1
00:00:00,000 --> 00:00:07,620
So I wanted to bring up in discussion today, it's Friday that we're doing a recording

2
00:00:07,620 --> 00:00:10,520
of our podcast, but it's also St. Patty's Day.

3
00:00:10,520 --> 00:00:14,680
And not that you guys have to be Irish to wear green, but and we can't do a show of

4
00:00:14,680 --> 00:00:19,600
hands, but I'm going to go around the virtual room and ask how many of you guys are wearing

5
00:00:19,600 --> 00:00:20,600
green.

6
00:00:20,600 --> 00:00:21,720
I'm going to go first.

7
00:00:21,720 --> 00:00:24,740
I actually have a green sweatshirt and green pants on.

8
00:00:24,740 --> 00:00:29,880
So I am full on going to be Irish today and say, let's go.

9
00:00:29,880 --> 00:00:31,240
Kelsey, what about you?

10
00:00:31,240 --> 00:00:33,760
I was really hoping you were going to do that with an Irish accent.

11
00:00:33,760 --> 00:00:35,840
So maybe next time, maybe next time.

12
00:00:35,840 --> 00:00:36,840
Yeah, totally.

13
00:00:36,840 --> 00:00:37,840
Right.

14
00:00:37,840 --> 00:00:40,560
So for anybody listening, can't see my socks, obviously, but I'm wearing two different

15
00:00:40,560 --> 00:00:44,080
pairs of Irish cat socks because I couldn't say pick a single pair.

16
00:00:44,080 --> 00:00:49,400
One of them says Toth of Meowning to you, which doesn't really work, but it's here.

17
00:00:49,400 --> 00:00:50,620
It's green.

18
00:00:50,620 --> 00:00:52,520
It's got orange cats.

19
00:00:52,520 --> 00:00:54,280
What about you, Matthew?

20
00:00:54,280 --> 00:00:58,760
I, as you guys know, it's very early in the morning for me and I did forget.

21
00:00:58,760 --> 00:01:02,680
So no, I'm not wearing green today.

22
00:01:02,680 --> 00:01:04,800
Not appropriately caffeinated is what I heard.

23
00:01:04,800 --> 00:01:07,080
Yeah, that's still happening.

24
00:01:07,080 --> 00:01:08,560
What about you, Todd?

25
00:01:08,560 --> 00:01:16,400
I am wearing a green polo and that's all I have, but slighty.

26
00:01:16,400 --> 00:01:17,400
And I am not.

27
00:01:17,400 --> 00:01:25,080
I've got a kid that had a dirty diaper that was in a rush to get out the door and I just

28
00:01:25,080 --> 00:01:29,480
took care of it and threw on all my clothes and without even a thought that St. Patty's

29
00:01:29,480 --> 00:01:30,480
Day was today.

30
00:01:30,480 --> 00:01:35,240
So I'm sure my family will give me crap later or try and pinch me or something.

31
00:01:35,240 --> 00:01:38,960
Don't you have like a little green swoop on your quarter zip?

32
00:01:38,960 --> 00:01:40,960
Probably not.

33
00:01:40,960 --> 00:01:41,960
Maybe.

34
00:01:41,960 --> 00:01:43,240
How about this?

35
00:01:43,240 --> 00:01:46,120
My forest green on my hiking shoes.

36
00:01:46,120 --> 00:01:48,760
We'll say that's green enough.

37
00:01:48,760 --> 00:01:49,760
It counts.

38
00:01:49,760 --> 00:01:50,760
It does.

39
00:01:50,760 --> 00:01:54,280
I guess I should have promised this that you didn't necessarily have to have on green to

40
00:01:54,280 --> 00:01:57,760
be part of the Cool Kids Club today, but that's all right.

41
00:01:57,760 --> 00:02:01,560
Maybe if you put some green drops into your coffee, then we can say we had green coffee

42
00:02:01,560 --> 00:02:03,240
even though it won't show up.

43
00:02:03,240 --> 00:02:06,880
But then we'll say we're drinking Irish coffee.

44
00:02:06,880 --> 00:02:08,840
It's not black coffee.

45
00:02:08,840 --> 00:02:10,640
It's just really, really dark.

46
00:02:10,640 --> 00:02:11,640
Yeah.

47
00:02:11,640 --> 00:02:14,640
All good.

48
00:02:14,640 --> 00:02:20,560
I will make sure to get that we get this subject at hand here because today our podcast is

49
00:02:20,560 --> 00:02:27,320
very real that we wanted to definitely educate our community in regards to protecting the

50
00:02:27,320 --> 00:02:30,920
education industry and best security practices.

51
00:02:30,920 --> 00:02:33,160
So as always, we're going to kick it off.

52
00:02:33,160 --> 00:02:35,840
This is our CIT Tech for Business podcast.

