Building a Cyber-Resilient School
Leadership's Role in Protecting Data & Reputation
Cybersecurity isn’t just an IT issue—it’s a leadership priority. As cyber threats targeting independent schools continue to rise, school leaders must take an active role in protecting sensitive data and maintaining their institution’s reputation. This webinar will explore how heads of school, CFOs, and other administrators can foster a culture of cybersecurity awareness, implement strategic policies, and ensure compliance with data protection regulations. Attendees will gain actionable insights on risk management, incident response planning, and empowering faculty, staff, and students to become the first line of defense against cyber threats.
Transcript
Hi, everyone.
Welcome to another Atlas webinar.
We are super thrilled to have our partners at Knowing Technologies with us, um, and we're grateful for their support.
Uh, we keep hearing a lot about the importance of data protection, um, the impact on your school's reputation, um, with data privacy, data leaks, um, and so Knowing Technologies is here to talk about the leadership role, um, in that vein.
So without further ado, I'm going to ask Tom to go ahead and take it away.
All right, great.
Thank you so much.
Good to see you again.
Hello, everybody.
Uh, I'm Tom Wildman.
I'm the, uh, CEO of Knowing Technologies.
And today we're gonna talk about, uh, how you as school leaders can build a cyber resilient school and what your role in kind of cyber awareness and cyber protection is.
So, uh, uh, first of all, you know, I wanna make sure we're that, you know, we're talking about cyber resilience and not just cyber protection.
And I'll get into the difference here in a second.
But, uh, before I do, this presentation is kind of targeted for not really technical people.
Um, and you'll understand why very shortly.
But we're gonna talk about some specific risks as well as kind of categories of cyber risks.
But, uh, this certainly is not a discourse on cyber protection or compendium on, on, uh, cyber risks, uh, entirely, but really about how you build cyber resilience into, uh, into your leadership program.
So, um, these are kind of the roles that, you know, this is targeted for.
It's really people that are responsible for bearing the risk of, uh, of a cyber attack that is the people that actually have to be accountable when there is an incident, a breach, data loss, um, that kind of thing.
So, rarely IT is responsible and rarely IT, uh, uh, has to present the public face of responding to, uh, to a, an incident.
Uh, and it's typically these roles.
So, is it, is this, uh, really a problem that is worth talking about? So, I I, I'm gonna give you a few, a couple of, uh, pieces of data here.
Uh, one is that, uh, yeah, it's a problem.
About 82% of schools, uh, of K-12 schools experience a cyber incident in this timeframe of, uh, 18 months from July, uh, 2023 and 82% is a lot.
Um, schools, uh, K-12 schools report about a little bit more than 4,000 attacks every week.
And, um, that's per organization, which means, you know, as you're in this webinar, you're gonna get attacked 10 times, or someone's gonna try 10 times to attack your school.
Um, there are, uh, about, uh, four and a half months, a little more in the four and a half months it takes to report data breaches after there has been a ransomware, uh, event, and I'll talk about that as well.
And, um, in 2024, there were 116, uh, confirmed ransomware attacks, which is down from 2023, uh, among all educational institutions that's lower, uh, a primary lower, uh, upper and, uh, and college.
So, um, the cost of an incident to recover from an incident, uh, if you are attacked, uh, is averaged about $2.28 million per incident.
And the most common vector means the common way that the attack is initiated is through, uh, email 45% in, um, business email accounts like business office, uh, adult accounts, and 19% in student emails.
So, what this means for private schools is, um, is this, most of that data kind of aggregates all K to 12 schools, both public and private.
Um, because we don't really have good segmentation of data sources.
There are some studies that focus just on, uh, private schools, but, uh, private schools have a few challenges.
One is they tend to underreport, uh, because of their, um, because of the families and their reputational damage, and they're not required to, um, and they don't, um, they, they may be under-classifying the event too, as like an incident rather than a full data breach.
So that means we don't really have, we're not, we don't have, and we're not likely to have a good insight into real data.
Um, one thing to be aware of is that private schools are, uh, are kind of easier targets.
And the reason is that they have, um, uh, they have some challenges typically, like under-resourced.
