Cybersecurity continues to be top of mind in new ways that we might not have considered during “normal” times. One area that needed our attention then and now is vendor management. Especially with the mad dash over the summer to get many districts ready for at least some remote learning, there are a lot of new third-party vendors on the scene.

Pre-COVID, third-party vendors for schools and districts meant everything from transportation systems and student information platforms to applications like PowerSchool, Quizlet, and Google Classroom. Post-COVID, the term references all of that–plus things like COVID tracking and tracing programs.

Regardless of whether we are talking pre- or post-pandemic, third-party vendor risk is a serious thing. Ponemon Institute found that in the United States, 61 percent of data breaches were caused by third parties and vendors.

Are you wondering if you should get rid of third-party vendors? There’s no need to take such a dramatic step, but you should plan to get more focused on knowing what third-party vendors bring to the table when working with your school or district.

Let the vetting begin

Vetting third-party vendors is like asking a teenager if they cleaned their room. As long as you don’t look under the bed or in the closet, everything looks good. The problem is, when you’re running a school, you have to really dig into those dark places no one wants to look at.

It doesn’t matter if you are hiring a new vendor or examining one the school has worked with for 30 years–the best way to get a baseline on a vendor is to run a risk assessment on them. Just like you assess physical risks to your school, best practice dictates that you apply the same rigor to the companies you work with and that have access to student or parent data.

While it won’t help you make sure the vendor contract is written fairly, a well-executed vendor risk assessment will help you understand how every vendor handles security and privacy. It will also uncover those vendors that pass all responsibility off to the school or district, and, conversely, those that will act as true partners that want to work with you if something goes awry.

4 key areas to focus your efforts

Once you’ve done a complete risk assessment and know who brings what to the table, there are four critical areas you need to focus your attention on to help minimize vendor risk:

1. The Contract: Your district is not going to cut a check to any vendor without first having a contract in place. But, when it comes to data privacy and breach specifics, what’s in that contract? Who owns student and parent data? If something does go wrong, what responsibilities does the district have vs. the vendor?

Questions such as these are critical to understand and agree upon before moving forward. State privacy laws vary, and you need to understand yours because they define what the school or district’s obligation looks like. For instance, in some states, if a data breach occurs, the party that notifies individuals of the breach is financially responsible for things like annual credit monitoring for the victims. This type of financial outlay can get very expensive for a district very quickly, so it is critical that you denote in your contract what obligations your vendor has to your district and school should a data violation occur.

2. Disaster Recovery: All of us have had the internet go out during a critical task. The same will happen at some point with your vendors. There is nothing wrong with asking – and in fact, you should ask – what happens if your service/product goes out? What’s the alternative? Your district or school is depending on your vendors, so work with vendors to create a responsible expectation for when services will be restored.

3. Data Destruction: Taking a page from Europe’s book, many U.S. states have adopted data privacy laws much like GDPR. California, Delaware, Illinois, Louisiana, Maine, and Texas are among those recognized as having the toughest data privacy laws in the country, and most have requirements stipulating that if data needs to be destroyed, it be destroyed everywhere – including with vendors and in backups. Work into your contracts that if data needs to be destroyed, you get it back from the vendor and do it yourself, or, if the vendor destroys it, they do so pursuant to NIST Special Publication 800-88 guidelines. Either way, make sure there is proof that the data has been destroyed properly.

4. Vendor Privacy Policy: It’s an absolute *must* that your vendors show they are compliant with both the Children’s Online Privacy Protection Rule (COPPA) and the Children’s Internet Protection Act (CIPA). COPPA prevents vendors from collecting personal information from children under the age of 13, while CIPA blocks or filters internet content that is obscene or harmful to children. If a vendor can’t prove they are COPPA and CIPA compliant, find a different vendor. Period.

Third-party vendors help your schools offer fantastic services to your students. However, the fact that third-party vendor risk is one of the fastest-growing cybersecurity threats in the industry means that vetting your partners is more important than ever. You want partners that are in the arena with you, not just collecting a check. First and foremost, you have to assess the risk a vendor brings to your school or district. Then you have to get into the weeds to understand how they handle data, service delays, and privacy. If a vendor seems too in it for themselves and isn’t showing an interest in making you successful or keeping your students secure, keep looking.

Read the original post here

A recent survey says HALF of businesses say they’ve experienced an IT security issue during the pandemic. With so many people working from home, how do you keep your data safe? Take a listen.

