0:04 

Hello, welcome today. Welcome to our discussion today on Cybersecurity in K 12. My name is Klaire Marino. I’m the Vice President of Product Marketing with Lightspeed Systems, And thank you so much for spending some of your time with us today. 

0:19 

I have an amazing panel here of experts for this webinar. Our webinar today is entitled: Cyber Nightmares: Attacks, Breaches and Leaks. 

0:29 

But I feel confident that you will leave this session today with insights and actionable, actions that you can take with your district as early as tomorrow. 

0:43 

Before I dive in, I want to remind you that we do have time at the end of the webinar for questions. We want to hear from you, we want to hear your questions. 

0:54 

Troy, and John will be ready to answer them, so please enter them into the chat as we go, and we will, we will leave time for that. 

1:03 

All. So, first, I want to introduce our panel. 

1:08 

Today we have Troy Neal. He is the executive director, Cybersecurity, and IT Operations at Spring Branch ISD in Houston, Texas. 

1:18 

And then, we also have John Genter, who’s the VP of Security and Cloud Operations at Lightspeed Systems. 

1:25 

I’m going to hand it over to you, Troy, so that you can kind of give a little bit of your background for our audience today. 

1:31 

Sure, so just were Spring Branch ISD we are located in Houston, Texas, We’ve got about 35,000 students with about 6000 staff members were what’s called a property rich school district, which means there’s some funding problems. We send about $75 million back to the state of Texas, which means challenges for people in IT. So, I’ve been in the IT industry for about 20 years. I’m on my third career, as I tell everybody started in the military, in the Marine Corps, owned my own business consulting, and then what I, So, everybody, I just wanted, enterprise. We’re larger than most enterprises in K-12. And so, I treat it an enterprise end of the day. we’re in education, and so, I spent years understanding the operational side of K-12. 

2:15 

Great, Thank you, Troy. And, John, please introduce yourself. 

2:19 

Hi, I’m John Genter, Vice President of Security and Cloud Operations at Lightspeed Systems. 

2:24 

I’ve been with Lightspeed coming on 17 years. So, I’ve been on this journey a long time with our, our Lightspeed folks. 

2:31 

I’ve done everything through customer service, customer success, support, and recently, most recently, as Security and Cloud Operations — came out of the fact that I did most of our privacy and security programs and things. 

2:49 

I also spent 22 years of my life as a school board trustee, and that was on a small school district of about 3500. So Troy a little bit smaller than your district, but I suspect many of the challenges are the same, funding certainly being one of them. And in those 22 years, was able to really play, I think, an integral part in the technology rollout of the district and making sure that we thought about the things and did the things. 

3:19 

Certainly the challenges today are much different than they were 20 years ago. 

3:24 

But I think that, uh, the thing that hasn’t changed is IT staffs are typically underfunded in schools and that’s a big challenge. 

3:36 

Definitely. 

Great, so let’s talk about those changes as we jump in here. 

3:45 

You’ll see in this graph, but there’s been this dramatic increase in cyberattacks, and, in the last, I’d say, what, 4 to 6 years? So, let’s start with this question: Why do you think K-12 districts are so appealing to these cybercriminals? And what are, what are you seeing? 

4:06 

What types of attacks are you seeing? 

4:11 

Sure, you can jump on it. 

4:13 

Yeah, yeah, I’ll definitely start with this one. Because you have the internal and external threats. So let’s start with the external. It’s, it’s about profit data, selling data, and now it’s back to public. 

4:25 

So at the end of the day, it’s profit and money. And especially in K-12, it’s identity. You’re getting someone’s identity, which there’s a high value for. So I think that that’s your threat,?And people know that. 

4:37 

And then you take the facts: underfunded, understaffed, don’t have tools, process, policy. So you’ve got that kind of external factor there. Then let’s go inside it. And if you look at the slide deck: data breach, DDoS invasion, 

4:53 

insider threat. We’re DDos’ed all the time, especially during testing windows. Because kids don’t want to take tests. Actually, no malicious intent, but they just don’t want to test. 

5:02 

But then, you have internal threats. Kids want to try to find access. So you have these kids that one could be bored in class to just want to try something to the ones that have malicious intent. So, insider threat and issues there are probably more concerning the external. But they’re both there and so you’ve got to factor all that into your strategy, your roadmap, buy-in training, et cetera, et cetera. But, end of the day for external, it’s money. 

