How to Ensure That School IT Environments are Secure
Accessing and sharing information electronically is a fast and cost-effective way to get tasks completed. No wonder most schools, school districts, state education agencies, colleges and universities are using technology to manage student, staff and administrative records.
Unfortunately, safeguarding digital information is not as straightforward as tasking a technical staff person to verify that the “system” is protected. It takes time and expertise to create a customized school or district security policy.
Schools, whether higher education or K-12, are as prone to hacking and other attacks as businesses are, and they face many of the same types of threats. Because colleges and universities in particular have a relatively large number of mobile device users, they need to be vigilant about security threats related to mobile products and apps.
School security’s bad grades
Industry research shows that, to some extent, many educational institutions are falling short when it comes to delivering strong cybersecurity. A 2014 study of security in higher education by the SANS Institute, an information security cooperative research and education organization, pointed out several weaknesses in the industry. These include a lack of risk assessment practices, the existence of unclassified and unmanaged data, and the understaffing and underfunding of security programs.
The institute surveyed about 300 IT professionals at colleges and universities and only 45% said their organization has formal risk assessment and remediation policies in place. At smaller schools, only 31% have such policies in place. Only 57% of the institutions said they classified their sensitive data and provided guidelines for how to handle data safely.
Why school security doesn’t make the grade
One of the biggest problems is a lack of funding and staff for information security. About two-thirds of the survey respondents said they thought their organization needed additional staff, and 43% thought they could pay top rates for the skills needed. About three-quarters said the lack of budget was the reason they weren’t able to sustain or boost staff.
Furthermore, many schools don’t seem to have a good handle on how often they’re being attacked. A survey conducted in 2014 by consulting firm PwC with CIO and CSO magazines showed that, among respondents in the education/non-profit sector, 22% said they did not know how many security incidents their institution had detected within the previous 12 months.
That compares with an average of 10% for survey respondents from all industries in the report, the Global State of Information Security Survey 2015.
Strategies for improving school security
Clearly, there’s room for improvement in information security efforts in the sector. For educational institutions, the first step toward creating a successful security program should be to conduct an assessment of the entire organization to identify threats, vulnerabilities and appropriate safety controls.
Research firm Forrester has developed a maturity model that provides functional explanations and evaluation criteria for all aspects of a complete information security organization. It provides the foundation for Forrester’s IT security and risk program assessment engagements and offers clients a comprehensive self-assessment tool.
The Forrester Information Security Maturity Model (October 2014) provides a framework that describes all of the required functions and components of a comprehensive security program. With a three-tiered hierarchy, it also offers a methodology for evaluating the maturity of each component of the framework on a consistent and prescriptive maturity scale. This lets an organization report its position at a level of detail that can be adjusted for various audiences.
Forrester says organizations can avoid oversights and omissions by using the model as a checklist. “Information security is a complex discipline, and CISOs need a checklist to ensure they haven’t overlooked a core control or function,” the firm says. “This maturity model acts as an independent reference guide that covers all key industry frameworks, defining all the necessary functions of an effective security program.”
Once schools have completed a thorough assessment, they can begin implementing security tools that make the most sense in order to address needs and vulnerabilities. They can do this on their own or bring in expert help from a security managed services provider that is familiar with the education market.
Security success through non-profit networks
As in other industries such as retail, the education sector is making efforts to bolster cybersecurity among organizations. For example, Educause, a nonprofit association of IT leaders and professionals committed to advancing higher education, created the Higher Education Information Security Council (HEISC) to provide coordination for the industry.
The mission of HEISC is to support higher education institutions as they aim to improve information security governance, compliance, data protection and privacy programs. HEISC accomplishes this through volunteer groups supported by professional Educause staff, as well as with collaborations among other organizations that address information security and privacy in higher education.
The group actively develops and promotes information security leadership, awareness and understanding; effective practices and policies; and guidance for the protection of critical data, IT assets and infrastructures. It has working groups and committees in areas such as awareness and training; governance, risk and compliance; and technologies, operations and practices.
Among its strategic priorities for 2015 are to advance information security strategies in higher education and to continue to build the information security profession.