It maybe like legacy systems for data protection, legacy networks, legacy devices on the network.
Um, so usually private institutions, but that aren't really, they don't have a whole lot of oversight, regulatory oversight, um, or centralized support.
They tend to be a little bit more vulnerable.
And then, uh, and then finally, um, many schools re report confirmed attacks, uh, which does really underestimate exactly what the full, uh, what the full fort is.
So, um, I'm gonna, I'll be happy to take questions on that later, but I want to kind of get through to a few more cases, uh, case studies here.
So, uh, I have two that I'll bring up.
Um, there was, there's a, there was a breach in PowerSchool.
I'm not sure if everyone knows PowerSchool, that's a leading SIS provider, but just last December, uh, they were breached and it was a big one.
There were millions of, uh, data records from personnel and staff, uh, that, uh, that, uh, were taken.
It was a ransomware attack.
And so the, um, the ransomware, um, were paid and they claimed to have deleted the data, but, uh, it did resurface later.
In fact, uh, someone associated with the attacker actually contacted individual schools and tried to extort additional money.
So, um, what we take away from this is that even though, uh, cloud providers or third party providers do have better security practices, and certainly a lot more budget than an independent school will ever have, they still do, they still do pose a risk.
I think this presentation will be available.
But I have a link there to some more information about, um, about the person who was, uh, convicted of that attack and just, uh, last week, gosh, maybe even this week, uh, he was sentenced to only four years in prison.
Now, I think also, uh, like a $14 million fine would be difficult for him to repay and, uh, some other civil penalty or a criminal penalty of $25,000.
But anyway, he had a very short, a small sentence, um, but does have an obligation to make restitution as well as a fine.
So that is one case.
Another case is Harvard-Westlake, a school in the LA area, LA area where, um, they had a data hack.
And, uh, in that hack, uh, alumni and student records were exposed.
And that's, that goes back quite a ways.
That includes like transcripts, current transcripts, old transcripts, transcripts for students that had long since left recommendation letters and other documents that were associated with their academic performance.
Um, and it looks like what happened is there was a, uh, there was an administrator account, um, that is used really on all data management system, but this administrator account had been, uh, breached and they used the, the, those credentials to log into the database and leak the data.
Um, uh, there's a kind of a technical understanding about the availability of, and the simplicity of understanding, uh, administrative accounts or accounts with, uh, privileged access, because they're really very high-value targets.
Um, and one of the remediations that, that, uh, is common is to limit the exposure of those accounts or the access, the data to which, uh, those accounts have access.
So, power, uh, PowerSchool, Harvard-Westlake, both some pretty, uh, pretty, uh, big data breaches.
So I wanna talk a little bit about this idea of cyber resilience, which is the subject of the discussion today.
Uh, and compare it to cybersecurity.
They're not, they're not the same thing.
And really what it means is that cybersecurity is predominantly focused on, uh, prevention, but it's not necessarily focused on response recovery, adaptability.
And it's really more about, um, cyber resilience is more about like continuing operations, uh, communicating clearly, um, uh, withstanding the, uh, the attack withstanding attempts.
And, uh, and then analyzing what happened during the attack, uh, for, uh, the purpose of increasing, uh, the protection and improving the resilience of the school.
So cybersecurity, more about prevention, uh, and cyber resilience is more about, uh, continuity, uh, when the attack is going on, or, or, or just thereafter.
So here's a little, uh, graph to show you sort of the difference between cybersecurity and cyber resilience.
Uh, where the goal of cybersecurity is to stop attacks.
And the goal of cyber resilience is to make sure that you're able to continue to operate despite the attack.
So the approach in cybersecurity is to be defensive, to make sure you have a, a reasonable barrier against the attack.
And cyber resilience is more to be adaptive, to live with it, to understand, uh, what has to happen when it does, uh, occur.
And, uh, and cybersecurity is very much about getting that boundary to minimize the surface that is used to make cyber attacks.