5:31 

Yeah, I think too, the threat actors believe schools are vulnerable and the underfunding they think they’re good targets, there’s, uh, payroll systems in schools that the bad actors want to have paycheck sent to them. And then, I think, at the end of the day, and Troy said this, there’s valuable information there. If you can get a kindergartener, social security number and information. You’ve got 15 years that, you can be running, and you’re not going to probably see credit checks run against those accounts, and the bad actors know that, and see, that is highly valuable data. 

6:09 

That makes me think I need to go in and check all of my children’s social security numbers shine. Some of the firms are actually offering that. Now, where you can monitor your kids, social security numbers and things, so not a bad idea to look into. 

6:24 

Yeah, definitely. Let’s see. 

6:29 

So, from a biggest threat perspective, what do you see? I mean, I think you touched on this a little bit, but is it malware, DDoS, Student data breaches? Where are we seeing them that’s happened with your peer institutions? And what are you talking about with your colleagues? 

6:51 

It’s all the above. I mean, I don’t think there’s not a specific one, It depends on the target, and the goal, So DDOs has common Especially internal versus external. I mean, you still there, but more that. Now it’s malware ransomware. 

7:06 

Because you want lateral movement in etcetera. So, I think, that external factor, I said, there, are always looking for your external vulnerability. First is how they get in the door, we all clicking links. 

7:18 

The number one vector in any organization is through spam. Somebody clicks on the link, and it’s gotten creative. Over the years, it’s harder and harder to find it. And that’s back to awareness, training, or training, and it’s everyone’s responsibility. And a little bit talking, kinda inside of things, we talked, and John talked about, elementary school kids. 

7:39 

It’s, as adults, we’re afraid of, no, kids can’t remember long passwords and all this stuff, kids are so far ahead of the visual world, the adult or in the way of some of this stuff. Back to education, digital citizenship, teach them the right and the wrong, and their responsibility to help this. 

7:57 

Because we’re all in this together. 

8:01 

8:04 

Yeah, I was gonna say, that’s kind of a good segue to my next question, which is about starting to think about, we’re moving from the threat to, or what are some of the things that districts could be doing? 

8:15 

And, if we, if we talk first about, I’m interested in just some immediate, kind of, simple, low-lift things. What would be kind of 2 or 3 in that area that districts should be doing, as, as soon as they get off this call? If they’re not already, what would be your recommendations there? 

8:36 

Number one is awareness, and it’s everyone’s responsibility, That’s our message in our organization, at the board level, senior leadership level, every level. It’s everyone’s responsibility. Training, training, training, and awareness. And don’t be afraid, ‘if I clicked on something, tell somebody.’ ‘See something, Say something,’ It, applies in technology as well. Patching, everyone, patch, patch, patch, those are simple things to do, that, low hanging fruit. 

9:02 

Passwords. And you get the wrong philosophy of password lists versus, cryptic passwords, phrases. I mean just have policies in place first. And then communication. Leadership buy-in. Don’t be afraid to speak up. Say something with senior leadership with your cabinet. They need to understand, because we’re in this together, and because they help drive some of this policy. They can help drive that change. Here’s why we’re doing it, in K 12, my role is risk awareness, risk mitigation. 

9:38 

There are certain things that I don’t believe we should do, in a security role, And our security function, or policy, because it’s not best for kids. And that’s a risk we take as an organization. 

9:51 

Because end of the day, we’re here to educate kids. And so, there’s mechanisms we won’t put in place because it’s not best for kids. But you have to be OK with that. But, leadership needs to understand what that risk looks. And don’t be afraid to say what it is. Because today, we all have to. 

10:10 

So, that’s just some low-hanging stuff. 

10:13 

I would add, to that, too, I think people can be intimidated by cybersecurity, and feeling like they have to be a cybersecurity expert. I like to share, you need everybody to be cyber aware. 

10:27 

And not cyber experts, Troy said it well, know who to ask. This doesn’t feel, this doesn’t look, right, ‘who do I ask?’ That’s cyber aware, you don’t need to know how to solve the problem. But cyber awareness for staff and students, I think, is very important. 

10:44 

I think another thing that can be done fairly straightforward wise is adding multifactor authentication at, say, the district levels, and on district systems. It’s a little harder to probably rollout across the school district of 35,000 students and all, but, if you tackle it as a small component, and just look at those business systems, I think that’s a big win. 

