I don't want you to get wiped out by the bad guys. The entire Acture Solutions team works extremely hard to keep our clients safe 24x7x365.
However, Acture Solutions, myself, my co-workers, or any other vendor cannot keep you safe on our own.
You, your team, your district administration, and your staff must actively participate in any cybersecurity effort.
I am still seeing through our various security tools that many of you still have users who are local admins! You still have Windows and Mac firewalls turned off! You have teachers, a number of Superintendents, and possibly other users with unmanaged devices *inside* your network. You have Superintendents with personal, unmanaged machines on your network. You have district office staff loading confidential, personally identifiable, and financial information onto laptop endpoints without EDR clients, without any vulnerability management or patch management, and without utilizing BitLocker or FileVault encryption.
These behaviors are a death wish. They are totally irresponsible.
Somehow, you must shut down all of these behaviors.
I've heard from some that they are afraid to walk up to the Superintendent and tell them no. I was in a situation last week where it appeared the technical staff was too intimidated to inform the Assistant Superintendent of Business what the rules even were. (Once he heard the basic security requirements of the district, he was very willing to be part of the overall security framework.)
I am not afraid to have those hard conversations with you.
We have seen multiple, recent, local examples of Superintendents, Assistant Superintendents, building administrators, and other Business Officials being targeted and sometimes breached. I'm happy to share what's actually going on.
This is not theoretical.
These actions increase the district's risk of a breach and may compromise its cybersecurity insurance policies. I suspect that you specifically didn't indicate that your district administration and other staff are not adhering to basic, best practice rules when you signed your name to that form.
Remember the Travelers Insurance lawsuit, where they claimed they wouldn't pay a claim because the client stated they had MFA deployed and configured in a certain way, but it was proven that it wasn't configured as stated. The insurance company's forensic analysis attributed the breach to the misconfiguration.
"Rules for thee and not for me" does not work in keeping your district safe from the growing number of threats.
I want to prevent you from being breached, having your name in the paper, protect your staff and students, and keep the district and the administration from being embarrassed.
Sometimes I feel like I'm chasing windmills.
We all must do a better job at this.
No one is immune.
Acture can help. If you need assistance, please don't hesitate to call us.
Scott Quimby
Senior Technical Advisor
vCISO
CISSP
You must be logged in to post a comment.