And, and you measure the effectiveness of cybersecurity by the number of incidents, and you measure the effectiveness of cyber resilience by, you know, how long did it take you to recover? Uh, how effective was the communication? Uh, what was the continuity of the business? Other, other risks were, was there downtime or systems that were not accessible during the attack? And how adaptable were you to the, to the incident while the attack was going on? So there are, um, this is by the way, the next, this slide, the next few slides are the meat of the discussion.
This is what I really want you to understand about cyber resilience.
And so I'll, I'll go over it in a little bit more detail, and then afterwards I'll talk about some different kinds of risks, um, that you should be aware of.
And I'll open an, I'll open up for a question, but let's get to the really important content here.
And there are, there are four pillars of cyber resilience.
The, the pillars are, um, prepare for an attack, withstand an attack.
So, uh, uh, while it's happening, make sure that nothing breaks down.
Uh, respond to the attack clearly and then recover from the attack.
So those are the four pillars.
And, um, the general thesis here is if, maybe we should say, when a cyber attack does occur, you wanna make sure that you are able to continue to operate just as normally as possible.
Now, in internally when that, when an attack happens, it's, you know, it's, it's crushing and it's, um, it's panic inducing, but you wanna make sure that you, you keep a, a, uh, a, uh, solid stance and you communicate effectively and you, um, maintain operations as much as you possibly can.
So, uh, cybersecurity, or cyber resilience matters, um, because, uh, it's inevitable.
Like you're, you know, you get attacked all the time.
It doesn't usually get through, but you are always under attack.
And so, um, when you are attacked, um, is inevitable.
And there are different kinds of attacks that affect you, either directly by ransomware, uh, phishing or indirectly by interrupting supply chain or a source of information that you need or a third party service.
Um, many independent schools find data loss to be, um, to be catastrophic because there's a loss in revenue in enrollment, there's a loss in reputation.
And some schools even feel like after they've had a severe cyber attack that their, even their ability to maintain operations, if it was on the fence, it pushes them to the other side and it risks closure of the school.
Um, the another reason cyber resilience matters is if you've ever tried to get cyber insurance, they ask, uh, I mean, historically they've asked a series of questions that you may have just passed on to IT to answer, some of which you may have passed on to IT to answer.
But, um, now, now insurers are asking for more, um, framework based information.
In other words, you need to present to them the results of an assessment that you've taken about precisely where your cyber risks are.
And so there, there are many frameworks of that assessment.
The most common one is, uh, NIST.
And, uh, and there's also a framework for assessment that is really effective, that's provided by Atlas itself.
Uh, and then finally, a reason cyber resilience matters is that, uh, families trust organizations, um, that are resilient.
Alright, let's get into the four pillars and talk about what they are.
This is, again, the, the crux of the issue here.
Uh, the first pillar, uh, oh, before we get into that, uh, so the, the core idea is that there's a sort of a formula for, uh, cyber resilience, which is, uh, the aspect of security plus continuity, plus adaptability.
And while you'll never get a number, it just tells you that there are components of cyber resilience that are based on, uh, these three formulas.
So again, cyber resilience is not about stopping attacks 'cause it's gonna happen.
It's about surviving and thriving despite those attacks.
All right, let's get into the four pillars.
So the first pillar is prepare.
Um, and this is by the way, uh, I, I'll show you kind of a responsibility matrix because, um, one of the points I want to drive home here is this is not a problem that you pass off to IT and you have satisfied the requirements of requirements of cyber resilience.
It really requires participation across the entire, uh, uh, leadership, uh, stratum of the, of your school.
But let's talk about the first pillar.
This one is, is, uh, typically done, uh, or led by IT.
And the first, uh, the first part of the pillar here is to identify the critical aspects.
I'll give you some examples later, but this is sometimes called the crown jewels.
It's identifying where the data that would cause the most damage, if it were to get out or to be altered, uh, where, where that data is like student, um, uh, success data, personally identified, uh, information, uh, those kinds of things.
So the first part of this pillar is to identify the data that you always want to be aware of, to make sure you know who has access to it, what kind of access, how it's protected, how it's backed up, and how quickly you can recover from it if it were to be lost.
The second is to assess and protect.
And this means using a framework like, uh, like CIS or NIST or Atlas, to measure precisely what your risk is and to make sure that you are remediating the highest risks that that measurement system has told you exist.