11:08 

Yeah. I’ll add one more low hanging fruit that we do. We have a very stringent onboarding process for software. 

11:13 

And in that is an entire technical requirements section that we vet from integrations to standards, to where’s the data can live? Destruction of the data, and then we even had the cybersecurity pieces of do you have insurance, and we had a breach, what, what models Do you follow us?. we’re asking our vendors the same exact questions that we want to ask ourselves. 

11:39 

Yeah, that’s great When you say vendors? Who do you mean there? 

11:45 

So any any kind of vendor fiscal vendor or vendors. If the, Fortunately, a couple of years ago, or Texas passed legislation which required, the having a cybersecurity coordinator, adopted cybersecurity policy, reporting a breach, and then we added cybersecurity awareness training. 

12:07 

And, so, we would hire contractors do the same training, because if you’re going to access the system, then let’s make sure they understand the basics of what to look for. 

12:14 

I mean, it’s actually back to awareness and training, but yeah, all parties involved If they’re going to either access the system or want any kind of information or data from us, here are the requirements. 

12:27 

Yeah, great, great. Let’s move from the low hanging fruit to kind of more longer-term plans that you have implemented Troy maybe, or something that you’ve seen. Johnson, some of the, some of the steps districts might be thinking about for the next 12 months plus. 

12:45 

Sure, I’ll start with some of those. Backup backup, backup, backup, I’ve got a five tier strategy. I’ve got Air Gap Solutions. And our Colo and our DR site. I’ve got good old USB hard drives, the most critical. I’ve got a Cloud copy as well in multiple cloud providers, backups, everything, also, validating your backups, and the strategy. But, I mean, overall, you’ve got to start with a strategy and a roadmap. And your frameworks, where do you want to go on? The big, the big thing now your trust is how do you get to zero trust? 

13:15 

The best you can in K-12 because there’s certain things you’re not going to be able to do in K-12 with zero trust. Visibility, information, how to use that information. 

13:24 

Automation and process, what tool sets can you do and bring in to help automate and orchestrate those things, so you take the human factors out of it. 

13:34 

Pretend I’m, I’m sure you might agree with this, too. That it can feel overwhelming when you look at how to do all of this. But you have to begin by really identifying what are the most critical systems that you need to protect, and then focused on protecting those, and then expand out from there. 

13:51 

Clearly, backups of that most critical data and air gap, those are paramount to being able to recover quickly, should something happen. 

14:00 

So, I think, if somebody hasn’t started down this journey already, making sure that they start by understanding what is the most important thing to protect. 

14:10 

Yeah, and then I’ll add, incident response plans. You’ve got to tabletop exercise, incident response plan. You identify your source systems for your organization, and then, who owns those systems. And then you didn’t have conversations with those owners of, actually ‘what does that mean?’ And then how do you vet those? How do you make sure your privacy policies change with some of your providers. How do you stay on top of that? It’s a village. We’re all in this together. 

14:38 

There’s help out there, partners, or vendors, there’s vast resources information, and people to help you, ask for help. 

14:49 

We had a question set up around, your edtech provider and privacy policies. Lightspeed did an Edtech app record just recently that found that 91% of the application students used, changed their privacy policies at least once in the past school year. 

15:14 

So, why, why is monitoring privacy policies important? 

15:20 

Is that a part of your cybersecurity strategy, Troy? 

15:24 

Oh absolutely, we own CatchOn, Lightspeed Analytics, I think is what we call this now, shadow IT. We have over 4000 applications being used. And so, it’s a vast catalog of applications. And there’s great use, and need for those, but you need to know what they are. So: privacy policy, governance. Who has the data? Who has access to data, and one of the facts that we talked about now, especially in this climate, is our external factors are parents. The world of, no transparency, ‘What are my kids doing?’ all that now expanded out to parents.  

15:58 

Parents are more involved and what their kids are doing inside the school, from every facet. So, knowing what those updates look like because, there’s been some changes, even, say, Google where it’s gone from, 13 and up to now 18 up, And so are you use those applications? Have you made those adjustments? But, if you’re not paying attention, you are not watching these. And, so, some of these policies and changes might have happened, and now, you’re out of compliance, from a regulatory standpoint, from a legal standpoint. And, so, you’ve got to have that kind of visibility. 

