We ran a realistic incident-response tabletop exercise with school leadership, IT, and legal in the same room. We walked through a live ransomware scenario step by step, including decision points around shutting down systems, communicating with parents, and coordinating with law enforcement. The biggest improvement came from clarifying who had authority to act and eliminating delays caused by uncertainty. We also adjusted MFA enforcement for administrative and SIS access after the drill, tightening it where it mattered most without disrupting classroom workflows. The result was faster response time, clearer accountability, and far less operational confusion—outcomes you don't get from compliance checklists alone.
Principal & Senior IT Architect at GO Technology Group Managed IT Services
Answered a month ago
One cybersecurity practice that genuinely reduced risk for the schools we support this year was refining how MFA is managed for SIS access, treating it as an ongoing operational control rather than a one-time deployment. As Principal and Senior IT Architect at GO Technology Group, a managed service provider supporting schools in the Chicago area, I've seen how identity controls can quietly fail if user behavior isn't addressed. While MFA was technically enabled, staff approval habits and notification fatigue still created exposure. To close that gap, we paired a brief tabletop discussion with targeted MFA adjustments, walking administrators through realistic phishing scenarios tied directly to SIS credentials. Those conversations surfaced confusion around unexpected MFA prompts and escalation steps. As a result, we refined conditional access policies, reinforced training on what legitimate MFA behavior looks like, and monitored approval patterns more closely. Within months, multiple unauthorized login attempts were blocked without disrupting instruction. In parallel, we verified SIS backups for actual recovery (not just documentation) confirming restore points and timelines. What made the difference was aligning people, process, and technology so cybersecurity became operationally effective, not just compliant.
One practice that significantly reduced risk was refining the rollout of multi-factor authentication for staff and administrators. Rather than enabling MFA across the board and hoping for adoption, we worked with the school to implement risk-based MFA. Privileged accounts, remote access, and SIS administration were prioritised, with clear guidance on why those roles posed a higher risk. The small but critical tweak was pairing the rollout with short, scenario-based training and a temporary support window during login hours. This reduced workarounds, improved acceptance, and ensured MFA was used properly rather than bypassed. Within weeks, failed login attempts dropped sharply, and there was clear evidence of reduced exposure to credential-based attacks. The key lesson is that security controls only reduce risk when they're usable. Focus on how a control is implemented and supported, not just whether it exists, and you move from compliance to meaningful protection.
Implementation of "Hardened MFA" for Administrative Access. This year, we moved a school district beyond basic MFA (SMS-based) to Hardened MFA using physical security keys (like YubiKeys) for all administrative accounts with access to the Student Information System (SIS). The Result: While basic MFA protects against simple credential stuffing, it remains vulnerable to sophisticated phishing and "MFA fatigue" attacks. By requiring a physical token for high-level access, we effectively "air-gapped" the credentials from remote phishing attempts. This didn't just check a compliance box; it eliminated the primary entry point for ransomware: the compromised admin account. Actionable Step: For schools with limited budgets, we recommend starting with a "Tabletop Drill" focused specifically on a Ransomware-encrypted SIS. This reveals exactly who has access and where basic passwords are still the only line of defense, creating a clear roadmap for where to deploy physical security keys first. Vijay Tiwari is the Founder & CEO of ViTi Security (https://vitisecurity.com), a cybersecurity firm specializing in hardened IT infrastructure and secure network communications.
Hello, Wouldn't it be great if there were a magic trick to reduce all risks at all times? Unfortunately, real risk reduction usually comes from doing a few key things very well in these five main areas of cybersecurity.
1. Lightweight governance: Maintain an up-to-date list showing each digital service, its biggest risks, and any active exceptions. Use simple change control to ensure everyone follows the rules. If you're making a major change, you need to indicate how it affects risk, who is in charge, when exceptions expire and how you will reverse it if things go wrong. This keeps service changes fluid and security under control as things change.
2. Prevention: Start with the basics. Fix important vulnerabilities, strengthen identity, eliminate old login methods, give people only the access they need and prevent unmanaged devices from accessing sensitive information. Also, perform a few small "attacks" to test the system: a controlled phishing test, a simulated password attack, a check for exposed admin areas or overly open shared files. The trick is to do it regularly to catch any oversights.
3. Detection: Generate and manage only important alerts by yourself or use a managed detection and response (MDR) service if you have the budget. Network detection and response (NDR) can be a bit noisy, but if used carefully in some critical parts of the network, it can be very useful in certain situations. Deception technology, when used correctly, is inexpensive and works incredibly well. We have found that it is better to receive reliable alerts than to have perfect dashboards.
4. Response: Playbooks are absolutely necessary and should be as automated as possible. Even without a full security orchestration, automation, and response (SOAR) system, a few Python scripts that can disable accounts, terminate sessions, isolate devices, collect important logs or open support tickets can significantly reduce the time it takes to resolve an issue.
5. Recovery: Ensure you have backups that cannot be modified and are completely separate from your main network. Test these backups to ensure they work. Be realistic about how much data you can afford to lose (RPO) and how quickly you can restore operations (RTO). You can't restore from tape in five minutes, nor can you promise data recovery in 60 seconds if your configuration doesn't support it.
The main idea here is to keep things simple, repeatable and directly tied to real risks. Regards, J.
The most powerful of these by far was moving from a blanket MFA policy to an adaptive one. When we ask for a prompt on every single login, we wear our users out, and they start working around it in ways that aren't always good. As IBM puts it, adaptive MFA checks for risk signals like location and device type to determine the proper level of authentication. The change we made was to tie the MFA prompt to something like a change in device, moving from a different IP address or an unusual login time -- for instance, a user logging in with their work laptop at 10 a.m. has early-morning meetings ahead and should go right through log-in. The same user working late trying to log in from an unknown device at 3 a.m. is a different story and deserves an immediate challenge. Rather than a checkbox, this made our authentication system an active threat-detection mechanism. That reduced the user friction that slows down adoption, and even made our security alerts much more meaningful because they were tied to true anomalies.
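The adaptive-MFA decision the answer above describes, written out as an added example (not the poster's own system): a per-user baseline of known devices, networks and working hours is compared against a login, and any deviation steps the login up to an MFA challenge while naming the signals that fired so the resulting alert is explainable. The user name, device ids, IP ranges and hours are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set


@dataclass
class Baseline:
    """What 'normal' looks like for one user, learned from prior good logins (constructed here)."""
    known_devices: Set[str]
    known_networks: List[object]   # ip_network objects the user usually connects from
    usual_hours: range             # local hours in which a login is routine


@dataclass
class LoginEvent:
    user: str
    device_id: str
    source_ip: str
    when: datetime


# Constructed sample baseline; 203.0.113.0/24 is a documentation range, not a real site.
BASELINES: Dict[str, Baseline] = {
    "teacher1": Baseline(
        known_devices={"work-laptop-A1"},
        known_networks=[ip_network("203.0.113.0/24")],
        usual_hours=range(7, 19),
    ),
}


def risk_signals(ev: LoginEvent) -> List[str]:
    """Name each risk signal present in the login: new device, new network, unusual hour."""
    base = BASELINES.get(ev.user)
    if base is None:
        return ["unknown_user"]          # no baseline yet: treat as anomalous
    signals = []
    if ev.device_id not in base.known_devices:
        signals.append("new_device")
    if not any(ip_address(ev.source_ip) in net for net in base.known_networks):
        signals.append("new_network")
    if ev.when.hour not in base.usual_hours:
        signals.append("unusual_time")
    return signals


def assess(ev: LoginEvent) -> Dict[str, object]:
    """Allow a baseline-matching login; require an MFA challenge on any anomaly.
    The signals are returned so the alert says *why* the challenge fired."""
    signals = risk_signals(ev)
    return {"action": "allow" if not signals else "challenge", "signals": signals}


# Constructed sample events mirroring the two cases in the post above.
NORMAL_LOGIN = LoginEvent("teacher1", "work-laptop-A1", "203.0.113.40", datetime(2024, 3, 4, 10, 0))
SUSPICIOUS_LOGIN = LoginEvent("teacher1", "unknown-phone", "198.51.100.7", datetime(2024, 3, 4, 3, 0))
```

A login that matches the baseline passes straight through; the 3 a.m. login from an unknown device and network is challenged and the three signals travel with the alert.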