53
00:02:35,840 --> 00:02:42,680
And today I have Matthew, who is our governance risk and compliance analyst, along with Nate,

54
00:02:42,680 --> 00:02:49,360
who is our director of cybersecurity and virtual CISO, Todd, who is our chief operating officer

55
00:02:49,360 --> 00:02:50,600
and CISO.

56
00:02:50,600 --> 00:02:54,080
And then, of course, lovely Kelsey and Tara as part of the marketing team.

57
00:02:54,080 --> 00:02:56,760
But first of all, I'm going to kind of get us started.

58
00:02:56,760 --> 00:02:59,380
I want to just to talk about this, why it's important.

59
00:02:59,380 --> 00:03:05,040
We're here in the Twin Cities and we had a school district that had a ransomware attack.

60
00:03:05,040 --> 00:03:10,320
So I wanted just to bring this up in conversation and just kind of start some of the best practices.

61
00:03:10,320 --> 00:03:12,640
So let's get started about that.

62
00:03:12,640 --> 00:03:17,840
Who, Eeny, Meeny, Miny, Moe, who wants to take that of just briefly introducing why

63
00:03:17,840 --> 00:03:22,200
cybersecurity is really important in the education industry?

64
00:03:22,200 --> 00:03:25,440
I'll take it, I guess.

65
00:03:25,440 --> 00:03:27,640
All right, Nate, fire away.

66
00:03:27,640 --> 00:03:28,640
Yeah.

67
00:03:28,640 --> 00:03:35,400
So in the education industry, essentially one of the main things here is schools, and

68
00:03:35,400 --> 00:03:40,480
this is going to come back to some of the challenges as well, but schools typically

69
00:03:40,480 --> 00:03:45,000
really struggle with protecting networks, protecting data, and it's due to a lot of

70
00:03:45,000 --> 00:03:46,000
different challenges.

71
00:03:46,000 --> 00:03:52,640
It could be funding, administrative challenges, whatever it is.

72
00:03:52,640 --> 00:03:59,720
But the critical thing here is schools do have a lot of sensitive data, right?

73
00:03:59,720 --> 00:04:02,780
And there's a lot of components that you need to protect.

74
00:04:02,780 --> 00:04:10,280
So you're dealing with kids' health records, medical records, maybe you have an on-site

75
00:04:10,280 --> 00:04:14,320
nurse or anything like that, all the social security numbers.

76
00:04:14,320 --> 00:04:20,040
And protecting the data of minors is extremely important.

77
00:04:20,040 --> 00:04:26,760
And oftentimes, again, these are hosted either on-prem in some type of cloud solution that

78
00:04:26,760 --> 00:04:28,760
someone can have access to.

79
00:04:28,760 --> 00:04:34,760
So a lot of care needs to be taken to protect that.

80
00:04:34,760 --> 00:04:37,800
And then ransomware is just a recent one.

81
00:04:37,800 --> 00:04:40,240
We can cover a little bit of what that looked like.

82
00:04:40,240 --> 00:04:42,600
I'll probably let someone else talk on that if they want.

83
00:04:42,600 --> 00:04:51,160
But one component of that was data was exfiltrated or taken out of the network, and it does contain

84
00:04:51,160 --> 00:04:53,320
a lot of sensitive info along the way.

85
00:04:53,320 --> 00:04:58,560
So I don't know, Todd or Matthew, do you want to talk a little bit about the school district

86
00:04:58,560 --> 00:04:59,560
incident?

87
00:04:59,560 --> 00:05:00,560
Yes.

88
00:05:00,560 --> 00:05:05,280
Well, not this one, yes, but also a little bit more background.

89
00:05:05,280 --> 00:05:09,760
I mean, Nate covered a ton of ground there, and I just kind of wanted to reemphasize a

90
00:05:09,760 --> 00:05:12,640
few things is they did get attacked.

91
00:05:12,640 --> 00:05:16,600
One of the things that I wanted to say is it's a great example of nobody's safe, right?

92
00:05:16,600 --> 00:05:17,800
You may go out to school.

93
00:05:17,800 --> 00:05:19,640
How likely is that?

94
00:05:19,640 --> 00:05:25,440
According to the FBI, 57% of all attacks go against education institutes.

95
00:05:25,440 --> 00:05:30,600
So if you're curious if they're of interest, the answer was absolutely yes.

96
00:05:30,600 --> 00:05:34,420
And Nate covered a lot of reasons why that is.

97
00:05:34,420 --> 00:05:40,000
There's a lot of sensitive data that are within the walls or those institutions.

98
00:05:40,000 --> 00:05:46,920
But part two is Nate hit this too, is that they unfortunately tend to lack funding.

99
00:05:46,920 --> 00:05:50,360
And we can get into the whys of that in a few minutes.

