This document discusses cybersecurity issues for public educators. It notes that cybersecurity is everyone's responsibility, not just IT, and that the threats can come from both malicious and unintentional sources. It encourages developing policies, training, and response plans to address prevention, protection, mitigation, response and recovery from cyber incidents. It highlights the importance of the human factor in security and privacy online. Activities are suggested to evaluate an organization's website, social media use, and individual online profiles for potential vulnerabilities. Best practices are outlined for managing social media accounts securely and maintaining control over all accounts related to an organization.

2. Cybersecurity
for Public
Educators

4. Cybersecurity is everyone’s problem
• Cybersecurity is NOT
just IT’s problem.
IT
Emergency Management
Law Enforcement
And everyone in your
organization

5. The threat
• Malicious vs unintentional
• Active attacks
• Data breaches
• Human error
• Cyber warfare

6. I never
thought it
could happen
to me!

9. Activity
https://haveibeenpwned.com/

12. Lifecycle

13. Prevention
• What have you done to
prepare?
• What policies are in place?
• What training is in place?
• How are the policies
enforced?
• THINGS YOU MUST HAVE
• Emergency Operations Plan
• Cybersecurity Policy
• Acceptable Use Policy

15. Protection

16. Mitigation
• What steps have you
taken?
• What steps can you take?
• Insurance
• Backups
• Redundancy
• Monitoring
• https://haveibeenpwned.com
• Early Reporting
• Training

17. Response
Do you have a
response plan?
Does everybody
know how to
recognize an
incident?
Does your staff
know what to do
if they suspect
an incident?
Who do you call
for help?

18. Recovery
What’s your recovery plan?
Beyond just the technology
Who do you call for help?

19. Sample Incident annex
https://1drv.ms/w/s!At2Gwcs7z-oh3Ubt7QNXAZ-HHeM2

20. References
• National Cyber Incident Response Plan, Department of Homeland Security,
2016
• Computer Security Incident Handling Guide (Revision 2) National Institute of
Standards and Technology, 2012
• Washington State Significant Cyber Incident Annex, Washington Military
Department – Emergency Management Division, 2015
• ISO/IEC 27032 – Information Technology – Security techniques – Guidelines for
cybersecurity, International Standards Organization, 2012

21. Annex Parts
Policies Sets
expectations
Situation/
Assumptions
Requires all
components to
be in place
Concept of
Operations
Will require
local discussion
Responsibilities
EM/IT/LE
Expect some
pushback

22. Major Cyber Incident
Checklist
• Action items
• Pre-Incident Phase
• Response Phase
• Recovery/Demob Phase

23. Common
Issues
Most entities lack a comprehensive
cybersecurity policy that vests
responsibility with every employee.
Those that have policies don’t enforce
them
A greater number of incidents occur than
are reported in any formal way
Lack of response plans leads to slow
recognition, response, recovery.
Lack of individual security leaves entire
organization at risk

24. Human Factor
Phishing, social
engineering
• Enabled by agency and
employee use of social
media and other things
Careless info
access/dissemination
• Public spaces
• Public wifi
• Unlocked computers
• Lack of caution

25. Security and
Privacy
• Keep personal information personal
• Never post anyone’s information
without their written consent
• Only post (with consent)
• Names
• Phone numbers
• E-mail addresses
• Remove immediately when
someone withdraws consent
• Never post
• Addresses
• Dates of birth

26. Activity
Find a buddy
Go online and pull up each of your
organization’s websites
Evaluate the website for privacy
issues
Be ready to report back on what is
good and what needs to be updated

27. Platforms
Facebook Twitter Instagram
YouTube LinkedIn Pinterest

28. Follow the
rules!
Rules might include
Content Contests Access rights
Type of
account/page
Don’t violate the rules!
Read the actual rules for the platform
before you sign your organization up

29. Social Media Privacy and Security
No photos posted without permission
No graphics used without permission That means memes too!
No personal information without permission
Even with permission, be VERY limited
Make sure the person giving permission understands the potential repercussions
Ensure employees and volunteers are not sharing organization things without permission
Ensure employees and volunteers are not sharing their own personal information

30. Activity
Alone or with a buddy
Search for yourself on the internet
See if there is anything that ties your name
to your organization
See if there is any personal information about
you that could be used to impersonate you.
Be ready to report back any surprises you
found

31. Social Media
Best Practices
• Create a record of every online account
your organization has
• Store it in an encrypted format
• Include login and password info for master
accounts
• Include who has access to the two-factor
authentication
• Ensure at least two people have access to it
Account information
Create more than one administrator
• Get everyone to use an encrypted password
manager
Don’t share admin credentials
Always use two-factor authentication

32. More Best Practices
• Keeps third parties from getting them and impersonating you
• Keep them non-published or dormant
Obtain accounts
even if you might
not use them
• Created by others or former employees
• May be helpful
• May be malicious
• You need control of all of them
Search for accounts
using your
organization’s name

33. Activity 3
• Find a buddy
• Go online and pull up each of your organization’s social media sites
• See if there are any other social media sites that might be about your
organization
• Make a list of all the sites you find
• Evaluate the official sites
• Be ready to report back on what is good and what needs to be
updated. Include any sites you need to gain control of and add any
sites you think your organization should add.

34. Other Examples
This Photo by Unknown Author is licensed under CC BY-NC-SA

35. QUESTIONS?
Contact me:
Sarah Miller, MPA, CEM
Zone 3 EM Coordinator
President, IAEM Region 10
Past Chair, IAEM Emerging Tech Caucus
sarah.miller@kingcounty.gov
twitter: @scba