You wanna remediate the highest risk items first, we'll talk about that again in a second.
Uh, the, the third part of this is to build awareness, which means, uh, understanding having users, uh, uh, uh, experience repetitive and ongoing training of current cyber threats.
Uh, where they're actually tested, they call it like phishing, or they're tested to see how they respond if they get, uh, if they get an email that could otherwise have been a threat, and to make sure that they're able to identify a legitimate email versus, uh, uh, a, a, uh, a, a cyber threatening email.
And remember, uh, that, uh, 45% of attacks came from emails to adult users in schools.
So building that awareness is a key part of this.
Uh, the fourth part is to develop disaster recovery plans, which means, um, what happens if the data is suddenly unavailable? Do you spin up servers or services elsewhere? Um, those are parts of a disaster recovery plan that, in that indicate a higher degree of preparedness that some schools, uh, miss.
Uh, the next part is obvious, backing up critical data.
Uh, what isn't always obvious is this is the idea of air gapping them to make sure that if there is an attack, if there is a ransomware, that your backup data isn't lost as well, and that, uh, that actually happened, uh, to Blackbaud, uh, several years ago.
And then the the next one is to have policies that are clear that make sure that you're prepared, such as least privileged access, um, least privilege, a uh, yeah, sorry.
So, uh, least privilege access makes sure that, um, uh, only you users only have access to the information that they absolutely have to have, and only for as long as they need to have it.
All right, let's go talk about the second pillar.
And this is withstand, it says, are you able to withstand an attack? And the three parts of this are, uh, to design systems that are redundant, uh, and segmented.
So if one part of your, of your infrastructure is attacked, the others don't, uh, crumble.
So, um, the next part is using what we call zero trust principles to, uh, limit damage.
If that same ha same thing happens, and there are a few parts of zero trust, it really means that you are explicitly verifying, uh, each, each attempt to access a device and a system, uh, and that you also don't, uh, you don't trust that the person that is trying to get access is in fact, uh, that person you expect them to be until you verify.
Um, and then the final part is to, um, maintain, uh, maintain up-to-date, up-to-date defenses like, uh, MFA, which is multifactor authentication.
So that if you, if, uh, you, uh, you wanna make sure that every time you log into a critical system that, uh, a response is sent back to another device like a telephone, uh, or a specific email, uh, to make sure that the user responds from the place where the user expected to be before you allow them access.
And finally, uh, EDR is just simply like endpoint detection and response.
It's like, um, it's, uh, it's antivirus anti-malware in a very simple, uh, permutation of definition.
And that's typically something that IT manages, pushes out and monitors.
And those, those defenses are built on laptops, on servers, uh, mobile devices, uh, uh, that sort of thing.
Okay.
So that's pillar two withstand.
And then the third pillar is how do you respond when a, an incident occurs? Um, and the important part of this is to have an incident response plan.
And this is what automatically kicks in when there is an incident.
Who is in charge of communicate communication? Uh, what do you communicate? Uh, what, what role does your legal counsel play in this? Where where are they in the communication chain? Uh, and if you have any reporting options, say to board members, that should also be in, in the incident response plan.
And incident response plans, um, are, uh, it's not typically rote knowledge of how to build them, but cyber insurers are very, very good at either providing resources to help you to develop incident response plans or give you templates for incident response plans, or pointing you to consultants who can help you to develop incident response plans.
But the, I, you know, I've been involved in a few, uh, cyber security breaches and those that went the smoothest are those that followed, uh, a process that had been predefined and tested.
And an incident response plan is the best way to know that you're prepared and that you're communicating, uh, accurately and, uh, timely.
Uh, second is, um, the second thing is to, is if there is a threat, you wanna make sure you detect and contain it.
And the third part is to keep forensic data, uh, available, which is really important to, um, to understanding how the breach occurred and how broad it occurred.
And these kinds of logs are things like firewall logs that showed, you know, how the, how the breach got through to, to the network, if that was, if that was a path, uh, maybe server logs, um, system access logs that show what credentials were used to access a system, and what did they do once they logged into the systems.