100
00:05:50,360 --> 00:05:55,240
But the big pieces that I just wanted to highlight briefly is the maturity level of a lot of

101
00:05:55,240 --> 00:05:59,120
schools, unfortunately today, just isn't as where you would expect it to be.

102
00:05:59,120 --> 00:06:02,480
A lot of businesses are quite a bit ahead of where the schools are.

103
00:06:02,480 --> 00:06:05,480
Now, it's not all bad news, but we can touch on some of the good things that are going

104
00:06:05,480 --> 00:06:07,800
on with a lot of schools as well.

105
00:06:07,800 --> 00:06:11,880
But the biggest reason, in my opinion, is a lack of funding, which drives a lot of the

106
00:06:11,880 --> 00:06:14,480
other things that we're going to get into as well.

107
00:06:14,480 --> 00:06:22,840
Yeah, I'd say that I think there's a bit of a logical fallacy as well.

108
00:06:22,840 --> 00:06:28,140
I think breaking down now, but it followed the same things I used to see in small businesses

109
00:06:28,140 --> 00:06:32,120
of well, we're not a target.

110
00:06:32,120 --> 00:06:36,700
And so people would assume that they were safe because they weren't thought of as holding

111
00:06:36,700 --> 00:06:39,300
the type of data that was valuable.

112
00:06:39,300 --> 00:06:46,920
And I think that that's why we're seeing that uptick in more recent years towards education,

113
00:06:46,920 --> 00:06:50,200
towards the education field in general.

114
00:06:50,200 --> 00:06:55,020
It results in them being hit and potentially being hit harder because they aren't prepared

115
00:06:55,020 --> 00:06:56,680
for it at all.

116
00:06:56,680 --> 00:07:01,340
Yeah, maybe the one other thing I'd add to this before we start getting a little deeper

117
00:07:01,340 --> 00:07:04,800
is that this is nothing new.

118
00:07:04,800 --> 00:07:08,300
So attacks against the schools, this is a new trend.

119
00:07:08,300 --> 00:07:15,880
So if you even go take a look back in, I believe it was 2019, even the full state of Louisiana

120
00:07:15,880 --> 00:07:20,360
issued a state of emergency because a ton of their schools were getting hit with ransomware.

121
00:07:20,360 --> 00:07:25,400
And there's California and a couple of other places that issued state of emergencies.

122
00:07:25,400 --> 00:07:31,720
But again, that was what is that now four years ago, five years ago, somewhere around

123
00:07:31,720 --> 00:07:33,640
there, depending on when those came out.

124
00:07:33,640 --> 00:07:38,920
So we're only taking that one example of a recent one because it's so close to us to

125
00:07:38,920 --> 00:07:40,840
bring this back up.

126
00:07:40,840 --> 00:07:46,840
But yes, ransomware has been affecting school districts and not just ransomware.

127
00:07:46,840 --> 00:07:48,840
That's an easy one to pick on.

128
00:07:48,840 --> 00:07:53,520
Security threat actors have been focusing on schools for a long time.

129
00:07:53,520 --> 00:08:00,000
Yeah, I mean, again, this is probably a little bit of a rabbit hole that we don't necessarily

130
00:08:00,000 --> 00:08:01,000
need to go down.

131
00:08:01,000 --> 00:08:02,000
So I'll keep it brief.

132
00:08:02,000 --> 00:08:07,480
But I was just kind of thinking more about the comments about not having funding and

133
00:08:07,480 --> 00:08:08,480
whatnot.

134
00:08:08,480 --> 00:08:13,240
Obviously, the vast majority of funding for schools either comes from the federal government

135
00:08:13,240 --> 00:08:15,920
or it comes from referendums.

136
00:08:15,920 --> 00:08:20,320
And referendums tend to be my neighborhood is growing like crazy, we need another school

137
00:08:20,320 --> 00:08:22,920
or there's a technology upgrade.

138
00:08:22,920 --> 00:08:25,040
Is security a surprise?

139
00:08:25,040 --> 00:08:26,680
Security does become a priority.

140
00:08:26,680 --> 00:08:29,680
Unfortunately, it's all reactionary.

141
00:08:29,680 --> 00:08:32,320
I was kind of also going down the thought process.

142
00:08:32,320 --> 00:08:36,160
If you look at how if you're in the education industry, you're aware of what e-rate is,

143
00:08:36,160 --> 00:08:40,680
and it's an additional way of getting additional funds to help pay for some of the technology

144
00:08:40,680 --> 00:08:43,040
that the schools need.

145
00:08:43,040 --> 00:08:44,080
Even that is dated.

146
00:08:44,080 --> 00:08:48,080
If you look at it, that's all built around trying to build out infrastructure so you

147
00:08:48,080 --> 00:08:53,200
have enough internet connectivity to supply the schools with what they need, whether that's

148
00:08:53,200 --> 00:08:56,800
wireless access connectivity itself.

