many organizations don’t have a documented plan. Your security strategy document should address your security mission, objectives, initiatives, and governance model. A documented plan that is updated appropriately when new threats emerge is essential to protect against modern cyber incidents.
- Processes, policies, and procedures. A successful security program includes people, processes, and technology. Too often, processes and procedures are given only a cursory glance with most attention directed toward security technology and tools. But products alone are not sufficient to guard against advanced threats. Security processes must be defined. Policies must be written. And then products can be selected.
- Vulnerability assessments. Do you have a process for identifying vulnerabilities and do you perform assessments frequently? Unfortunately, many organizations perform vulnerability assessments only once a year. But the threat landscape continually changes, requiring more than just an annual assessment. Make sure you have a process that works and perform assessments quarterly at a minimum—monthly would be even better.
- Critical systems patching. Updating critical systems requires planning and testing to make sure patches work without introducing other application problems, and the process is an essential component of an effective security program. Don’t get behind on software maintenance, or you could put critical systems at risk. Make sure you have a process to patch and to test critical systems to ensure you are protecting those systems against vulnerabilities.
- Penetration testing. You can’t close a gap if you don’t know it exists. Penetration testing will help you identify where your security gaps are located so you can take steps to eliminate the exposure.
- Risk identification and treatment. How do you identify and assess risk in your organization? What action do you take when a risk is found? Make sure you have a process that describes how you detect, document, and formalize security risks—and the steps you will follow to define a treatment plan.
- Incident response. Do you know how you will respond when an incident is detected? Have you defined what actions will be taken by whom? Whether the result of a hack, a process failure, or an unintentional mistake, security incidents will occur. The key is to respond with the appropriate actions quickly and thoroughly to minimize the damage. For that to happen, a well-written incident response plan that has been tested and communicated is essential.
- Next-generation firewall. Next-gen firewalls provide advanced-level protection by combining traditional firewall functions with intrusion prevention capabilities and policy-based application control. Without exception, every organization should have a next-gen firewall implemented.
- Malware detection and response (network and endpoint). Malware continues to be the most frequently used method for instigating breaches. According to The 2016 SANS Incident Response Survey, 69% of respondents said malware was the “underlying cause” of their breaches. Make sure you have malware detection and response capabilities, both at the network level and the endpoint level, to ensure you are protected.
- Continuous risk management philosophy. A “set it and forget it” approach to security is risky in today’s digital environment. An effective program treats security as a continuous lifecycle, assessing vulnerabilities throughout the year, evaluating risks, and taking decisive action to mitigate exposures proactively.
Without question, cyber security is a serious challenge, and staying abreast of the latest threats is a full-time job. New exploits are discovered almost daily. And it seems as if a new security product or SaaS solution springs up every week to offer better protection than the multitude of tools already on the market. But a product-based approach alone will not provide adequate protection against modern threats. Information security is a continuous lifecycle that requires ongoing attention to identify vulnerabilities and to close gaps, before a breach occurs.
For information on how ePlus can help you implement a holistic security program that is right for your organization, visit www.eplus.com/security, email firstname.lastname@example.org, or contact your ePlus Account Executive.