AUSTIN (Nexstar) — Texas schools are beefing up cybersecurity programs, following new state regulations to strengthen districts against digital attacks.
At the Texas Association of School Administrators midwinter conference in Austin this week, technology leaders from Round Rock Independent School District shared how they developed their cybersecurity program— from staffing to risk management.
“We are under increasing cyber security risks and because of that, we really need to start taking taking action in order to provide much better protection,” Mark Gabehart, Round Rock ISD’s executive director of technology and information services, said.
The Round Rock ISD presentation was one of the conference’s nearly 250 sessions focusing on school safety, college and career readiness, and instructional leadership.
In their presentation, Gabehart and the district’s information security officer Clarence Campbell said schools are the second largest pool of ransomware victims nationwide. Only local governments tops the education world. Healthcare organizations rank third. Their presentation highlighted information from CyberVista, which indicated the education industry ranked worst in cyber security.
Texas lawmakers passed legislation last year enhancing cybersecurity requirements for school districts.
Senate Bill 820 requires districts to craft a cybersecurity policy to “secure cyberinfrastructure.” Districts must also perform risk assessments and “implement mitigation planning.” Superintendents will designate a cybersecurity coordinator as a liaison between the district and the state and parents.
According to the Texas Education Agency, the cybersecurity coordinators appointed by the local education agencies will report incidents to TEA via email. A TEA official said correspondence will go to an inbox specifically designated to receive incident reports.
According to TEA, local education agencies are still in the process of determining the most efficient way to implement the district-wide cybersecurity infrastructure planning requirement.
House Bill 3834 requires certain state and local government employees and state contractors to complete a cybersecurity training program certified by the Texas Department of Information Resources. Gabehart said school staff and even school board members fall under that category because of their access to sensitive data.
Gabehart said one area of concern is budget. Neither SB 820 nor HB 3834 allots any state funding to accomplish its requirements.
“It costs a lot of money to hire appropriate staff as well as tools and resources to protect our K-12 schools like they’ve been doing at state agencies and federal agencies and in businesses,” Gabehart said.
“We are behind the curve in terms of protecting us from attacks such as the recent ransomware attacks that are occurring in school districts and local state agencies as well,” Gabehart added.
Round Rock ISD was one of 13,000 districts across the country affected by what Gabehart called a “data incident” with third-party vendor Pearson Education, in which names, birthdays and email addresses of users between 2001 and 2016 were compromised.
Campbell said no program is perfect, so he appreciated collaborating with other districts at the TASA conference to share best practices.
“It’s a combination of layers and methods and and what might fit for one district and be the best for one district or one organization may not be the best for another another district,” Campbell said.
Gabehart said he was working on a student data privacy initiative for lawmakers to take up next session. Under his proposal, which is still in development, Texas would adopt a statewide data sharing agreement for all districts to use and “force vendors to make sure they do a better job of protecting our data.”