Cybersecurity Tips & Insights for International Schools

By Rob Zangara, ISS Director of Information Technology

It is safe to say that cybersecurity should be a concern for all types of organizations. International schools in particular come in many forms and sizes, and available resources can vary significantly, so it’s important to establish a sensible IT security posture that is a good fit for the organization.  

While there are many resources available related to general best practices, most of these tend to focus on enterprise companies with sizable budgets. For many international schools, budget can be an especially limiting factor, so we’ve highlighted some of the common-sense areas to consider when deciding what can and should be done to protect school organizations from cybersecurity risks.

Security Awareness

Cybersecurity incidents very often originate because of an inadvertent human action, like clicking on a malicious link in an email, falling for a phishing scam, or sharing passwords. Security awareness training can be one of the most important steps to consider for schools to prevent breaches. Depending on budget, this can be offered at the most basic level by distributing educational videos and links related to security risks. Ideally, security awareness training service subscriptions that provide regular up-to-date training resources and testing can be very helpful.  

It is important to include staff and students in this type of activity; anyone who has access to sensitive electronic information can potentially put the school organization at risk.

Vendor Management

It is increasingly common for schools to utilize cloud-based systems instead of hosting their own servers and applications, particularly when it comes to Learning Management Systems (LMS), Student Information Systems (SIS) and backend Enterprise Resource Planning (ERP) systems.

In terms of cybersecurity, this means that schools should be focused on managing vendors. Since these systems typically include most of the sensitive data for schools, taking the time to perform due diligence around cybersecurity when selecting new vendors can be very helpful towards ensuring good practices and stability. For existing vendors, regular reviews should take place with some emphasis on updates and changes to their security posture. It is important to ask for documentation related to their infrastructure, incident response plan, testing and disaster recovery process, but perhaps even more important to know what proactive steps they are taking to protect data and prevent attacks and breaches.

All vendors should also be expected to provide and/or support strong password policies and multi-factor authentication (MFA) for all applications. Should an incident or breach occur, insist on detailed incident reports from the vendor(s) involved, including root cause analysis, response efforts and preventative steps taken. 

Third-Party Support

While basic endpoint protection against viruses, malware and other attack vectors on user devices is the norm for most organizations, additional steps can be taken to proactively monitor the cybersecurity attack surface of a school. Unified security management solutions can provide deep security inspection, detection and response capabilities. However, these tend to be expensive and require some expertise to implement and maintain. As significant security incidents are (hopefully) not everyday occurrences for most schools, onsite technology staff expertise is typically limited.

It often makes sense to look for a trusted third-party security service provider that can be engaged from time to time for overall planning assistance as well as if an incident occurs and a response plan is needed. These partners can also usually assist with penetration testing, vulnerability scans and product selection.

Tabletop Exercises 

Finally, tabletop exercises can be very helpful for schools to think through cybersecurity scenarios in a role-playing environment. Many organizations schedule these annually to facilitate the determination of key risks and appropriate responses to cybersecurity incidents. While it can be helpful to have a third-party facilitator for these types of activities, it is not required.

For schools, these can be included in a broader security planning session and discussion. Since many schools frequently review and evaluate physical security in this way, it is natural to also introduce a cyber component to the overall analysis. Tabletop exercises should result in strong policies, response plans and an overall better understanding of risks and priorities for the organization. 

For Consideration

When it comes to cybersecurity, there is not a “one size fits all” approach for international schools. Depending on the size, risk tolerance, and budget for a specific school, the above-mentioned steps can be considered to protect data and organizations from accidents as well as bad actors. We hope that some combination of these can be useful in defining a strategy that is the right fit.

You can connect with Rob on LinkedIn.

This article was originally published in the April 2025 edition of ISS Newslinks.