Higher education has been at the forefront of implementing robust cybersecurity practices, while K-12 schools traditionally have been a few steps behind. Historically, a lack of resources and funding has kept cybersecurity low on their list of priorities. However, the dramatic rise in ransomware attacks coupled with the rush to virtual learning in the past year has caused many schools to rethink their security strategy.
With 21 years of experience across higher education and K-12, Aaron Thalman, a security engineer at IDEA Public Schools, saw a need to build a strong cybersecurity discipline in K-12. Thalman joined IDEA Public Schools understanding the complexity and long-term implications of housing and maintaining sensitive student information. He set out to build a cybersecurity program that would secure the data of IDEA’s students and staff and serve as a framework for other K-12 schools in Texas and beyond. Thalman started at the leadership level to educate the organization on the importance of finding a security solution that was both comprehensive in nature and easy for staff to use.
Choosing a Solution
During Thalman’s time in higher education, he became familiar with Duo as a solution for verifying users through multi-factor authentication (MFA). It was clear that Duo’s focus on data protection, quick and simple deployment, and ease of use for all staff would make it the perfect security solution for IDEA.
School districts are responsible for a vast amount of data, including sensitive information around teacher performance, payroll information, healthcare, curriculum, parents and families, and of course, students. According to FERPA (Family Educational Rights and Privacy Act), schools must protect student information including academic performance, test scores, psychological tests, teacher observations, and disciplinary history. That can mean a lot of data in states like Texas where some records need to be kept permanently. However, as schools have moved more of their systems online, it has increased their risk and led to a rise in ransomware and data breaches in 2020.
Armed with this knowledge, IDEA took the proactive step to protect student and staff data with Duo.
Localized Training and Support
With Duo, Thalman can manage applications centrally while also enabling regional IT administrators to manage users locally. Using Duo’s administrative units feature, each regional IT office is able to manage its select group of users. This provides local control and lower risk by only allowing admins access to their unique group of users.
Customizing Duo’s training resources for his team, Thalman prepared them to answer questions and provide support to their staff and users. It was important to get everyone on the IT team on the same page, and armed with relevant resources, to make the deployment smooth for the end users.
In addition to providing support and training, Thalman also led an internal communication campaign that gave IDEA employees adequate time to prepare for the Duo implementation. IDEA used Duo training videos and customized Duo’s FAQ guides to ensure there would be no surprises. This helped employees not only understand the importance of MFA, but also ensured that they would follow the new security measures. He found it helped to explain the need for security in terms of personal risks such as paycheck theft or student data loss. And it worked! Over 90% of staff was up and running in a matter of months.
Ease of Use
IDEA faculty members were able to download the Duo mobile app, self-enroll to sign up for MFA and quickly link their accounts. From there, all they had to do was start using the app. Even Thalman, who was an advocate for Duo, was surprised at how easy the process was, stating, “It was the smoothest technology rollout that touched all individual users.”
Many IDEA employees were initially skeptical about the introduction of a new security measure, and whether it would disrupt their ability to work or teach. However, by overcommunicating the new changes, and making sure that all staff members were fully trained on how to use Duo, IDEA was able to get all stakeholders on board.
Since IDEA has deployed Duo, the organization has seen a positive impact on its overall security position. Thalman said, “ Before Duo, we had hundreds, if not thousands of attempts to compromise user accounts almost daily. Since implementing Duo, we don’t see it as much. Not only is Duo a second line of defense but it also scares the attackers off.”
With a strong foundation in place, Thalman plans to incorporate more of Duo’s features to secure devices and application access. “We have always understood the importance of securing sensitive student data and meeting FERPA requirements. With Duo, we have been able to show our staff that security is a shared responsibility and there are easy steps they can take to help.”