Template designed to help school districts prepare to respond to security- or IT-related incidents
If we find a breach that affects your employees, we will send an email notice to the administrator(s) of your S2Team account. This will include the name of the breached site as well as the email addresses and data that were compromised.
Minneapolis, MN –May 24, 2022 –SecurityStudio, the provider of simplified solutions to secure organizations, has brought to market the industry’s first K12 Incident Response Plan Template, completely free of charge. Schools are one of the industries most in need of advanced cybersecurity protections, but are often without budget or resources to help protect data. SecurityStudio caters to underserved communities – such as schools and educational institutions – as part of its “mission before money” mantra.
Many schools and districts don’t have a formal cybersecurity plan in place. While they are well-prepared for classroom disruptions, severe weather or fire drills, remote learning, or bullying events, many do not have plans laid out for how to manage and respond to cybersecurity incidents, which are growing at a rapid pace. According to the Cybersecurity & Infrastructure Security Agency, cyber actors targeted K12 educational institutions throughout distance learning in an effort to cause disruption and steal data. As schools have come back to in-person instruction, the lack of existing cybersecurity readiness plans mean that educational institutions are at risk of everything from malware to ransomware attacks.
The K12 Incident Response Plan Template was created to help school administrators prepare to respond to cybersecurity incidents. The SecurityStudio K12 Cybersecurity Incident response Plan Template is a document that can be customized to each school district and provides a straight forward path for what to do in the event of a cybersecurity incident.
“Many school districts do not know how at risk they are, and many may have already experienced an active cybersecurity incident without their knowledge. This won’t do. Schools are full of privileged information – whether that is health data or personal identifiable information that can be stolen for identity theft purposes. It must be protected, which is why schools need plans both for how to prevent a breach or incident and what to do when one happens,” said Ryan Cloutier, president of SecurityStudio. “For cybersecurity programs to be successful, we have to simplify it. The K12 Cybersecurity Incident Response Template does just that – makes it simple for school and district administrators to know what steps to take if an incident happens.”
Cyber criminals are targeting U.S. schools at an increasing rate after remote learning during the pandemic left them more vulnerable to hacks, and the risk shows no sign of abating as students and teachers head back to the classroom this month.
The number of publicly disclosed computer attacks on schools has exploded since 2016 to a record 408 in 2020, according to the K-12 Security Information Exchange, a nonprofit that tracks such incidents, and those figures are almost certainly an undercount because many go unreported. While schools are opening back up across the country for in-person instruction, many are expected to retain virtual learning as an option and that means more access points for potential intrusion with financial consequences for districts that are already facing increased costs to bring students back.
https://securitystudio.com/wp-content/uploads/2021/08/k-12-cyberattacks.png567940SecurityStudiohttps://securitystudio.com/wp-content/uploads/2021/05/ss-logooo-300x42.pngSecurityStudio2021-08-10 04:48:272021-09-01 21:30:01Schools Brace for More Cyberattacks After Record in 2020
Cybersecurity can be an intimidating field to people outside the industry. As Ryan Cloutier explains, when security professionals find themselves starting off conversations with users with “you’re doing it wrong,” they are already starting off at a disadvantage. In fact, this kind of dynamic only serves to further ostracize end users.
https://securitystudio.com/wp-content/uploads/2021/06/ryan-news-podcast.png321318SecurityStudiohttps://securitystudio.com/wp-content/uploads/2021/05/ss-logooo-300x42.pngSecurityStudio2021-06-17 13:36:062021-09-01 21:30:23Ryan Cloutier on Avoid the Temptation to Start Cybersecurity Conversations with “You’re Doing It Wrong” Podcast
The North Dakota Information Technology Department is focusing on several new initiatives to increase cybersecurity across government agencies as well as for the individuals they serve.
The never-ending onslaught of cyber attacks against government is pushing the state of North Dakota to take proactive action on several fronts, including the education space and working with the public to understand these threats.
The state’s cybersecurity strategy, which was accelerated by the passing of Senate Bill 2110 in February 2019, has focused largely on giving the North Dakota Information Technology Department (NDIT) authority on cybersecurity matters for the state’s 400 public entities. In the past year, the strategy has broadened with targeted initiatives, such as a statewide awareness campaign, incorporating efforts to make individuals more resilient against cyber attacks.