Uh, that's often, uh, uh, uh, that story is often told through what we call audit trails.
So that forensic data is really important to understand and to, uh, and to keep available when you're responding to an incident.
And finally, the fourth pillar is to recover from the incident.
And so, you know, remember we're trying to work on business continuity, uh, clear communication while investigating the path of the error and, uh, then ultimately recovering from it.
So, um, there, these are the different parts of that recovery process.
One is, if there's data loss or service loss, get those data back from verified backups.
Um, and I didn't really get into this 'cause of more technical part of the part of the process, but we wanna make sure that those backups are not just verified backups, but they're air gapped backups that they, that they represent the latest possible, uh, set of data that's available, uh, rather than, uh, scrambling to try to find tapes that may have been stored in the basement somewhere.
Uh, the, the second part of this recovery process is to communicate clearly with customers.
This is where schools make a lot of mistakes.
Um, I mean, it's, it's embarrassing.
Um, and it's, uh, as I mentioned before, it's panic inducing when there's a data loss incident.
But, um, the schools that stumble or drip out information of increasing severity are always, uh, uh, perceived as being non-resilient.
And, uh, and concern their, uh, their stakeholders significantly.
So, be clear, be decisive, be complete.
As soon as you know what information, make sure you understand what you're allowed to communicate and how, um, don't dribble out communications to stakeholders.
Uh, finally conduct, uh, a review of what happened in the incident so you can find out what processes failed, and then work to close those gaps and re and then adjust that strategy based on, uh, what you learned.
So I'll just pop back through this.
The, the pillars are, uh, prepare, withstand, respond, and recover.
That is, that's the essential part of understanding how you create, uh, a cyber resilient plan, or at least the essential components of it.
Now, what is missing from here is a lot of the, uh, information that, uh, IT would have to have to make sure that they build appropriate protections.
That's a technical presentation that's, uh, quite different from the, this content.
But, uh, what I can tell you is that people that build cyber resilient plans very early on in the process understand that it's not an IT problem.
The mistake that they, the perceptual, the perception mistake that they have is that this deals with technology.
Technology is IT, so this is an IT problem, and it, and it's not.
Um, and if you understand going into your cyber res cyber resilience planning, then you're going to appropriately divvy off the responsibilities of preparing, uh, to the appropriate roles.
And I will be, I'll give you an example of that, uh, in just a second.
But what you, well, it's not just an IT problem.
What you can ask of your IT department really depends on, on their depth and independent schools.
And again, they're attractive targets because they often, you know, lack resources to fully staff an IT department.
Um, and so sometimes, uh, independent schools have, uh, IT directors or IT or technology leaderships that are fairly deep, and they can take on many parts of this resilience plan themselves.
But that is the exception rather than the rule.
Most commonly, IT people are used to keeping things running, uh, to responding to outages, uh, but not really to effective cyber cyber planning.
And I think another concern is, if they haven't experienced responding to a cyber incident, then they may not be able to build the most effective plan.
Uh, but primarily you can count on them for, for using an assessment framework like, uh, NIST, CIS or, uh, Atlas, which, which, uh, has a very, very effective assessment framework and all of your members.
So you can go right onto the Atlas link, go to cybersecurity, and you conduct your own assessment.
But there's really a responsibility IT has to always, to continuously measure their risk, create a plan that addresses that risk in, in severity order, and then create, create initiatives from that plan that are, that they're always working on, on implementing.
So at any one time, you can ask IT, give me numerically what our risk is today and compare it with how it was a quarter ago and a quarter before that.
But you, they should always be working on, on, uh, on effecting this, uh, risk mitigation plan and lowering and lowering and lowering their risk calculated number that was calculated using one of these great frameworks that I talked about, like Atlas, which is a very, very good one.
Um, IT can also be counted on to create a, remain a remediation plan for all of the, uh, initiatives and, uh, to, uh, operate the solutions of the protection solutions.
I just gave examples here, multifactor authentication, uh, endpoint, uh, detection and response.
Uh, and also they can manage awareness training.