149
00:08:56,800 --> 00:08:58,880
When I say it's dated, it is still relevant, right?

150
00:08:58,880 --> 00:09:00,960
The schools need to keep up with it and so on.

151
00:09:00,960 --> 00:09:05,480
But it's interesting that that funding was put in years and years ago, and it really

152
00:09:05,480 --> 00:09:10,000
has not evolved along with the security threats that schools are facing.

153
00:09:10,000 --> 00:09:14,520
So I did want to talk a little bit about it.

154
00:09:14,520 --> 00:09:19,360
So we talked the budgeting with them maybe not necessarily having the funding, but let's

155
00:09:19,360 --> 00:09:21,880
say that there is funding available.

156
00:09:21,880 --> 00:09:24,320
What are some of those best practices that they can start with?

157
00:09:24,320 --> 00:09:27,760
I know we talk heavily about MFA.

158
00:09:27,760 --> 00:09:33,840
So obviously, I want you guys to talk about MFA, multi-factor authentication, key number

159
00:09:33,840 --> 00:09:36,600
one, basic level, but let's build upon that.

160
00:09:36,600 --> 00:09:41,080
So what else can they do to kind of help protect their environments?

161
00:09:41,080 --> 00:09:43,240
I'm going to take a real quick first pass at it.

162
00:09:43,240 --> 00:09:46,840
I mentioned at the intro that there is a lot of good news for schools.

163
00:09:46,840 --> 00:09:48,400
There is a lot of stuff in place.

164
00:09:48,400 --> 00:09:52,000
So I don't want it to seem like there is no hope and they aren't doing a lot of good things

165
00:09:52,000 --> 00:09:53,800
because they are.

166
00:09:53,800 --> 00:09:57,480
There's a lot of really things that have been put in place over the course of years, like

167
00:09:57,480 --> 00:10:01,400
physical security typically is very, very strong in schools.

168
00:10:01,400 --> 00:10:04,440
Now there are other things that would counter that statement, right?

169
00:10:04,440 --> 00:10:09,120
I mean, you see all kinds of issues with people being able to get into schools and all kinds

170
00:10:09,120 --> 00:10:12,160
of other threats that are outside of the cybersecurity world.

171
00:10:12,160 --> 00:10:16,960
Now typically, most schools have a very strong foundation for physical controls.

172
00:10:16,960 --> 00:10:18,440
The doors are locked.

173
00:10:18,440 --> 00:10:21,240
You get stuck in a man trap when you first enter the doors.

174
00:10:21,240 --> 00:10:22,240
You have to sign in.

175
00:10:22,240 --> 00:10:24,080
You have to validate who you are.

176
00:10:24,080 --> 00:10:26,300
You're typically escorted through the building, et cetera.

177
00:10:26,300 --> 00:10:29,480
So that is almost always incredibly well done.

178
00:10:29,480 --> 00:10:34,320
Again, they do have funding, so they're very good about doing their backups.

179
00:10:34,320 --> 00:10:37,880
They do have very good baseline policies in place.

180
00:10:37,880 --> 00:10:42,200
And then typically most schools, just like most organizations, have a very strong exterior

181
00:10:42,200 --> 00:10:43,200
posture.

182
00:10:43,200 --> 00:10:47,760
So when the outside looking in, you really don't see a lot of stuff going on with schools.

183
00:10:47,760 --> 00:10:49,400
You may see a web portal.

184
00:10:49,400 --> 00:10:52,300
You may see a VPN, but usually don't see a whole lot.

185
00:10:52,300 --> 00:10:56,520
So there are really good starting points for them, which is a good baseline and a good

186
00:10:56,520 --> 00:10:58,320
place to start.

187
00:10:58,320 --> 00:11:03,280
And I just want to acknowledge that most of that is in place for most organizations.

188
00:11:03,280 --> 00:11:07,240
One of the things that I'm going to start with, I agree with what you said with MFA

189
00:11:07,240 --> 00:11:08,920
and a bunch of other stuff, and we'll dig into that.

190
00:11:08,920 --> 00:11:13,560
But one of the places that I would typically start, and it's fairly low hanging fruit,

191
00:11:13,560 --> 00:11:18,000
fairly low effort, and this will be probably somewhat near and dear to Matthew's heart,

192
00:11:18,000 --> 00:11:20,680
is I'd start with your security policy.

193
00:11:20,680 --> 00:11:24,200
You need to state what you do and how you're going to do it.

194
00:11:24,200 --> 00:11:28,920
And that could be some really basic stuff like when the crap hits the fan, who do you

195
00:11:28,920 --> 00:11:30,200
call?

196
00:11:30,200 --> 00:11:33,160
Who is your main person and who is their backup?

197
00:11:33,160 --> 00:11:35,400
What is your password policy, et cetera?

