Are you doing this to tackle cybersecurity attacks in your school district?
California K-12 districts are no stranger to cybersecurity threats. In fact, LA Unified, the second largest school district in California, has suffered two massive ransomware attacks just in the past year. These attacks, which have compromised the most sensitive school district data (e.g social security numbers, payroll information, and home addresses), put student and staff well-being at risk.
Hackers target districts of all sizes, posing a threat to small and large districts alike. Yet larger California school districts are more likely to report cyber attacks. As a result, Governor Newsom recently signed the K-12 Cyber Reporting bill in order to yield a higher number of reported incidents.
School districts not only have to secure their internal environment, but their third-party vendor software as well. Carl Hooker brought up this important point, writing, “You could have the most safe internal environment, but what happens if a company you are working with gets hacked?” This indicates that pre-procurement and renewal vetting creates an opportunity to improve district security.
Here’s what should be considered during the third-party software acquisition process:
1. The location you’re hosting from
Since it intuitively allows for greater control and visibility, on-premise third-party software seems like a safe bet. But this strategy is likely to fail when you consider how overworked IT staff is in most districts.
Instead, a third-party software hosted in the cloud and integrated with major providers such as Microsoft Azure, Google Cloud Platform, or Amazon Web Services, enables school districts to have scalable native security tools, physical and administrative safeguards, and automatic security updates.
2. Does the application layer have adequate security?
Third-party software applications should ideally use a web application firewall (WAF) to prevent ransomware attacks. A WAF filters, monitors, and blocks any malicious traffic traveling to the web application. WAFs also prevent any unauthorized data from leaving the app, which makes the application and its data protected in the future.
3. Is it externally validated?
To see how secure a vendor’s security measures are, K-12 districts can investigate their standard compliance procedures. If the vendor has been tested and certified in SOC 2 and ISO 2700, you can most likely assume that your data is accurately protected. If the vendor hasn’t been certified, districts can make up the protection difference with routine PEN testing from an external security company.
4. Encrypt your data and back it up
District data should always, always, always be encrypted. K-12 IT teams have a choice of either 2-way or one-way encryption, but encryption is key to data security. Additionally, K-12 IT teams should determine if their third-party vendor has redundancy procedures to backup data, in case a ransomware attack occurs. If the data is located in different locations, school districts’ data won’t be completely compromised if one location is attacked.
5. Consider non-technical factors
There are some non-technical efforts the vendor must utilize in order to support the district in the unfortunate event of an attack. It’s important to ask: has the vendor made any contractual service agreements for security? Any service agreement that protects the vendor from liability in the event of an attack should trigger additional scrutiny from school districts.
Furthermore, it’s important to understand the vendor’s insurance coverage around cyber-liability, in case a cyberattack were to occur. Having insufficient insurance runs the risk of harm for the district if the vendor becomes the source of an attack or data breach.
Lastly, it’s important to make sure that the third-party software understands FERPA requirements and has data protection capabilities that are aligned with student and family privacy needs.
Our recommendation for third-party software that takes K-12 cybersecurity seriously
Incident IQ has always kept student and district data security top-of-mind, as it was specifically designed for the needs of K-12. Incident IQ integrates with SIS and SSO platforms, and Incident IQ ensures that it meets FERPA compliance standards so it doesn’t compromise the integrated data from its secure platform.
As a cloud-hosted platform, Incident IQ integrates with all the most trusted names such as Microsoft Azure, Google Admin console, Jamf Pro, and so many more.
Additionally, Incident IQ hosts data through geo-redundancy measures so that data is backed up on multiple offsites. All personal data is protected with best encryption practices, whether it be hashed or 2-way encrypted.
Incident IQ also invests heavily, with time and resources, in internal employee training (e.g., phishing training) and external PEN testing to validate and solidify security measures.
Click to learn how we support teaching and learning in California K-12 school districts.