16:30 

Yeah. 

16:31 

And, I think in the privacy world because the landscape is changing daily, states are passing privacy laws, internationally there’s new privacy laws. 

16:41 

We look at privacy policies that haven’t been updated in the last two years and throw a red flag. It’s, Whoa, they haven’t got an update here. What are they doing? Are they paying attention?  

16:51 

So, these updated policies are going to happen more frequently, because companies are trying to react to the changes in the laws and all. 

17:01 

I know, when I was a trustee, my IT staff was horribly overworked. They didn’t have the resources to go chase, and, and all of a sudden now, they’re going to have to keep up with privacy policies and the changing on a regular basis can be a little bit of an overwhelming thought and process. 

17:22 

Then the other thing is, they’re probably not legal experts. So, how do I read through all of these privacy policies and even figure out what changed. That’s a big deal. So, glad Troy mentioned our Lightspeed Analytics CatchOn edition, because it’s been part of that product is to try to surface these and to make sure that schools can easily see when a privacy policy got updated and be notified of that. And then I think maybe, more importantly, to highlight the sections of the policy that changed, and then to evaluate that and say, does that mean something to us? Does that conflict, with what our district policies are or aren’t? And if it does, then maybe there’s a decision point there. If it doesn’t, it’s still within the guidelines? Great. You can quickly use it or continue to use it. 

18:06 

But it’s a very quick assessment, kind of, brought to you, instead of having to keep on top of every one of your vendors, and then going through did it change? When did it change? What do I have to do? 

18:18 

Let me add one more thing to that, too. Is also, making sure the right people are involved in it, so with no Analytics CatchOn, our academic leadership teams have access to it. So they’re actually, they’re looking at the data. They’re looking at the usage, so that way they’ve got that visibility. And then we have our edtech team was involved as well, because they help onboard our software or figure out when we stop using software. So I said, it’s still back to that team effort. We’re not in silos, is not an IT function. It’s multi-function, multi-departments and just making sure, here’s how to use the data. And sit down and have the conversation. I meet with my peers, the exec directors, curriculum support, superintendent of technology, superintend of academics, once a week to, we have dual team alignment between the two core functions of academics and technology. So it’s that partnership, that means everything. 

19:16 

Yeah. I was just looking at, there’s a question came, that came in here. So this is actually related to parents,Troy, you were talking about parents being such an important part of the Education community, especially after COVID, and all that we’ve all been through. One question from our audience, is, “do you involve parents in cybersecurity training? And, if so, how?” 

19:41 

Yeah, so, when we do back to school nights, and the back to school events or parent nights, whatever, it’s, we offer those kinds of training. And we, stick a lot of the, the external factors versus the internal things. And then I run our content filtering committee, which is made up of technology staff, administration, principals, teachers, community members, and parents, and we talk through a lot of our policies. Not just filtering, but just in general, around security of our kids in digital citizenship and usage twice a year. So that way, they’re involved in the conversation, because there are, there are advocates as well. 

20:18 

Yeah, exactly. 

We run what’s called the scam or the week. I’m sure you’ve probably seen that. Where we’re actually paying attention to what’s happening in the world today, and what the bad actors are using. And we send that out to all of our employees, and we encourage them to send them out to their families, and friends, and everyone else. 

20:37 

Because it’s just the way to be informed of what’s happening, and what’s going on in the world. 

20:44 

So, I think, there’s opportunities there to engage the community, as well in a proactive kind of cybersecurity awareness without it being a heavy lift. 

21:00 

We do a quarterly newsletter, and it actually comes from our Chief of Police, Director of Safety Security, and myself. That way, we’re talking about the late in the quarter of, here’s the thing, Cybersecurity Awareness Month. So, we’ll have tidbits of, here are the holiday seasons. Here’s what to look for. We bucket all that together in this little newsletter that goes out to our entire community. 

21:25 

Yeah, that’s great. 

21:26 

A question also came in “Does Spring branch have MFA?” 

21:36 

Yeah. So, it’s a great question. So, I’ve been at Spring Branch for three years. I wanted to do MFA. The first year I started. But, I spent, for six months, just do a gap analysis. So, the way we do anything at Spring Branch from a change management perspective, is what we call New-November initiative. 