And there are tools like nine, which is a, um, which is, uh, an Atlas partner, uh, KnowBe4, there are several other providers out there of that awareness training, but that is an essential part of their work, again, outta scope, um, of this discussion.
But those are the kinds of things that your IT can be counted on, uh, to operate.
And then the other thing, and this is fairly new, that you should get into the practice of getting monthly or more likely quarterly updates of what is the latest risk measurement, what is the current plan? What have you done since the last plan? How is our risk lowered? So that should be like a muscle that you build when you're communicating with IT about, uh, about cyber resilience and cyber protection.
So there are other third parties that can help, uh, in, in you building and operating your cyber resilience plan.
Obviously the cyber insurer, and that's the top of the list because you have so many resources and it, and they're, they have a stake in the game to make sure that you are as resilient as possible, and that the, your actual cost to responding to an outage, uh, to an incident, it's as low as possible because it's their money.
Um, there are also services called managed services, managed security service provider, uh, and then companies like ours, managed service provider, and then also cybersecurity consultants that are people that can help you to build parts of the plan that are essential.
I, I put together this sample, uh, responsibility matrix, just to give you an idea of how it's really not just an IT problem here.
So these are the against, uh, on along the bottom, those are the four.
Um, those are the four, uh, pillars of creating the plan or, or the four pillars of the plan.
You can see the very first one in prepare, pillar number one is identifying the assets that you want to protect the most.
And I think I have an example here.
I may have an example of what those assets are, may be coming up next, but it really, that should be the CFO or CRO, which is a chief risk officer, often with independent schools, that is one person.
So that person really owns the identification of the IT assets that had to be protected.
And that's not like servers and devices, it's actually like, where's the student data, the health data, employee records, finance records, payroll records.
It's really identifying all of the information that has to be protected so that, uh, when you're building a plan and creating access, matrices, matrices for that, for that information, it's done under the auspices of the people that bear the risk.
And that is the CFO or Chief Risk Officer.
So, I'm not gonna read through this, but you can see that in this responsibility matrix, there are people that can, that own it, and there are people that can help.
Um, you may see that in the, in the respond, uh, pillar that the CFO and CRO is really responsible for, for building the response part of the plan.
But you are not likely to hear from them in the communication.
Typically, that's done by the, by, um, either the head of school or, uh, or the school's chief communications, uh, director.
Um, but, uh, all always, uh, when there's a response, uh, it's done with a tight integration with your counsel, with a count, with a separate, uh, legal team that's provided by the cyber insurer and maybe even with law enforcement.
So, uh, there's a lot to the, to the word legal there in the input.
Okay, I'm gonna move on here.
So I'll talk a little bit about what, uh, I'll just, I'll stop in a few minutes for questions.
But, uh, I'll talk a little bit about, uh, what cyber risks are.
And, um, I, I, again, want to enforce that.
Uh, it's, it's, the onus is on you, the CXOs or the, the, the leaders of schools to understand what that, what your risk is at any one moment.
You're not doing the calculations, you're getting those calculations from whoever is executing the framework, and that's typically IT.
But risk is usually the likelihood of attack by the impact of the attack.
So, um, each one of the factors that are measured by both the Atlas framework and the CIS framework, uh, have associated with the measurement, with the assessment, uh, a likelihood and an impact number.
The likelihood is simply, what's the probability that the threat is going to exploit something that is, that we're vulnerable to.
And then the impact is what's the outcome? What's the worst that's going to happen if that data is lost or compromised, uh, or made public.
So, um, while IT oversees, uh, the protection, like both of those factors, likelihood and impact, um, it, it, uh, it really is incumbent upon you to get updates on the status of that risk using some accepted framework.
And, uh, not IT speak. IT speak may tell you, um, oh, we've implemented this thing, we've, and we've, we have this antivirus, and now we've got this cool data backup system and all these great things.
That means nothing.
Uh, what's essential is that you get the number based on a very objective assessment framework like, you know, Atlas or CIS.
So you don't have to understand anything in that sentence I just gave you.
'Cause you shouldn't, you should really understand what are the results, what's the outcome here? And when you're working, when you understand the risk, all of the risks that are measured in these frameworks, remediate those that have the highest number first, fix the things that are gonna cause the, the, the most damage before you work on the lower yield.