198
00:11:35,400 --> 00:11:36,400
Those are some areas.

199
00:11:36,400 --> 00:11:38,440
Like I said, it's not a huge effort to do it.

200
00:11:38,440 --> 00:11:42,600
There's tons of templates available that you can get for free as a starting point.

201
00:11:42,600 --> 00:11:46,760
And if you have a baseline, then you can start to build your program around that.

202
00:11:46,760 --> 00:11:47,760
Yeah.

203
00:11:47,760 --> 00:11:54,000
The computer incident response plan, we have a podcast on that already.

204
00:11:54,000 --> 00:11:59,280
Great way to kind of know and have a path to follow if something like this were to happen.

205
00:11:59,280 --> 00:12:01,660
On top of that, you mentioned password policies.

206
00:12:01,660 --> 00:12:07,680
That ties in really well with MFA, with these types of things that you're building.

207
00:12:07,680 --> 00:12:11,900
The more documentation and the more policy you have around how process and how actions

208
00:12:11,900 --> 00:12:18,460
should be taken and what the posture is of the organization, that's what we call your

209
00:12:18,460 --> 00:12:20,160
maturity level.

210
00:12:20,160 --> 00:12:23,320
The more of it there is, the more in-depth it is.

211
00:12:23,320 --> 00:12:29,000
And those are the things that, in my opinion, catch the most stuff.

212
00:12:29,000 --> 00:12:32,520
Because if you have people who are aware of what's going on, aware of what they should

213
00:12:32,520 --> 00:12:38,600
and shouldn't do, then they're far less likely to accidentally click on something that could

214
00:12:38,600 --> 00:12:41,320
trigger an event like this.

215
00:12:41,320 --> 00:12:46,600
They're going to be aware that they need MFA and maybe an unexpected MFA token pop-up is

216
00:12:46,600 --> 00:12:50,560
going to be treated the way it should be.

217
00:12:50,560 --> 00:12:56,120
Obviously, I just kind of jumped into an MFA thing there.

218
00:12:56,120 --> 00:13:01,600
I'll let Nate dive into that a little more.

219
00:13:01,600 --> 00:13:07,600
The clearer you are with what the rules are, and this is obviously the education industry.

220
00:13:07,600 --> 00:13:09,560
They're right there.

221
00:13:09,560 --> 00:13:12,080
You've already got a lot of them written down.

222
00:13:12,080 --> 00:13:17,400
When it comes to this side of things, the clearer you are with what isn't expected,

223
00:13:17,400 --> 00:13:20,880
the better it's going to be for everyone.

224
00:13:20,880 --> 00:13:28,560
I'm going to probably go even higher level with my recommendations because Todd gave

225
00:13:28,560 --> 00:13:31,400
a great overview of a lot of different components there.

226
00:13:31,400 --> 00:13:33,820
He said that most schools have this.

227
00:13:33,820 --> 00:13:39,240
The way that I'm going to bring this even higher is say, no schools are similar or identical

228
00:13:39,240 --> 00:13:41,560
in what they have today.

229
00:13:41,560 --> 00:13:49,600
Oftentimes what we'll see is some schools have been able to influence greater cybersecurity

230
00:13:49,600 --> 00:13:50,600
budgets.

231
00:13:50,600 --> 00:13:52,120
They have great tools in place.

232
00:13:52,120 --> 00:14:00,080
Then we go into other schools that are years behind on their security, posture, and maturity.

233
00:14:00,080 --> 00:14:04,840
Same industry, very different approaches that need to be taken.

234
00:14:04,840 --> 00:14:11,320
I'm going to call out a link that we can link out later, but it's stopransomware.gov.

235
00:14:11,320 --> 00:14:14,840
It's right from CISA, which is a government agency.

236
00:14:14,840 --> 00:14:18,800
It's also a cisa.gov slash stopransomware.

237
00:14:18,800 --> 00:14:23,360
The reason why I bring that up is they have a ransomware readiness self-assessment tool

238
00:14:23,360 --> 00:14:25,680
that you can go through.

239
00:14:25,680 --> 00:14:32,560
The reason why I bring that up is identifying what you have today or what you don't have

240
00:14:32,560 --> 00:14:38,800
should be the first step before you go dig into implementing multi-factor or policy revisions

241
00:14:38,800 --> 00:14:39,800
or anything like that.

242
00:14:39,800 --> 00:14:42,960
It's what do you have today and what don't you have?

243
00:14:42,960 --> 00:14:48,600
Then you can start developing that plan, which ties everything back together.

244
00:14:48,600 --> 00:14:54,000
Some schools have great multi-factors, some have none.

245
00:14:54,000 --> 00:14:55,000
That's my recommendation.

246
00:14:55,000 --> 00:14:56,560
Yeah, I was going to state that too.