21:53 

So, in November, we’ll go in front of senior leadership, and say ‘here’s the new changes we want to roll out next school year’ that way we are getting their buy-in, their feedback, and concerns. And then if they approve it, in December we’ll have an administrator meeting where all administrators in district, are involved. And then we as each division, talk about what’s changing next year. So, I’ve fully gotten there. So, we’re actually rolling out MFA next year, school year, for all staff across the board. And so, that actually, in a couple weeks, I’ll go to senior leadership. They already know it’s coming. Because we all know cybersecurity insurance requires it now, all the mechanisms around there. And so, you’ve got to figure out what, what it means for you, what does it look like, what makes sense for your organization. Because, there’s different ways to approach it in different schools have done it differently. 

It’s also perception, because a lot of people will say “I can’t do, and I don’t want a dual factor” on their site. 

22:54 

90% of people in this world have a smartphone, they already doing it. So, we have this misnomer in misperception about oh, that’s too difficult. If your’re online banking you’ve done it. But I think just making sure people are aware of actually what that is. You say, MFA, multi factor, just tell them what that actually means. Just a normal terms. Yeah, and it’s changing All the time now on any anything we’re using, We’re doing with our bank accounts… 

23:23 

 so, it’s not any different the expectation to do it for your school. 

23:30 

I like how Troy said that. Kind of help people make the connection. 

23:35 

I always like to teach people to be secure in their personal life and understand why that’s important to them, because I feel they show up to the office prepared to carry those same habits. And, you can’t hardly update your Hulu account nowadays without MFA, and you certainly can’t get into your banking account, and it doesn’t need to be a horribly complicated process. It just needs to be a process that’s put in place on the right systems and things, so that you just add that extra layer of security against someone accessing that critical data that you don’t want them to access. 

24:12 

Yeah, OK, another question, I’m moving us on from this, but you can jump back in time. OK, so, this is about layers of protection. 

24:22 

Is a firewall efficient enough protection? Or, do we need further protection? 

24:30 

Further, lots and lots of further. I mean, and this is actually, one, the roadmap: where do you go, and this is actually having tools that integrate, how do they work together. Because there’s more, there’s so many tools out there. The firewall is just the baseline. I mean, it does a lot. And especially Nixon firewalls, as long as you bundle those ended up purchasing the firewall and not just basics, But that’s just identity management. 

24:57 

How do you defined identity? Privilege access management is out there, now, what mechanisms are in place, EDRs then the next thing everyone’s got to have user requirement. Endpoint Protection, authentication, visibility. 

25:14 

Vulnerabilities– are you aware of all your vulnerabilities? There’s tools out there that help you identify what’s actually there? 

25:19 

Patching– How do you patch on network, off network? 

25:23 

There’s so many mechanism out there, but it’s back start with strategy roadmap first. Where do you want to go? How do you get there, then what’s out there, and what’s available, Next, great, partners and tools, that’s just one, backups as well. But, the firewall is just the beginning of things. 

25:39 

Layers is the key here. And, I believe it’s difficult to secure what you can’t see, and you might get lucky once in awhile and stumble onto something and then figure out how to secure it. But, if you don’t know what’s running in your network, it’s really hard to secure it. 

25:55 

And I think that’s one of the things that CatchOn Analytics from Lightspeed addresses, is trying to bring that visibility, making those apps visible, helping folks even know what’s running in the network and what’s going on there. 

26:09 

And, being able to look at those security policies and privacy policies have a level of confidence if that matches what they need in the district Lightspeed Filter adds a layer of protection as well, because it’s blocking the malware sites and other sites that students and staff might stumble into. And depending on how you have it set up and what you got it configured for. It could block command and control websites from actually being able to be communicated with should ransomware attacks there. So, I think every security person would tell you, it is about layers, and, again, I think, from the very large schools, to the very small schools, it’s really understanding which of those layers give them the biggest bang for their buck and, and which ones they can implement. And actually manage in their, in their environment to give them the best protection. 

27:02 

Yeah. And I’ll add to that, too, you gotta know all your assets. 

27:06 

And I mean, all your assets, and that’s just not just hardware, collect all your assets. 

27:11 

And you said, it’s layer upon layer, and then what, how do you minimize risk. Because it’s not if it’s when, and then back to, can I restore? Can I know? How quickly can I get back? 