Uh, another thing too that I often communicate to schools before there's an incident is it's you guys that own the risk.
You know, it's not IT. Uh, when there's an incident, IT may work on the remediation and there may be, uh, very difficult conversations with them, but ultimately it's your risk.
So don't let them take the risk for you without you understanding what you're accepting in terms of risk.
There's, um, I'm not gonna get into this.
There, there are more expanded, uh, risk formulas, and there's even one more expanded than this.
Uh, and the, and I think people that study risk for a living just really love these kinds of things.
They're not gonna be, these kind of quantitative risk calculations can be helpful, but really the essential thing to get out of any risk measurement is identify it, prioritize it, and remediate it as a regular practice that should always be going on.
Um, I think I've said this in many different ways, how to reduce cyber risk.
'cause you just, uh, reduce any one of its components, reduce the likelihood of the risk happening, reduce your vulnerability to the risk, and reduce the impact of the, of the event.
So then a few, um, a few final words in this last minute here, um, is that, uh, even though you lower risk, it doesn't make your school any more resilient.
Resilience is really about the continuity of services, the continuity of operations, the clarity of communications, uh, while the event occurs.
And in order to, to have those things, you have to understand those four pillars and build your plan according to those four pillars.
The second thing is, um, don't get hung up on or attracted to or distracted by specific remediative tools.
That's really not your job.
Your job is to use strategic planning and metrics to make sure that you always understand how well protected you are and your ability to, uh, be resilient in the face of an attack.
Uh, oh, I did tell you, I would give you this.
Uh, it's an example of the crown jewels.
What are the things, what are the, the assets that are most commonly looked at to protect? And these are kinds of things I'm not gonna read through them.
Uh, PII means personally identifiable information, um, as these are things that are very valuable when determining how much, uh, ransom will be asked if you do have a ransomware attack.
At the bottom here, my disclaimer, uh, this is just an example, it's an illustration, but each school will conduct its own, uh, assessment of systems and data to make sure that you understand which ones require special monitoring, special protection.
But by all means, whatever the data is, implement, you know, role-based access, multifactor authentication, um, and zero trust.
Alright, that's, uh, that's all I have here.
I'll, um, I'll leave this slide up and, uh, if you wanna get a little bit more information about us, uh, you can, you can scan that, uh, QR code.
But in the meantime, I'll be happy, uh, to take questions.
And I think, let me see here.
There was one earlier, Tom.
Oh, great.
Good to hear your voice.
Okay.
Um, there was a question from, I think it was your first slides about talking about the statistics from, um, cyber attacks.
And someone asked if those statistics also take into account a school's SaaS applications?
Uh, yes, they do.
Yeah.
And then SaaS applications are software as a service, like, uh, PowerPoint and, uh, and Blackbaud, uh, uh, not PowerPoint, oh my God.
Uh, PowerSchool, Blackbaud, uh, Raiser's Edge, uh, uh, uh, uh, health applications, et cetera.
I think I probably address that in subsequent slides.
And then kind of to follow up then, do you not recommend to use cloud solutions like PowerSchool or Blackbaud? Are they not able to keep data secure or recommendation for that?
Uh, it's a good question.
Um, and the answer is far better than anyone on this call can, you know, they have significantly greater resources and, uh, personnel in protecting data.
Um, I think that cyber attacks happen.
It's a fact of life.
Um, the, you know, this, this presentation is really targeted on becoming cyber resilient so that when it does happen, you can respond.
But, you know, my, uh, I think my, my thinking is yeah, if you can, if you can use a SaaS service, you know, like I mentioned before, instead of putting, you know, building solutions on campus, they're far more vigilant about protecting and monitoring access than you can ever be, even though obviously, you know, mistakes happen.
Uh, but I, I think I, no, we, you shouldn't, the takeaway should not be, don't use, don't use cloud providers and SaaS services.
Use 'em when you can.
Um, another one I saw was how long does it take to become cyber resilient? Should schools have a cybersecurity expert on staff?
Repeat that again.