247
00:14:56,560 --> 00:15:00,640
I was going to circle back and go, I think starting with some sort of assessment, whether

248
00:15:00,640 --> 00:15:03,920
it's a self-assessment or you bring in some experts to help you with it, is a great way

249
00:15:03,920 --> 00:15:04,920
to start.

250
00:15:04,920 --> 00:15:09,640
If you don't know where you are, you don't know where you're going, right?

251
00:15:09,640 --> 00:15:14,040
One of the other things that Nate touched on in that overview is it also can help you

252
00:15:14,040 --> 00:15:17,480
with the influence if you bring in somebody.

253
00:15:17,480 --> 00:15:19,440
I'll just kind of tip my hand a little bit.

254
00:15:19,440 --> 00:15:21,880
CIT does this often with a lot of schools.

255
00:15:21,880 --> 00:15:26,720
Essentially what we're coming in and saying, this is what we see, here's what we're seeing

256
00:15:26,720 --> 00:15:32,480
other schools do, and we can start to help influence at that level and saying, here's

257
00:15:32,480 --> 00:15:36,840
where you're at, here's how you measure up to comparables, and then start to build out

258
00:15:36,840 --> 00:15:37,840
the plan.

259
00:15:37,840 --> 00:15:39,840
That helps with the budgeting mindset, right?

260
00:15:39,840 --> 00:15:42,200
That starts to build out the long-term plan.

261
00:15:42,200 --> 00:15:47,080
That can be doing things like policies, procedures, start looking at what tools are in place.

262
00:15:47,080 --> 00:15:50,920
So multi-factor authentication, absolutely critical for everybody.

263
00:15:50,920 --> 00:15:55,280
I don't care what industry you're in, it's absolutely critical.

264
00:15:55,280 --> 00:15:57,480
But again, schools may not have them in place.

265
00:15:57,480 --> 00:15:59,880
Maybe some of the legacy tools they have may not be in place.

266
00:15:59,880 --> 00:16:03,160
But you can start to map that out and saying, this tool needs it.

267
00:16:03,160 --> 00:16:06,600
When you're trying to access student information, you need to have X, Y, and Z.

268
00:16:06,600 --> 00:16:15,880
So I 100% agree that the assessment is incredibly important.

269
00:16:15,880 --> 00:16:20,000
This is a little bit of a little tangent that we probably should bring in a little bit later,

270
00:16:20,000 --> 00:16:25,120
but I'm going to bring it up just because I did mention the government.

271
00:16:25,120 --> 00:16:31,960
Something that's really, really powerful to our Wisconsin school districts, when you're

272
00:16:31,960 --> 00:16:34,840
talking about how do you start preparing for that, right?

273
00:16:34,840 --> 00:16:38,640
So Matthew was talking about the incident response plan and everything like that.

274
00:16:38,640 --> 00:16:43,440
The government in Wisconsin has a great cyber response team.

275
00:16:43,440 --> 00:16:46,700
So if you ever have a security incident, call them up.

276
00:16:46,700 --> 00:16:52,600
They will send the FBI and CISA and all that fun stuff there to help you along the way.

277
00:16:52,600 --> 00:16:57,020
So if you didn't know about that, Wisconsin, you're in a great position having the government

278
00:16:57,020 --> 00:16:58,400
help you out.

279
00:16:58,400 --> 00:17:03,240
Minnesota, while I love many, many things about Minnesota since I live here, that is

280
00:17:03,240 --> 00:17:06,480
one where I am envious of Wisconsin.

281
00:17:06,480 --> 00:17:13,420
Yeah, there's also been funding made available to Wisconsin schools that we've seen a lot

282
00:17:13,420 --> 00:17:17,440
of them take advantage of, whether that's starting with assessments or whatever.

283
00:17:17,440 --> 00:17:22,560
So diving in a little bit further, I know we started out the podcast going, what do

284
00:17:22,560 --> 00:17:23,560
you do about it, right?

285
00:17:23,560 --> 00:17:28,760
So major problem, ransomware, starting out figuring out where you're at.

286
00:17:28,760 --> 00:17:31,160
That's typically an assessment, then starting to build your plan.

287
00:17:31,160 --> 00:17:32,600
Plans include the policies.

288
00:17:32,600 --> 00:17:34,920
They include MFA like we talked about.

289
00:17:34,920 --> 00:17:40,320
Other things that we typically do as we start to get engaged with schools or even any industry,

290
00:17:40,320 --> 00:17:46,280
quite frankly, is we start to go through a process of defining what risk exists.

291
00:17:46,280 --> 00:17:49,120
You can say risk is ransomware.

292
00:17:49,120 --> 00:17:50,280
We know how much it costs.

293
00:17:50,280 --> 00:17:52,200
We know what it takes to start to mitigate it.

294
00:17:52,200 --> 00:17:55,680
Then we start to build out how you would start to tackle that.