In the education space, there was a significant effort to install anti-malware software on 45,000 Chromebooks used by students throughout the state, announced on Jan. 19, 2021. Prior to this undertaking, protective software needed to be installed to each device manually, but now school districts can manage the deployment centrally.
As described by Steve Palmer, K-12 information systems security analyst for NDIT, this project has been in the works since August 2018, and will decrease the risk that exists anytime these laptops leave the schools. All of this comes at no cost to schools.
Palmer stressed the importance of securing these devices as distance learning continues to shape the education space. NDIT will also be working with administrators and teachers to provide training or help if needed while implementing the software, Palmer noted.
In addition, NDIT is also increasing cybersecurity awareness for the general public with a new tool it announced Dec. 10, 2020. Tony Aukland, cybersecurity education and public awareness manager, said the defend.nd.gov program provides free online cybersecurity risk assessment to citizens, who are increasingly responsible for their own online security.
Chief Information Security Officer Kevin Ford said the department has received positive feedback about the platform.
“Defend.nd.gov provides a range of tools, resources and opportunities that empower organizations and citizens in North Dakota to defend against cyber attacks and significantly impact our safety and privacy,” said Ford.
The free tool, created by SecurityStudio, allows individuals to learn about potential security risks while instructing them on how to secure mobile devices and Wi-Fi, back up data, authentication and even physical security. It also provides a report with recommended actions to individuals that can further decrease risks. Aukland said cyber criminals aren’t generally after top-secret data as much as they are valuable personal information, highlighting the importance of protecting it.
The most overarching effort might be the Joint-Cybersecurity Operations Command (J-CSOC), which will allow North Dakota to partner with other states to share intelligence. The multistate partnership will help cement best practices and establish a secure technical method of sharing this type of intelligence to work together with other states to counter threats. Currently, there is no such mechanism in place.
The project will be developed and operationalized through a series of phases. When paths are proven, outreach will begin to expand the J-CSOC and involve other states.
SecurityStudio is pleased to highlight our new, sub entity functionality inside S2Org. Complex organizations can now leverage S2Org to measure, track, and report on the information security practices of their various entities.
HOW IT WORKS
Associated entities will have their own S2Org assessments that can be completed independently or with oversight by the lead organization. To ensure consistency and reduce workload, shared controls can be copied and/or linked. Once individual assessments are completed, the results will feed into the Sub Entity Panel where comprehensive scores are calculated for the organization overall.
WHAT TO DO
Build out your list of sub entities in the Company Profile. Administrators can set the business significance for each entity and even assign users with limited access. Determine which controls are shared amongst entities and make use of the copy and link capabilities. Finally, sit back and relax. The Sub Entity Panel will track all entity performance, allowing you to focus on the bigger picture.
With our sub entity functionality, managing a complex organization doesn’t have to be complicated.
Click here to read more about managing sub entities inside S2Org.
SecurityStudio is pleased to announce the addition of threat monitoring inside S2Team.
HOW IT WORKS
If we find a breach that affects your employees, we will send an email notice to the administrator(s) of your S2Team account. This will include the name of the breached site as well as the email addresses and data that were compromised.
WHAT TO DO
Log into S2Team and review which employees were affected. Instruct your employees to go to the breached site and change their passwords for that account. This is a great opportunity to discuss the importance of unique and strong password criteria. If your organization doesn’t already have one, consider installing a reputable password manager that can help your employees create and store strong passwords.
If you prefer not to receive email notices, you can log into S2Team and unsubscribe. You will always have access to the Threat Monitoring tab, where you can see the full list of breaches your employees have been affected by.
Make threat monitoring an integral part of your security awareness program.
https://securitystudio.com/wp-content/uploads/2021/01/ThreatMonitoring.png4631030SecurityStudiohttps://securitystudio.com/wp-content/uploads/2021/05/ss-logooo-300x42.pngSecurityStudio2021-01-27 10:21:482021-09-01 21:32:20Threat monitoring is available in S2Team
Cybersecurity continues to be top of mind in new ways that we might not have considered during “normal” times. One area that needed our attention then and now is vendor management. Especially with the mad dash over the summer to get many districts ready for at least some remote learning, there are a lot of new third-party vendors on the scene.
Pre-COVID, third-party vendors for schools and districts meant everything from transportation systems and student information platforms to applications like PowerSchool, Quizlet, and Google Classroom. Post-COVID, the term references all of that–plus things like COVID tracking and tracing programs.