27:23 

And so, I mean, all, those are factors, Yeah. You’ve got a layer everything, and, how you take, least privilege access. you’ve got to look at everything that’s out there. And then I said, you’ve got to apply to organizations and philosophies, but it’s got to start with leadership and those conversations. Because it’s still going to cost a lot of money. 

27:45 

Great. So, a couple more questions that are coming in, but there’s one that I wanted to just ask you to respond to this additional question. 

27:59 

It moves from how you protect yourself to, what happens if there is some type of an incident, and, sure, you mentioned incident response, but, from our research, the average downtime for a school network after a cyberattack is four days with an additional 30 days, on average, for total recovery. 

28:19 

So that’s a lot, and that’s an, and a lot of IT resources, time, and headaches. I’m sure. 

28:26 

I can just imagine, but, what should you do if you fall victim to a cyberattack, and what would be immediate steps you would take within the first 24 hours? 

28:41 

This goes back to the first incident response plan. 

28:43 

You’d have to make sure it actually works, and you can execute it. And if you’re not testing, you don’t know, because communication is going to be number one. What’s communicated external versus internal. There is a huge difference there, and then there’s tons of resources out there that are willing to help. State of Texas, they have a volunteer incident response team. You’ve got partnerships. You’ve got to know who those people are ahead of time. And then that plan, you should actually have all those documented. Because there are certain steps, and certain people that you want to call them immediately. 

29:14 

Don’t be afraid to ask, people are willing to jump in and help, we’re all in this together, I’ve been through a breach in my career, years ago. It’s resources and it’s health. Is it expensive? 100%. And you restore times and you know back to full functional depending on how bad it is. Back to, if you have layers and you have tools, in that plan, you can kind of know and set those expectations because the organization. Of the business needs and understand actually what that means. It’s not going to be normal as is, even if it happens and you restore. There’s never normal after, after this happens. There’s no normal in our world. 

29:52 

Anyway, yeah. 

29:56 

You’re not alone, and there are all these resources, Don’t think that you have to do everything on your own. I’m sorry, go ahead, John. 

 I think Troy’s right here, there are a lot of resources. CISA has the cybersecurity framework, which gives you a nice, kind of, layout of how to, how to go through this. 

30:15 

I think one of the keys is preparing upfront, at least, knowing who you’re going to call, what, what’s your insurance carriers’ number, and who do you call? What, what’s the FBI number, in case you need to get them in, and who’s your FBI contact. And all of that, in a spot, so that if you find yourself in the middle of a breach, you’re not chasing around trying to figure that out, you have it. And I think, the basic steps are going to be, once you realize you have a breach, you want to contain it, you want to mitigate it. You want to, do, you want to stop it from spreading. And once you’ve stopped it from spreading, it’s really then deciding what are the next steps, and what is the damage. And you know what, what does recovery look like. 

30:51 

And to Troy’ point, having thought through that ahead of time and having practiced it, kinda exercises those muscles, So when you’re in the midst of a breach, and Troy having gone through when I’m sure you can tell us, this is a very stressful situation. You’re not sitting around, relaxed going through your incident response plan. I mean, if it’s out in the public, you hope it’s not, But if it’s gotten out in the public, everybody’s phone’s ringing non-stop. It is extremely high stress, and that’s not the time to try to be figuring out who’s phone number, you got to call. 

31:28 

So, taking a little bit of time and, and start small. Start with an incident response plan. That has 2 or 3 things on it, and then iterate on it, and iterate on it, and iterate on it. And get better at it in time as you practice through it. It is really important. 

31:46 

I’ve found, even in my own journey through this. 

31:49 

Sometimes when you’re staring at a blank sheet of paper, and you’re thinking, I’ve got to create an incident response plan, feel overwhelming, because if you searched the internet, there’s 40 page incident response plans. But, I think start small. Use some of the resources there, Troy said, and really, lean on your colleagues and ask them for advice and suggestions. 

32:09 

And the great thing about K 12 education, everybody loves to share, and it’s a wonderful place to be. 

32:16 

Yeah, ask your neighbor district, for example, work together on those policies, on that plan, do the exercises together, that way you’ve got that bond and you kind of have a good understanding of each other’s environments, we’re all here for the same reason, the kids. Exactly. 

32:37 

OK, so another question came in for you, Troy, and it’s about apps that aren’t submitted to IT for review. 

32:44 

So I guess this would be educational apps or potentially administrative apps that maybe you end up in this system? We call them rogue apps sometimes, what do you do? 

