With cybersecurity a ballooning top concern for ed tech leaders, the severity and scope of K-12 cyberattacks is also growing. Districts are also sorting through a time when school officials remain on high alert.
School safety protocols vulnerable to cyberthreats can include building maps, evacuation plans, security camera layouts, network architecture and more.
Should these plans leak to the public following a cyberattack, there are strategies districts can use to avoid or better handle such a situation. We spoke with school safety and K-12 cybersecurity experts, who shared the following four approaches for navigating the threat.
Store safety plans on a separate, more secure server
In a lot of cases, school safety documents go into a file share server, which is a computer that stores and manages data files allowing others on the same network to remotely access, said Amy McLaughlin, an information security expert with the Consortium for School Networking.
“They may have limited access, but people don’t necessarily plan in advance for what level of security and separation do we need for those items to have from the rest of our systems,” McLaughlin said.
When planning how to store and protect a school safety plan, McLaughlin suggests districts start to consider a clear list of goals: “What are your requirements? Does it have to be secured to only five people? Does it have to be accessible 24/7? Do you have to have access from multiple locations?”
Once those requirements are established, districts can then decide where to keep the records, she said. One option is to put the plans in a separate cloud environment from a school’s typical network storage. Leaders can then limit access and own that storage space very carefully, McLaughlin added.
Storing physical copies of the plans is an option, as well, she said, but that can pose several risks. Hard copies can be subject to fires, accidental recycling or overall potential exposure.
However, districts could also consider implementing both, McLaughlin said. “An option is to have it secured in a separate location in the cloud or segmented off in your network with very tight controls, and have a physical copy stored in a safe deposit box in a bank or a fireproof safe in another location.”
Balance publicly shared information
While it is most certainly not recommended, Trump said he has seen several cases where districts still put their emergency plans on their websites.
But even on a smaller scale, districts still share their class or bus stop schedules for the public to easily find, he said.
“Who needs to be able to get that information?” Trump asked. “Someone with ill intentions can now identify kids are in transition for these three minutes.”
Overall, Trump often asks districts to reevaluate the kind of information they share on their websites.
McLaughlin said this issue also reflects the challenge districts face when trying to balance between being a public service organization and being secure. If a school principal or superintendent publicly shares their schedules online, for instance, that can pose a cybersecurity risk from the information being manipulated, too.
“Fantastic information for the public, like ‘I’m out there, I’m doing things,’” McLaughlin said. “Horrible information in terms of protecting your district from phishing attacks because of how easy it is to scrape that data.”
t’s also important to periodically revisit safety plans, McLaughlin said, especially if that information is exposed. That can include changing evacuation routes or remapping where cameras point.
“Rethinking what our patterns are in these safety plans is going to be really important,” she said. “Maybe have a couple of different safety plans that you’re rotating through.”