Friday Institute Plays Key Role in NC’s K-12 Cybersecurity Program

With more than 2,500 technology resources per school district in North Carolina, third-party educational technology vendors are one of the biggest threats to cybersecurity in K-12 public schools in the state, says Vanessa Wrenn, chief information officer at the North Carolina Department of Public Instruction (NCDPI). The other is human error. 

With this high level of risk to students and educators, NCDPI established the K-12 Cybersecurity Program to provide a full K-12 cybersecurity support system for North Carolina public schools at no cost. The Friday Institute for Educational Innovation is a key partner in this program. On Feb. 21, 2024, the Friday Institute, in partnership with NCDPI and the Cybersecurity and Infrastructure Security Agency (CISA), hosted more than 75 technology and business team members from 14 public school districts throughout North Carolina for a tabletop exercise to prepare participants for future cyber incidents in their schools. 

“The tabletop exercise builds muscle memory for all of our technical supports in our schools to know exactly what to enact and what to do first by the steps in the event that they have a cybersecurity incident,” said Wrenn. “Having the space to practice, being led by experts in the field, will get them stronger in how they can prepare all their cybersecurity materials in their school district.”

The Friday Institute’s role in the K-12 Cybersecurity Program is to create, maintain and manage tools that inform and automate cybersecurity functions for North Carolina public schools, provide strategy and expertise, and train and disseminate information to help schools connect to the internet efficiently and securely. The Friday Institute is involved in eight distinct work streams for the program that collectively create and support a robust defense against cyber risks, including overall program management engagement and support, cybersecurity awareness and skills training, vulnerability management, asset discovery and identification, incident response, cybersecurity consulting, and identity and access management. Along with the other program services and resources, the Friday Institute plays an instrumental part in the protection, detection and responses for K-12 institutions across North Carolina.

“Our goal for the K-12 Cybersecurity Program is for all PSUs (public school units) to have essential cyber hygiene,” said Samuel Carter, systems architect at the Friday Institute. “That is, PSUs all have or are doing the basic functions to be cyber safe. By doing and having these essential protections in place, we can head off the vast majority of attacks. Our efforts are focused on preventing cyber attacks to minimize the impact on teaching and learning in schools.”

The tabletop exercise was one of the many trainings that the Friday Institute facilitates as part of the NC K-12 Cybersecurity Program. They are hosting a set of PSU Incidence Response Support Sessions and monthly cybersecurity webinars.

“We could not do what we do to support our schools without our partnership with the Friday Institute,” said Wrenn. “The Friday Institute provides us subject matter experts, they keep us aware of developing trends and they let us know what to watch out for. We also have help with their monitoring systems, so it gives us an extra set of eyes. The partnership with the Friday Institute has been probably one of the most critical pieces to our overall success.”

The tabletop exercise was led by CISA staff and was designed to provide a unique opportunity for participants to engage in realistic scenarios that simulate cybersecurity incidents. It allowed staff to examine their public school unit’s (PSU) cyber resilience and their ability to respond to and recover from a significant cyber incident. Additionally, staff could review their existing incident response plans for any gaps or opportunities for improvement. Participants included staff from IT, safety, business operations, financial and executive leadership in North Carolina public schools.

“The main takeaway was knowing that PSUs have access to a lot of information out there,” said Paul Mijumbi, director of IT operations for Durham Public Schools. “It can assist us before, during and after an event.” 

North Carolina schools do not have resources for cybersecurity professionals or the budget to purchase cybersecurity protection tools. NCDPI offers full wraparound support for schools to maintain their digital infrastructure, including cybersecurity awareness training, web security services, managed firewall services, managed endpoint protection, asset discovery and identification, vulnerability management, identity and access management, and network engineering. They have a two-prong approach to cybersecurity that, according to Wrenn, sets North Carolina apart from other states. They provide the resources that are needed as well as the experts who will come into the field to help schools for free.

Cybersecurity training for educators is a priority for NCDPI. According to the Friday Institute, over the last three years, 200,000 educators have completed over a half million cybersecurity training modules and have received 1.9 million phishing simulation emails. Wrenn says that the best resource for educators is the North Carolina Local Government Information Systems Association’s Cybersecurity Strike Team. This group provides IT support when needed during emergency events. They mobilize quickly and help schools at no cost.

“To my knowledge, there is no other state in the country that has a cybersecurity program that is comparable to what we’re doing in North Carolina,” said Carter. “We’ve been able to accomplish a lot of great things that other groups have not. That is primarily due to the combination of our subject matter experts, K-12 experience and genuine desire to support, protect and uplift every PSU in the state.”