Uh, how long does it take to become cyber resilient and should schools have a cybersecurity expert on staff?
Um, okay.
So implementing this plan realistically could take, you know, 12 to 24 months, uh, to build your own, uh, cyber resilience plan.
But it's really, once it's built, it's a practice to make sure that it's always viable and make sure that, you know, that the identified crown jewels are still the same set that, uh, the protection processes, that it is still asserting that those are the, that we're protecting the right things, that there's always taking the risk measurements.
So there's some ongoing work, but, you know, 12 to 24 months is a baseline.
And as far as having a cybersecurity expert on staff, I just think that for most independent schools, that's just unrealistic.
I, um, because they're very expensive.
Um, if they're good, they're gonna be very expensive.
And so figuring out a way, maybe a consultant would be a better, uh, a better approach, or contact your cyber insurer for their advice on, uh, on that responsibility matrix.
Let me pop that back up.
Like, um, this is kind of the thing to think about here, like the, none of these say, uh, on staff cybersecurity experts.
So I, I think the answer is probably not, but your, your cyber insurer is a good starting point for understanding that.
Awesome.
That's all the questions I've seen so far.
Okay.
I also, uh, I also wanna say that, uh, Kelsey responded that you don't actually have to be an Atlas member to have access to the, their list of cybersecurity recommendations.
That's great.
I, I think that you might to have access to the framework, their assessment Framework.
Yes.
Yeah, we have a few more in depth resources.
Okay.
Um, like the assessment, we have a cyber insurance guide.
We have, um, partnership with KnowBe4, um, things like that.
Oh, great.
Yeah.
Our member.
Um, but, but the cyber recommendations, which is a really great starting point.
Um, and our Atlas 360, which is more, um, it's more broad than just cyber.
It's kind of addressing your school, um, tech strategy as a whole.
Um, those are not member exclusive, so we can share the links and the recording with the, for those things.
But, um, everything That you just said, those are wonderful resources to have.
Yes.
Um, and that assessment is, uh, I mean, yeah, that assessment is top notch and it, yeah, that's great.
Assessment is something that was developed, I think, with CIS, NIST.
Mm-hmm.
So it's like it has significant, uh, amount of professional resources built into it.
And, uh, I would, I would use that as the starting point for framework, like, don't bother with CIS, don't bother with NIST if you've not been through the Atlas, which is like really practically, uh, created for independent schools.
So, big plug there.
Thanks for the shout out.
We should hire you as our marketing.
Actually, uh, I also wanna tell you that I'm in Portland and, uh, it's cold today.
And so I'm, this is the first time I had my, my grandpa flannel, and it feels good.
Nice.
Thanks to everybody for participating.
Uh, if you have any other questions, uh, reach out to anyone.
Uh, that was you, you know, you had the link there for, for our, for Knowing Technologies.
The Atlas Links are just fantastic.
I use those as well.
So let us know how we can help.
Tom, thank you so much, Maureen.
Thanks for your support.
We really value our partnership with Knowing Technologies and are so grateful for all of this knowledge, um, incredible resources that you shared with us, and look forward to getting this recording out to the community as well.
For anyone who missed it, do it.
Takeaways
- Cyber Resilience Mindset: Cyber resilience is distinct from cybersecurity; it's about building security, continuity, and adaptability so the school can survive and thrive despite an inevitable cyberattack, not just preventing one.
- Leadership Risk Ownership: Strategic cyber risk is owned by school leaders (CFO, CRO, Heads of School), who must own the risk, mandate strategic planning, and hold the technology department accountable for lowering the risk.
- The Four Pillars: Prepare (ID assets, assess, build awareness, plan recovery), Withstand (redundancy, zero-trust, up-to-date defenses), Respond (incident plan, containment), and Recover (restore data, post-incident review).
- Prioritize Critical Assets: A key step in preparing is identifying and protecting the school's "crown jewels"—the most valuable and sensitive assets such as student PII, health records, family records, and operational systems.
- Communication is Key: During a cyber incident, decisive, complete, and timely communication with all stakeholders (families, staff, media) is critical to maintaining trust and protecting the school's reputation.