Evan Francen Home Security

Original podcast

Ryan Cloutier joins CBS Minnesota to talk about Protecting Students Online

If a student from your school had someone knock on their front door, ask for personal information and offer to give them a treat in exchange for that information, what would happen? It depends on the child, but what you know for certain is that your district or school has been teaching stranger danger since that child was in kindergarten, so the odds are good that the interaction would raise a red flag for the student.

Why is it, then, that students are posting videos and photos on TikTok, Instagram, and Snapchat without any concern that their school name or home address is displayed prominently in the background?

The reason is simple: we – parents and educators alike – aren’t adequately teaching our kids cyber life skills designed to protect them online.

Read full article

Cybersecurity has always been a high priority for K-12 administrators and staff, but with the rapid push to remote learning brought on by COVID-19, school leadership has had to consider how to educate through the lens of cybersecurity.

While school years are closing up for the 2019 – 2020 year, it’s still unknown what our learning environments will look like for the 2020 – 2021 school year. Let’s look at 10 things that K-12 schools must focus on – whether the next school year takes place in person or via remote learning.

1. Perform A Risk Assessment
You’re already doing risk assessments for severe weather, fire, or other types of crises and emergencies. Do the same for your technology resources. This will give you the visibility you need to identify areas of concern. Don’t be surprised if your assessment finds that you have more systems than you realized. For instance, many administrators are surprised to learn that computers are controlling other systems such as door locks or cameras.

Read the other 9 must-dos in the full article

Ransomware attacks increased 65 percent between 2018 and 2019.

The bad actors in this situation are business people who are attacking using campaigns like a sophisticated marketer: with catchy subject lines, smart keyword analysis and even compelling calls to action. They prey upon topical issues – such as the current Novel Coronavirus-19 pandemic – to take advantage of our fears, uncertainties and doubts. But, unlike COVID-19, there is nothing novel about their attack tactics. They use the same approaches that they have for decades for one simple reason: because they work.

Today’s environment is a perfect storm for attackers. Our teams are scared, tired and overwhelmed, leading them to be more distracted than usual. This includes all our IT and cybersecurity teams too. We’re not in our normal office environment where we can more readily watch systems for nefarious traffic.

Following are three approaches to help manage cyber risks.

Find the ‘Three steps to improving your cybersecurity’ in the full article

Security Company Aims to Provide Practical and Actionable Information in an Easy-to-Understand Manner

Minneapolis, MN – April 6, 2020 – SecurityStudio, the provider of simplified solutions to secure organizations, employees and individuals, today announces the launch of its K12 Cybersecurity Podcast. The podcast, hosted and created by SecurityStudio’s Principal Security Consultant, Ryan Cloutier, aims to provide timely, practical and actionable cybersecurity tips and advice in an easy-to-understand manner for the K12 audience.

“The K12 Cybersecurity Podcast is a passion of SecurityStudio’s and mine. By hosting this podcast, we’ll be able to provide extremely practical information that’s easy for school administrators, IT staff and educators to act on. We want to avoid the tech jargon because, let’s be honest, it’s too much to take in,” said Ryan Cloutier, Principal Security Consultant at SecurityStudio. “Our mission with the podcast is to further awareness and protection for everyone.”

With a focus on risk and doing what you can to protect students and schools, K12 Podcast listeners will be able to enhance their security aptitude quickly and easily. Through discussions with top experts and thought leaders from K12, higher ed, state and local government, and information security, listeners will receive practical and actionable advice that’s easy to put into practice. At 20 – 30 minutes each, the episodes are designed to provide the right dose of security to keep listeners on their toes and safe from cybercrime. Initial discussion topics include:

  • Current events impacting K12
  • Information security 101 – discussed in regular words
  • How to prepare for ransomware
  • School board policy, IT security policy, guidelines and procedures: why are they different?
  • Cyber-liability insurance

Do you have a topic that you want to discuss? Or would you like to propose an expert to join the discussion? Send your questions and suggestions to:

The K12 Cybersecurity podcast is a part of SecurityStudio’s mission to fix the broken information cybersecurity industry while serving those most in need of protection. The podcast is available on Apple Podcasts, Spreaker, Spotify, iHeartRadio, Google Podcasts, Castbox, Deezer, Podcast Addict and Podchaser.

About SecurityStudio

SecurityStudio exists to fix information security industry problems through simplification. The company understands that information security is not about information or security as much as it is about people. SecurityStudio empowers people to understand, measure and manage information risk by developing and providing simple tools and scoring systems that are cost-effective.