32:57 

Well, for the best part, with CatchOn, Lightspeed Analytics, for us, the whole shadow IT, the rogue apps. Now, we have visibility to them. So, our policy, if they’ve not been vetted through our approval process, we actually now block them. But, that’s a lot of conversation with leadership first. And alignment with academics. Because, maybe you might discover an app that actually really good, it’s not approved. Alright, let’s go get it approved because actually we do need to use it, because there’s value to it. That aspect of communication and the alignment between academics and technology. But, we take a block approach to protect the organization, for lots of reasons. Not, and not just from a cyber perspective, its governance, policy, privacy, data concerns. But, you’ve got to have the leadership support, to be able to do that first. 

33:47 

Yeah, that’s actually a really good point about leadership support and lots of conversations to get to that point, but having the visibility of all of the apps and tools that are used across the district is probably step one, if you don’t have it. 

34:04 

How do you get that. 

34:06 

Yep, yep, got to have the visibility first. And then you can have the conversation. Or have the conversations of, we’ve added the visibility, here are the reasons why we need this visibility. And, I said, there’s a cost perspective to this. 

34:20 

From the funding standpoint, duplication of adaptation, concerns around privacy, governance, then cyber, those are your start conversation starters. 

34:29 

If you start that direction and then go figure out, How do you solve I didn’t know. How do you identify? What do I need to do to be able to discover those things? 

34:38 

I’m going to just say to the audience, we have we try and only take about 45 minutes of your time through these webinars, so we want you to get your questions answered And if there’s any topics that we haven’t covered that are burning and you really would some insider resources, please type those in now. 

34:58 

We’ve been answering questions throughout, so now, hopefully, we’re getting to some of these. 

35:04 

There was one, Troy, that also came a bit earlier. 

35:07 

And this was probably pertinent to prior answer you had, but it was around, how often do you rotate or flip your tickets, KGBT? 

35:22 

So it’s a great question but I won’t answer it publicly.  

35:32 

If they want to reach out directly, we can talk through some of the policies and things we do internally. 

35:39 

That’s a big deal, but yeah. There are certain things that I wont say publically. 

35:46 

Great. That’s a wise move. 

35:49 

Yeah, just I don’t do QR codes at conferences. 

35:54 

I know we’ve talked about this in a couple of different ways, but one or the other, one of the other questions that we had was around, we’ve talked about technical solutions, but, and we’ve actually covered some of this. 

36:07 

But, are there any other protections districts can implement to keep their systems safe, and maybe it is about not sharing some things publically? 

36:18 

Yeah. I mean, say, internally. We definitely should be sharing. 

36:23 

Yeah. Because, I mean, back to, we should be sharing with our neighboring school districts what we’re doing. Because we’re in the same fight, and we can learn from each other. So there’s that part of it. I mean, it’s back to, what’s your roadmap? Where do you want to go. Because, zero trust is our next thing. And how do we get there? 

36:39 

 We have some tools in place for us. Its vulnerability how we patching our systems were diligent, but we’ve got to identify we’ve gotten internal tools and help identify all the vulnerabilities. And then back to John mentioned, Cyber Hygiene has got free services, we get their weekly report of our external IP scans, we do their NDBR. So, it’s open block, watch system requests, even though we have our internal tools assistant; back the layers. 

37:08 

So, there’s first free resources, know, there’s so many tools out there, it’s just, what’s your priority? Low hanging fruit versus the complex technical things and the path to get there. You’ve got to start with those. Because otherwise, you might try to solve one problem, and cause another problem. 

37:29 

I think, too, it’s, uh, several states actually have requirements. Districts have to publish all of their vendors in their apps, on their websites. Which is a goldmine for the bad actors. Because they know exactly what you’re using, and that’s a tough place to, I understand why the laws are what they are. We certainly want to give our parents that visibility. 

37:50 

So sharing as much information as you need to share, to stay compliant with the law and all, But also understanding what information you could potentially put there that can be very harmful in the hands of the wrong people and then crafting that message on that website. 

38:07 

So it informs the community in a way they need to be informed, but doesn’t give away more information than you need to give away. 

38:21 

One more thing real quick, around, and it’s not a tool, it’s people. Invest in your people training, bringing everyone to the table, everyone’s involved. 

38:30 

Get students involved there, the kids that pique interest, kids think different than us. 

