We ran a realistic incident-response tabletop exercise with school leadership, IT, and legal in the same room. We walked through a live ransomware scenario step by step, including decision points around shutting down systems, communicating with parents, and coordinating with law enforcement. The biggest improvement came from clarifying who had authority to act and eliminating delays caused by uncertainty. We also adjusted MFA enforcement for administrative and SIS access after the drill, tightening it where it mattered most without disrupting classroom workflows. The result was faster response time, clearer accountability, and far less operational confusion—outcomes you don't get from compliance checklists alone.
Principal & Senior IT Architect at GO Technology Group Managed IT Services
Answered 2 months ago
One cybersecurity practice that genuinely reduced risk for the schools we support this year was refining how MFA is managed for SIS access, treating it as an ongoing operational control rather than a one-time deployment. As Principal and Senior IT Architect at GO Technology Group, a managed service provider supporting schools in the Chicago area, I've seen how identity controls can quietly fail if user behavior isn't addressed. While MFA was technically enabled, staff approval habits and notification fatigue still created exposure. To close that gap, we paired a brief tabletop discussion with targeted MFA adjustments, walking administrators through realistic phishing scenarios tied directly to SIS credentials. Those conversations surfaced confusion around unexpected MFA prompts and escalation steps. As a result, we refined conditional access policies, reinforced training on what legitimate MFA behavior looks like, and monitored approval patterns more closely. Within months, multiple unauthorized login attempts were blocked without disrupting instruction. In parallel, we verified SIS backups for actual recovery (not just documentation) confirming restore points and timelines. What made the difference was aligning people, process, and technology so cybersecurity became operationally effective, not just compliant.
One practice that significantly reduced risk was refining the rollout of multi-factor authentication for staff and administrators. Rather than enabling MFA across the board and hoping for adoption, we worked with the school to implement risk-based MFA. Privileged accounts, remote access, and SIS administration were prioritised, with clear guidance on why those roles posed a higher risk. The small but critical tweak was pairing the rollout with short, scenario-based training and a temporary support window during login hours. This reduced workarounds, improved acceptance, and ensured MFA was used properly rather than bypassed. Within weeks, failed login attempts dropped sharply, and there was clear evidence of reduced exposure to credential-based attacks. The key lesson is that security controls only reduce risk when they're usable. Focus on how a control is implemented and supported, not just whether it exists, and you move from compliance to meaningful protection.
Implementation of "Hardened MFA" for Administrative Access. This year, we moved a school district beyond basic MFA (SMS-based) to Hardened MFA using physical security keys (like YubiKeys) for all administrative accounts with access to the Student Information System (SIS). The Result: While basic MFA protects against simple credential stuffing, it remains vulnerable to sophisticated phishing and "MFA fatigue" attacks. By requiring a physical token for high-level access, we effectively "air-gapped" the credentials from remote phishing attempts. This didn't just check a compliance box; it eliminated the primary entry point for ransomware: the compromised admin account. Actionable Step: For schools with limited budgets, we recommend starting with a "Tabletop Drill" focused specifically on a Ransomware-encrypted SIS. This reveals exactly who has access and where basic passwords are still the only line of defense, creating a clear roadmap for where to deploy physical security keys first. Vijay Tiwari is the Founder & CEO of ViTi Security (https://vitisecurity.com), a cybersecurity firm specializing in hardened IT infrastructure and secure network communications.
Hello. Wouldn't it be great if there were a magic trick to reduce all risks at all times? Unfortunately, real risk reduction usually comes from doing a few key things very well in these five main areas of cybersecurity.
1. Lightweight governance: Maintain an up-to-date list showing each digital service, its biggest risks, and any active exceptions. Use simple change control to ensure everyone follows the rules. If you're making a major change, you need to indicate how it affects risk, who is in charge, when exceptions expire and how you will reverse it if things go wrong. This keeps service changes fluid and security under control as things change.
2. Prevention: Start with the basics. Fix important vulnerabilities, strengthen identity, eliminate old login methods, give people only the access they need and prevent unmanaged devices from accessing sensitive information. Also, perform a few small "attacks" to test the system. A controlled phishing test, a simulated password attack, a check for exposed admin areas or overly open shared files. The trick is to do it regularly to catch any oversights.
3. Detection: Generate and manage only important alerts by yourself or use a managed detection and response (MDR) service if you have the budget. Network detection and response (NDR) can be a bit noisy, but if used carefully in some critical parts of the network, it can be very useful in certain situations. Deception technology, when used correctly, is inexpensive and works incredibly well. We have found that it is better to receive reliable alerts than to have perfect dashboards.
4. Response: Playbooks are absolutely necessary and should be as automated as possible. Even without a full security orchestration, automation, and response (SOAR) system, a few Python scripts that can disable accounts, terminate sessions, isolate devices, collect important logs or open support tickets can significantly reduce the time it takes to resolve an issue.
5. Recovery: Ensure you have backups that cannot be modified and are completely separate from your main network. Test these backups to ensure they work. Be realistic about how much data you can afford to lose (RPO) and how quickly you can restore operations (RTO). You can't restore from tape in five minutes, nor can you promise data recovery in 60 seconds if your configuration doesn't support it.
The main idea here is to keep things simple, repeatable and directly tied to real risks.
Regards, J.
The most powerful of these by far was moving from a blanket MFA policy to an adaptive one. When we ask for a prompt on every single login, we wear our users out, and they start working around it in ways that aren't always good. As IBM puts it, adaptive MFA checks for risk signals like location and device type to determine the proper level of authentication. The change we made was to tie the MFA prompt to something like a change in device, moving from a different IP address or an unusual login time. For instance, a user logging in with their work laptop at 10 a.m. has early-morning meetings ahead and should go right through login. The same user working late trying to log in from an unknown device at 3 a.m. is a different story and deserves an immediate challenge. Rather than a checkbox, this made our authentication system an active threat-detection mechanism. That reduced the user friction that slows down adoption, and even made our security alerts much more meaningful because they were tied to true anomalies.
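The adaptive policy described above, as an added example that is not the author's code or any vendor's product: the three signals the answer names (device change, different network, unusual hour) are counted, and the count decides how strong a challenge to demand. The three-tier outcome (allow, standard prompt, phishing-resistant factor), the /24 coarsening of IP addresses, the 7-19 work-hours window and all sample values are assumptions constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"            # no risk signals: let the login through
    PROMPT = "prompt"          # one signal: standard MFA prompt
    STRONG = "strong_factor"   # two or more signals: phishing-resistant factor only (assumed tier)

@dataclass
class UserProfile:
    """Baseline built from a user's prior verified logins (constructed sample data)."""
    known_devices: set
    known_networks: set          # /24 prefixes of networks the user has logged in from
    work_hours: tuple = (7, 19)  # local hours during which logins are considered normal

@dataclass
class LoginAttempt:
    device_id: str
    ip: str
    when: datetime

def network_prefix(ip: str) -> str:
    """Coarsen an IPv4 address to its /24 so a DHCP lease change is not a 'new IP'."""
    return ".".join(ip.split(".")[:3])

def risk_signals(profile: UserProfile, attempt: LoginAttempt) -> list:
    """Return the anomaly signals the answer names: device, network and time of day."""
    signals = []
    if attempt.device_id not in profile.known_devices:
        signals.append("new_device")
    if network_prefix(attempt.ip) not in profile.known_networks:
        signals.append("new_network")
    start, end = profile.work_hours
    if not start <= attempt.when.hour < end:
        signals.append("off_hours")
    return signals

def evaluate(profile: UserProfile, attempt: LoginAttempt) -> Decision:
    """Map the number of independent signals to the strength of challenge required."""
    count = len(risk_signals(profile, attempt))
    if count == 0:
        return Decision.ALLOW
    return Decision.PROMPT if count == 1 else Decision.STRONG

def record_success(profile: UserProfile, attempt: LoginAttempt) -> None:
    """Only after the challenge is passed does the device and network become trusted."""
    profile.known_devices.add(attempt.device_id)
    profile.known_networks.add(network_prefix(attempt.ip))
```

Because `record_success` runs only after a passed challenge, an attacker who fails the prompt never teaches the baseline to trust their device; the returned `risk_signals` list is also what makes the resulting alerts readable, since each entry names the anomaly that triggered it.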
What actually reduced risk was changing how MFA was rolled out, not just enabling it everywhere. Instead of a blanket launch, districts phased it in, starting with admin, SIS, and finance accounts. Before turning it on, they ran a short tabletop exercise showing how those accounts are typically compromised through phishing. That order mattered. People understood why MFA existed before being required to use it. One small tweak made adoption stick. For the first 30 days, a temporary backup login option was allowed, then removed. Lockouts dropped, usage stabilized, and risky workarounds disappeared. Protecting the highest-impact accounts first reduced exposure quickly. Compliance would have been met either way. This approach actually changed outcomes.
The practice that actually reduced risk was running a 15-minute, role-specific ransomware tabletop tied to our SIS and then immediately fixing the one failure it exposed. During the drill, staff couldn't say who had authority to shut down SIS access or how to restore attendance data the next morning. We documented a single decision owner, rehearsed the exact shutdown call, and moved SIS backups to hourly immutable snapshots with a quarterly restore test. That change mattered because it turned an abstract incident response plan into a rehearsed muscle memory and a verified recovery path, not just a compliance document.
Albert Richer, Founder, WhatAreTheBest.com
One cybersecurity practice that actually reduced risk for a school this year was changing how tabletop drills were run. Instead of theoretical scenarios, we walked staff through a live simulation using real systems and realistic timelines. A key step was forcing decisions with incomplete information. That exposed gaps fast. We also adjusted MFA rollout by staggering enforcement and pairing it with short training videos. Finally, we tested SIS backups by restoring to a clean environment, not just verifying they existed. These changes improved response speed and confidence. The difference came from realism, not paperwork.