Regardless of whether we are talking pre- or post-pandemic, third-party vendor risk is a serious thing. Ponemon Institute found that in the United States, 61 percent of data breaches were caused by third parties and vendors.
Are you wondering if you should get rid of third-party vendors? There’s no need to take such a dramatic step, but you should plan to get more focused on knowing what third-party vendors bring to the table when working with your school or district.
Let the vetting begin
Vetting third-party vendors is like asking a teenager if they cleaned their room. As long as you don’t look under the bed or in the closet, everything looks good. The problem is, when you’re running a school, you have to really dig into those dark places no one wants to look at.
It doesn’t matter if you are hiring a new vendor or examining one the school has worked with for 30 years–the best way to get a baseline on a vendor is to run a risk assessment on them. Just like you assess physical risks to your school, best practice dictates that you apply the same rigor to the companies you work with and that have access to student or parent data.
While it won’t help you make sure the vendor contract is written fairly, a well-executed vendor risk assessment will help you understand how every vendor handle security and privacy. It will also uncover those vendors that pass all responsibility off to the school or district, and, conversely, those that will act as true partners that want to work with you if something goes awry.
4 key areas to focus your efforts
Once you’ve done a complete risk assessment and know who brings what to the table, there are four critical areas you need to focus your attention on to help minimize vendor risk:
1. The Contract: Your district is not going to cut a check to any vendor without first having a contract in place. But, when it comes to data privacy and breach specifics, what’s in that contract? Who owns student and parent data? If something does go wrong, what responsibilities does the district have vs. the vendor?
Questions such as these are critical to understand and agree upon before moving forward. State privacy laws vary, and you need to understand yours because they define what the school or district’s obligation looks like. For instance, in some states, if a data breach occurs, the party that notifies individuals of the breach is financially responsible for things like annual credit monitoring for the victims. This type of financial outlay can get very expensive for a district very quickly, so it is critical that you denote in your contract what obligations your vendor has to your district and school should a data violation occur.
2. Disaster Recovery: All of us have had the internet go out during a critical task. The same will happen at some point with your vendors. There is nothing wrong with asking – and in fact, you should ask – what happens if your service/product goes out? What’s the alternative? Your district or school is depending on your vendors, so work with vendors to create a responsible expectation for when services will be restored.
3. Data Destruction: Taking a page from Europe’s book, many U.S. states have adopted data privacy laws much like GDPR. California, Delaware, Illinois, Louisiana, Maine, and Texas are among those recognized as having the toughest data privacy laws in the country, and most have requirements stipulating that if data needs to be destroyed, it be destroyed everywhere – including with vendors and in backups. Work into your contracts that if data needs to be destroyed, you get it back from the vendor and do it yourself, or, if the vendor destroys it, they do so pursuant to NIST Special Publication 800- 88 guidelines. Either way, make sure there is proof that the data has been destroyed properly.
4. Vendor Privacy Policy: It’s an absolute *must* that your vendors show they are compliant with both the Children’s Online Privacy Protect Rule (COPPA) and the Children’s Internet Protection Act (CIPA). COPPA prevents vendors from collecting personal information from children under the age of 13, while CIPA blocks or filters internet content that is obscene or harmful to children. If a vendor can’t prove they are COPPA and CIPA compliant, find a different vendor. Period.
Third-party vendors help your schools offer fantastic services to your students. However, the fact that third-party vendor risk is one of the fastest-growing cybersecurity threats in the industry means that vetting your partners is more important than ever. You want partners that are in the arena with you, not just collecting a check. First and foremost, you have to assess the risk a vendor brings to your school or district. Then you have to get into the weeds to understand how they handle data, service delays, and privacy. If a vendor seems too in it for themselves and isn’t showing an interest in making you successful or keeping your students secure, keep looking.
A recent survey says HALF of businesses say they’ve experienced an IT security issue during the pandemic. With so many people working from home, how do you keep your data safe? Take a listen.
https://securitystudio.com/wp-content/uploads/2020/10/evan-home-security.png5391030SecurityStudiohttps://securitystudio.com/wp-content/uploads/2021/05/ss-logooo-300x42.pngSecurityStudio2020-10-06 09:10:002021-09-01 21:34:07FRSecure CEO Evan Francen on protecting your computer data at home
We are committed to providing free resources to help keep you, your business or organization, safe. We protect your information and never give it out to vendors.
Please also follow us on Linkedin to catch our latest updates. If you found this information helpful, please share with your community.
