15 Budget-friendly Cybersecurity Tips for Schools

Your organization’s finance professionals make tough, sometimes unpopular, decisions come budget season. Funneling funds to one initiative could mean scaling back, postponing, or eliminating other initiatives. Here are 15 tips that will help fortify your digital defenses without busting your budget.

1. Identify Security Gaps

The first step in improving your network is to identify your weaknesses via a vulnerability assessment. This can be done independently, or you can get help from CISA or DIR.

2. Vet Your Vendors

Approximately 75% of all K-12 data breach incidents in the U.S. were the result of security incidents involving school district vendors and other partners. Vet your vendors to ensure they're reputable and committed to protecting your data.

3. Leverage Data Protection Agreements

Data protection/privacy agreements can go a long way in ensuring that companies you do business with value your sensitive data as much as you do.

4. Back Up Your Data

Back up your data regularly and ensure that backups are viable. New ransomware hunts for on-premises backups to lock up, so consider off-site, offline, or powered-down data backups for better protection.

5. Don’t Take the Bait

Fraudulent instruction attacks steal millions from districts. Protect your district’s funds by verifying requests to change direct-deposit or financial routing numbers before acting. 

Related Resource: Share this phishing cheat sheet with your finance professionals.

6. Patch Your Software and Firmware

Install updates and patches to your anti-virus, operating systems, and other software platforms as soon as they are available. You’re only as secure as your most recent update, so implement a policy (automated or manual) for routinely running updates. The same goes for your physical hardware, which runs on firmware. Like software, firmware requires routine updates and maintenance. 

7. Don't Trust Everything You See

Artificial intelligence is making social engineering attacks easier by aiding attackers in impersonating the voices and even faces of familiar people. Teach your team to navigate AI-powered risks.

8. Enable Multi-factor Authentication (MFA)

Enable MFA on business and personal accounts to receive authentication codes via SMS or secondary email.

9. Use a VPN for Remote Work

Make sure your home Wi-Fi is on the latest security standard and that it is password protected. Avoid doing sensitive business on unsecured or public Wi-Fi. If you must use public or unsecured Wi-Fi, it’s important to use a virtual private network (VPN). VPNs provide a layer of encryption that could prevent network compromise.

10. Embrace Zero-Trust

A zero-trust model means that no user or device can be trusted by default within a network. Zero-trust is becoming a dominant network model to help avoid cyberattacks.

11. Implement Endpoint Detection/Network Response (EDR)

EDR is a sophisticated cybersecurity platform that monitors and protects every device in your network and helps prevent infection. If your district has fewer than 50,000 students, you can get EDR at no cost from TEA.

12. Defend Against DDoS Attacks

Distributed denial of service (DDoS) attacks happen when hackers flood a website or server with too many requests for the system to handle. Often, public security utilities like the Low Orbit Ion Cannon are used in these attacks. Block the IP ranges associated with these platforms to protect your network.

13. Manage Administrative Privileges

Hackers who gain access to your system can’t do much without administrative privileges. Privilege-access management tools will help you maintain control of who can do what in your network, and possibly prevent a costly cybersecurity incident.

14. Protect Cloud Storage

Many organizations are moving their storage and other services to the cloud due to affordability and ease of use. Use an identity and access management utility to ensure only invited guests have access to your cloud space.

15. Implement an Acceptable Use Policy

Make sure staff knows your expectations for safe use of technology by developing and promoting an acceptable use policy (AUP).

Bonus Tip Exclusively for Fund Members

Fund members with Privacy and Information Security coverage benefit from expert support at no additional cost. Let us train your team to build a state-mandated cybersecurity plan, avoid common scams and attacks, and recover from incidents.

Editor's note: This article was originally published in November 2021. It has been updated for accuracy and comprehensiveness.

Lucas Anderson
Privacy and Cyber Risk Consultant

Lucas Anderson joined TASB Risk Management Services in 2019, bringing more than a decade of experience in cybersecurity, network administration, and information technology. He advises districts on preemptive mitigation against ongoing and emerging cybercriminal threats targeting the education sector, as well as cybersecurity-related regulatory compliance. 

Over his career, Anderson has supported public and private organizations, including Booz Allen Hamilton, the White House Office of Management and Budget, the Department of Defense, and the Texas Association of Counties. 