295
00:17:55,680 --> 00:17:59,140
That framing up is typically on a handful of things.

296
00:17:59,140 --> 00:18:00,520
How big is the risk?

297
00:18:00,520 --> 00:18:05,920
What does it take to do it, whether that's man hours or woman hours, and cost and so

298
00:18:05,920 --> 00:18:06,920
forth.

299
00:18:06,920 --> 00:18:09,040
So you start to walk through that and go, what does that typically look like?

300
00:18:09,040 --> 00:18:13,680
Things that would definitely be on the radar, cybersecurity training and simulated phishing

301
00:18:13,680 --> 00:18:16,440
would be extremely high on my radar.

302
00:18:16,440 --> 00:18:17,640
It's not expensive.

303
00:18:17,640 --> 00:18:21,920
It's very easy to do, and it increases awareness almost immediately.

304
00:18:21,920 --> 00:18:33,200
Matthew, I don't know if you had anything there, but otherwise, I guess from my experience,

305
00:18:33,200 --> 00:18:36,120
typically what I see is a lot of school districts.

306
00:18:36,120 --> 00:18:40,560
I mentioned this a little bit before, is they have a very, very strong exterior posture.

307
00:18:40,560 --> 00:18:47,960
But then once you move in, it's very soft and squishy and easy to compromise items internally.

308
00:18:47,960 --> 00:18:52,000
We see a lot of this is challenges within the classroom.

309
00:18:52,000 --> 00:18:57,520
For example, a lot of the staff, when they're in the classroom with the students, they don't

310
00:18:57,520 --> 00:19:02,400
want the screen to automatically lock because it might give them an extra couple of minutes

311
00:19:02,400 --> 00:19:04,200
that they need to log back in.

312
00:19:04,200 --> 00:19:14,160
So the kids will hop on the computers or things such as even some of the most robust school

313
00:19:14,160 --> 00:19:20,600
districts, they don't know if the student Wi-Fi is properly segmented from the internal

314
00:19:20,600 --> 00:19:21,600
network.

315
00:19:21,600 --> 00:19:22,980
Oftentimes, it's not.

316
00:19:22,980 --> 00:19:27,880
So better network segmentation is going to be something really critical.

317
00:19:27,880 --> 00:19:34,160
I was just working with a school district, I think last month, that all of their students

318
00:19:34,160 --> 00:19:38,280
were on the same or had access to the internal network.

319
00:19:38,280 --> 00:19:40,680
And that's also where all their backups were.

320
00:19:40,680 --> 00:19:42,880
That's extremely dangerous.

321
00:19:42,880 --> 00:19:47,640
So kind of going back to the identification, that's one of the things I would at least

322
00:19:47,640 --> 00:19:51,840
consider.

323
00:19:51,840 --> 00:19:55,040
It's just so important to better segment your network.

324
00:19:55,040 --> 00:20:00,920
Matthew, I think you are on mute, but great topic.

325
00:20:00,920 --> 00:20:01,920
Thank you.

326
00:20:01,920 --> 00:20:03,420
There we go.

327
00:20:03,420 --> 00:20:09,640
One of the things that goes with the funding that we've talked about is that we've said

328
00:20:09,640 --> 00:20:14,640
we do a lot with the education industry, with these schools.

329
00:20:14,640 --> 00:20:22,120
And the reason for that is that the funding that's being used, your internal team is the

330
00:20:22,120 --> 00:20:24,760
one doing all of this work.

331
00:20:24,760 --> 00:20:31,840
So when you need something more than what you have in place, organizations like CIT,

332
00:20:31,840 --> 00:20:36,040
we do have security teams, we can assist in those locations.

333
00:20:36,040 --> 00:20:45,960
And that's why it's easier and significantly cheaper in some cases to pull in an organization

334
00:20:45,960 --> 00:20:49,200
like us to assist in that field.

335
00:20:49,200 --> 00:20:53,680
Depending on how many people you have on your IT team, it may just be too much for one,

336
00:20:53,680 --> 00:20:58,080
two, even five people to handle depending on the scope.

337
00:20:58,080 --> 00:21:03,860
And trying to have that number of people, however many it is, handle all parts of an

338
00:21:03,860 --> 00:21:13,160
internal IT system can be not just overwhelming, but cause burnout, can cause a fear of rushing,

339
00:21:13,160 --> 00:21:17,240
feeling like things have to get done as quickly as possible rather than taking the time to

340
00:21:17,240 --> 00:21:21,400
do them in full best practices.

341
00:21:21,400 --> 00:21:23,960
There's obviously a lot to that.

342
00:21:23,960 --> 00:21:26,420
Everyone's doing the best they can.

343
00:21:26,420 --> 00:21:29,160
But this is why services like this exist.

