Cyber Liability – Risk Management Best Practices for Montana Public Schools
By Matt Komac, MSGIA Assistant Director for Property & Liability Pool Operations
The hacking community has increased its focus on public entities, which typically hold sensitive data and lack the resources needed to invest in cybersecurity. As a case in point, in August 2019 it was reported that the computer systems of 23 small Texas towns had been hacked, seized, and held for ransom in a widespread, coordinated cyber-attack. To be sure, this is the type of event we wish to help prevent in our K-12 public schools in Montana.
One of our primary risk management focuses over the last few years has been cybersecurity, and it continues to hold a top spot on our radar. In addition to sponsoring speakers at various conferences, we also worked with the Center for Internet Security to develop a Network Security Survey that was distributed to all of MSGIA’s Property & Liability Pool members. We then followed up with your IT staff last year and had them complete the survey a second time, and we were pleased to see some of the changes that had been implemented in that 12-month period.
Most schools have spent considerable effort analyzing the sensitive data they hold in their systems and determining the best methods to protect that information from unauthorized disclosure, but there is almost always room for improvement. I have outlined below relevant concepts and considerations that school districts can employ to better evaluate their data-gathering strategies and to determine whether that data is, in fact, safely stored in their systems.
- Know where you keep PII (Personally Identifiable Information) and PHI (Private Health Information) on your computers and network servers. Personal information is defined in MCA 30-14-1704.
- Only keep the data required in these two areas, and be certain to delete the rest; retained data quickly becomes a liability for your district if it is lost through unauthorized access in a data breach.
- Segment your computer network, if possible, to keep IEP, health, and PII records in a part of the network that is not connected to the internet.
- Apply all software patches when they come out. Patches are released to fix problems in software that can be exploited by bad actors. Having an automated distribution system for patches can help increase both the speed of patching and compliance with this recommendation.
- Require strong passwords that can be changed on a periodic basis – remember, longer passwords are stronger passwords.
- Have your internal IT director or contract vendor maintain good network logs and, as part of this effort, instruct them to be vigilant about watching for unusual activity on your network, such as login attempts at unusual times of day or days of the week. The District’s monitoring should also flag repeated unsuccessful login attempts and deny further access once a set number of failures has occurred.
- Train staff on phishing scams, followed by a live test to gauge understanding and compliance. The goal is for staff to resist the urge to “click” on that shiny penny link in an email.
- Conduct periodic penetration testing of your district’s computer network. Hiring a “white hat” hacker group to test your system for vulnerabilities can cost a couple of thousand dollars, but it can also provide very valuable information and thus help your team address improvements in your district’s digital security platform.
- If your District utilizes cloud-based services that track student information and/or the school finance systems, then consider contract language that does the following:
  - Asks for indemnification from the cloud provider if the cloud suffers a data breach resulting in litigation due to an individual’s loss of information;
  - Includes additional language stipulating that the cloud service provider’s cybersecurity policy covers those actions; and,
  Additionally, though the service provider may not agree to such clauses, remember that negotiating these important points in a contract is in the District’s best interest.
- Because network backups need to be maintained and tested regularly, you should weigh the benefits of a backup system that is not permanently connected to the network. Keeping that separation allows the district to restore from backup if data or devices are corrupted through unauthorized access.
- Block known malicious IP addresses/countries unless whitelisted for specific school district needs.
- To assist in preparing for and responding to events that can occur in this critical area, be sure to review your cyber liability coverage with your insurance provider and utilize the resources available.
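The log-review point above (watching for logins at unusual times and denying access after repeated failures) is easy to state and easy to get wrong in practice, so here is a small, added example, written for this article and not taken from any MSGIA or vendor tool. It parses a handful of constructed authentication log lines in an assumed “timestamp user source result” format, counts failed attempts per account inside a sliding window to find accounts that should have been locked out, and lists successful logins that fall outside assumed business hours or on weekends. The threshold, window, and business-hours values are placeholders for the district’s own policy.

```python
"""Two review checks over authentication logs: accounts that should have
tripped a failed-login lockout, and successful logins at unusual times.
The log format and the policy values are assumptions for this example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not from a real system). 2019-09-09 is a Monday;
# 2019-09-14 is a Saturday. Format: ISO timestamp, username, source, result.
SAMPLE_LOG = """\
2019-09-09T07:55:12 jsmith 10.10.4.21 SUCCESS
2019-09-09T08:02:41 mjones 10.10.4.33 SUCCESS
2019-09-09T08:10:03 mjones 198.51.100.7 FAIL
2019-09-09T08:10:09 mjones 198.51.100.7 FAIL
2019-09-09T08:10:15 mjones 198.51.100.7 FAIL
2019-09-09T08:10:22 mjones 198.51.100.7 FAIL
2019-09-09T08:10:30 mjones 198.51.100.7 FAIL
2019-09-09T08:10:37 mjones 198.51.100.7 FAIL
2019-09-09T12:30:00 jsmith 10.10.4.21 FAIL
2019-09-09T23:47:18 admin 203.0.113.9 SUCCESS
2019-09-14T10:15:00 bwhite 10.10.4.50 SUCCESS
"""

# Assumed policy values: lock after 5 failures within 10 minutes, and treat
# 06:00-19:00 on weekdays as normal hours. Adjust to district policy.
LOCKOUT_THRESHOLD = 5
LOCKOUT_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = (6, 19)


def parse_log(text):
    """Turn the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "src": src,
            "ok": result == "SUCCESS",
        })
    return events


def lockout_candidates(events, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Return {user: peak failure count} for accounts whose failed attempts
    reached `threshold` inside any sliding window of length `window`."""
    recent = defaultdict(deque)   # per-user timestamps of recent failures
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ok"]:
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        # Drop failures that fell out of the window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["user"]] = max(flagged.get(ev["user"], 0), len(q))
    return flagged


def off_hours_logins(events, hours=BUSINESS_HOURS):
    """Return (user, source, timestamp, reason) for successful logins that
    happened on a weekend or outside the assumed business hours."""
    start, end = hours
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not ev["ok"]:
            continue
        weekend = ev["ts"].weekday() >= 5          # Saturday=5, Sunday=6
        after_hours = not (start <= ev["ts"].hour < end)
        if weekend or after_hours:
            reason = "weekend" if weekend else "after-hours"
            findings.append((ev["user"], ev["src"], ev["ts"].isoformat(), reason))
    return findings


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for user, count in lockout_candidates(events).items():
        print(f"LOCKOUT: {user} had {count} failures inside {LOCKOUT_WINDOW}")
    for user, src, when, reason in off_hours_logins(events):
        print(f"REVIEW: {user} from {src} at {when} ({reason})")
```

On the sample data the first check reports mjones (six failures from one outside address within 34 seconds, which should have produced a lockout at five), and the second check reports the late-night admin login from an outside address and the Saturday login by bwhite; jsmith’s single midday failure is below the threshold and not reported. Whoever reviews the logs still has to decide whether each finding is legitimate, but the point of the checks is that these entries get looked at rather than buried among routine logins.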
The ideas presented above are meant to create a base program that addresses many of the key areas of school cyber risk. As you develop other new aspects of your risk management plan, reach out to the MSGIA so we can share your good ideas with all MSGIA members. Because the cyber liability risks for schools are continually changing, schools need to keep this area of risk a constant point of focus. The MSGIA will be here to assist our members with this risk and all of the risks related to your school operations.
Fall 2019 Newsletter