38:35 

Internship programs, take advantage of their brainpower. Because they say, definitely that we do as adults, use them to your advantage. Create this, this pipeline of internal talent. Give them their next, you, know, opportunity kind of thing, give people a chance to learn, and what I always tell my team, my job is to enable, empower, and get out of the way. 

38:58 

I love it. 

39:00 

Yeah. That’s a great. I’m going to ask each of you for, one of your favorite resources. From a cybersecurity perspective. It could be a conference that you attend. It could be a site, framework, that you recommend the audience go check out.  

39:26 

I mean, I spend most of my night and weekends reading LinkedIn articles because, vast network of resources out there.  

39:36 

I mean, just reading and listening, there’s tons of subscriptions. MSISAC. you got to subscribe to those that easy material, reference stuff, conferences, we’re going to that next year as a group. 

39:49 

There’s some, things about that part, but it’s also what local? Host your own event. Partner with the schools and internal learning opportunities, but I don’t have a top favorite, I’m just, any resource, or information that’s out there, I can find and read. I spend a lot of my time. 

40:07 

Yeah. 

40:08 

I think, a great choice, LinkedIn, is that fabulous resource. It’s a, it’s easy to join the cybersecurity groups, that best line up with what you want, and then they push information to you, and you can get that on a regular basis, and then use that to go elsewhere. I think, if someone is starting out on their journey, probably my favorite resource is CISA and the Cybersecurity and Privacy Frameworks. 

40:35 

Because this is a large community that’s come together and try to put a plan, that almost any organization can follow, and it kind of lays out that roadmap on where to start and how to go through it. So, for anybody that’s new, I highly recommend checking out CISA. they also do a great job of keeping updated vulnerabilities and patching. 

41:03 

Great. Thank you. that those were good. Those are good resources. And Troy has there you might need to relisten to this. But it’s a final question, and I will say, if there’s any final questions, just type them in. But thank you, for those of you who have asked a number of questions, today. It’s been great. 

41:25 

But do you have any predictions around trends, on cybersecurity for education? 

41:30 

Anything that you see coming in the future in the next few years, or things that you’ve heard about starting to think about.  

The cybersecurity act Biden just passed recently at the federal level. And, it makes the State level, Then they’ll make the school district level. 

41:53 

You know these things are coming, of course, by the time they get to us its way outdated, but, I mean, the whole privacy stuff, states are passionate. The whole GDPR, it’s coming, so how do you get ahead of it. You got to look at those things, those are, trends that are coming. 

42:10 

And it’s, Privacy, privacy, privacy. That’s always an evolving target, But, I said. And then what’s your state doing. Because you don’t know what the State doing, So, you got to follow up with them, and have those interactions. But, the whole GDPR relevant to the US, it’s on its way. 

42:26 

And then, the mandatory, tool of all that part, It depends on what organization and entity at the government level involved. How bad it goes. 

42:35 

So, don’t wait on them to do things, you just got to innovate yourself what’s best for your district. 

42:42 

Yeah, great. John, anything last, any last thing to add there? 

42:47 

For folks to think about security here, the one thing I’d to leave folks thinking about is we have this image of the black hoodie, can’t really see the face, sitting behind a computer hacking away. And while that’s a good image and prints up really nicely on a t-shirt, the reality today is cyber criminals have organized themselves very efficiently. And they have a level one support that tries to get the resources, and then they escalate it to a level two, who has more skills to get to the next level. And then they escalate to a level three, who really knows how to get and break into things. 

43:26 

So, I think the key here is for people to realize that cyberattacks on schools are probably on the increase over the next few years at an exponential rate just because they’re valuable targets and what they’ve done is they have really organized themselves to take advantage. 

43:49 

Absolutely. 

43:50 

All, so, so keep working, keep working towards better cybersecurity profile. 

43:56 

OK, well, we’re going to end there, Troy and John, thank you so much for your time today, we appreciate it. And to the audience members, thank you for joining us. 

44:08 

We at Lightspeed Systems do have ways that you can help, that we can help you in this journey, and we’d love for you to take the survey that will pop up afterwards. You’ll also get a recording of this, so you can share this with others in your teams if you found this valuable. And also, I would say please feel free to download our cybersecurity guide. It’s a really good walkthrough of the different layers of defense and things to be looking at. But, again, thank you for your time, and have a great, great day.