Media Contact:
Sarah Hawley
Mockingbird Communications for SecurityStudio

Cybersecurity company puts mission before money to help people work from home safely

Minneapolis, MN – March 18, 2020 – The Coronavirus (COVID-19) pandemic is forcing organizations of all sizes to close offices and shift operations. In order to limit the spread and impact of the disease, employees are working from home in unprecedented numbers. It’s clear that information security must become a high priority at home, and SecurityStudio is committed to meeting this challenge head-on.

SecurityStudio is making available two first-of-their-kind tools at no cost, S2Me and S2Team.

S2Me is SecurityStudio’s personal information risk assessment tool. This unique tool is designed to assess, educate, and motivate home users to adopt good information security habits. S2Me will be available at no cost indefinitely. S2Team is SecurityStudio’s risk assessment portal that gives organizations unprecedented insight into employee information security habits at home without violating their privacy. S2Team will be no cost to all organizations for (at least) 90 days.

We’re in the midst of a perfect information security storm. First, people are justifiably preoccupied by the pandemic which makes them less likely to be paying attention to information security. Second, attacks are always more frequent during large-scale events like Coronavirus. Third, protections at home are not as well understood or managed, generally, as they are in a corporate setting.

Making our tools freely available is one of many efforts we’re undertaking to help people where it matters most. Our mission always comes before money, and right now our mission is to take care of each other by making sure people can work at home as prudently as possible.

Evan Francen, CEO of SecurityStudio

S2Me and S2Team were first introduced in mid-2019, and both tools have received strong customer support. The company is expecting to issue its latest gamified and mobile-friendly version of S2Me in Q2 2020. To learn more about S2Me, please visit S2Me. To learn more about S2Team, please visit S2Team.


At SecurityStudio, mission always comes first. Most significant to our mission is the well-being of the people we serve. That’s what information security is all about—it’s all about people. We often preach that information security isn’t about information or security as much as it is about people. If people didn’t suffer when things go wrong, then nobody would care.

Over the past few months, the rise of the coronavirus pandemic is something that’s gone terribly wrong. People are suffering, and we at SecurityStudio care. The reality in today’s world is that information security, privacy, and safety cannot be treated as separate issues; they are blended together and inseparable.

SecurityStudio must and will remain vigilant in doing all we can to serve each other and our customers as well as we are able.

Our organization has always been more than an information security consulting company; we are a partner with our customers. Partners are there for each other in times of need, and SecurityStudio is here for you now. Sadly, attackers will take advantage of the coronavirus pandemic for their own selfish gain. Attackers know that many of us are preoccupied, and they will strike at their most opportune time. I’m writing to assure you that SecurityStudio stands ready and to share how we intend to serve you during the pandemic.

In accordance with the most recent World Health Organization (WHO) and government advice, SecurityStudio will be taking the following precautionary measures to reduce risk to our personnel and our customers:

  • SecurityStudio offices will remain open; however, we have instructed all personnel to work from home whenever possible. SecurityStudio personnel have always enjoyed the advantages of being part of a mobile workforce, so this is no disruption to normal business operations.
  • If any SecurityStudio employee or employee’s family member recognizes even the slightest coronavirus symptom(s), that person has been instructed to seek medical attention as soon as possible and NOT come into physical contact with anyone until receiving clearance from qualified medical personnel.
  • SecurityStudio will conduct customer work remotely as much as is possible. If there are occasions when work cannot be done remotely (rare), SecurityStudio may postpone or delay the work for a time period necessary to ensure everyone’s safety. SecurityStudio will never encourage anyone (employee or customer) to do anything that they are not comfortable doing or something that may cause harm.

The most common services we get asked about during and after significantly disruptive events (including the coronavirus pandemic) are securing remote access, business continuity planning, disaster recovery planning, incident response, and risk management. We will be providing as much free stuff and writing as much content as we can for you in the coming days/weeks. If there is something specific that you would like to see from us, let us know!

Additionally, here are two resources that you might find helpful now:

  • The Centers for Disease Control and Prevention (CDC) Interim Guidance for Businesses and Employers
  • The free S2Me tool. S2Me is our personal information security risk assessment. With the increase in people working from home, personal information security is more important than ever. The S2Me tool helps people learn to protect themselves and their families better.

In closing, I want to thank you for the trust you’ve put in us as your information security partner. SecurityStudio does not expect any significant disruption in services during and/or after the coronavirus pandemic. The only significant change will probably be our inability to see you in person (for now).

Please contact us if there is anything we can do for you, including if you have any questions about the contents of this message.

Thank you and God bless,

Evan Francen
SecurityStudio CEO, on behalf of the SecurityStudio Team