344
00:21:29,160 --> 00:21:35,040
It's so you can have help that isn't having to hire someone else who is a specialist in

345
00:21:35,040 --> 00:21:36,920
that field.

346
00:21:36,920 --> 00:21:38,240
You can do consulting work.

347
00:21:38,240 --> 00:21:43,320
You can have someone come in and assess and do that, review it, provide some guidance

348
00:21:43,320 --> 00:21:46,960
or assistance, and then step back.

349
00:21:46,960 --> 00:21:51,360
And that's a really great way just in general to find out where you are.

350
00:21:51,360 --> 00:21:54,360
We do this ourselves.

351
00:21:54,360 --> 00:21:56,000
We have audits that we do.

352
00:21:56,000 --> 00:21:58,280
We have reviews done.

353
00:21:58,280 --> 00:22:00,400
Vulnerability scans are incredibly useful.

354
00:22:00,400 --> 00:22:04,240
These help you find not just the posture from what you're looking for on your side, but

355
00:22:04,240 --> 00:22:06,880
how it looks to other people coming in.

356
00:22:06,880 --> 00:22:08,880
And that can be a little scary.

357
00:22:08,880 --> 00:22:11,960
I know there's been a couple of times where I've seen people say they don't ever want

358
00:22:11,960 --> 00:22:14,160
to see how it looks to other people.

359
00:22:14,160 --> 00:22:19,120
But those are exactly the times when you need someone to.

360
00:22:19,120 --> 00:22:20,600
Like I said, everyone's doing their best.

361
00:22:20,600 --> 00:22:22,040
None of this comes with judgment.

362
00:22:22,040 --> 00:22:25,480
It's all about guidance and what can be done better.

363
00:22:25,480 --> 00:22:30,240
I'm going to just quick ride off your whole staffing conversation.

364
00:22:30,240 --> 00:22:32,040
I know that we could go deep into that.

365
00:22:32,040 --> 00:22:38,000
But I do want to just quick make a call out saying, if you are in any form of district

366
00:22:38,000 --> 00:22:44,480
leadership, please take the time to have a little empathy with some of your IT staff

367
00:22:44,480 --> 00:22:46,840
if they are feeling burnt out and stressed.

368
00:22:46,840 --> 00:22:53,320
And then also, oftentimes it's the IT staff that are trying to make recommendations for

369
00:22:53,320 --> 00:22:59,680
different cybersecurity or different products or trying to push for some type of assessment.

370
00:22:59,680 --> 00:23:05,740
Maybe just take some time and ask them, hey, where do we stand on our assessments for cybersecurity?

371
00:23:05,740 --> 00:23:07,680
If you haven't done that already.

372
00:23:07,680 --> 00:23:12,360
And empower them to start looking into that.

373
00:23:12,360 --> 00:23:19,460
It's free, but it's a great way to help empower and start the conversations rather than having

374
00:23:19,460 --> 00:23:21,240
to influence up.

375
00:23:21,240 --> 00:23:27,560
Because that's often one of the main challenges there is just be receptive to them influencing

376
00:23:27,560 --> 00:23:28,840
you as well.

377
00:23:28,840 --> 00:23:34,040
Yeah, the one last thing that I would throw on the staff is schools have a tendency to

378
00:23:34,040 --> 00:23:39,480
try to delay as much as possible to the summertime because that's when the schools, quote unquote,

379
00:23:39,480 --> 00:23:40,480
aren't busy.

380
00:23:40,480 --> 00:23:42,720
Your IT staff is already busy during the summer.

381
00:23:42,720 --> 00:23:44,920
That's when they actually get to, quote unquote, do the work.

382
00:23:44,920 --> 00:23:49,880
So that's when they're doing the system revisions, they're upgrading, whatever it is, closets,

383
00:23:49,880 --> 00:23:52,480
network switching, access points, you name it.

384
00:23:52,480 --> 00:23:54,560
They've got a full slate coming into the summer.

385
00:23:54,560 --> 00:23:58,400
So if you're just thinking, well, we'll deal with that in the summer, they're already swamped.

386
00:23:58,400 --> 00:24:02,820
So just be cognizant of what you're asking your teams as you're going through it.

387
00:24:02,820 --> 00:24:07,360
If you're one of those teams, we feel you were with you 100% and we often help out during

388
00:24:07,360 --> 00:24:13,400
the summers too, because that's when they need the help the most.

389
00:24:13,400 --> 00:24:18,840
So as we're kind of walking through this, we kind of did a bit of a dive into some of

390
00:24:18,840 --> 00:24:20,680
the challenges that are out there.

391
00:24:20,680 --> 00:24:25,600
And one of the larger challenges that we typically see is friction that the security tools put

392
00:24:25,600 --> 00:24:26,600
in place, right?

393
00:24:26,600 --> 00:24:31,440
So things that we almost inevitably see as a lack of multifactor, we often see passwords

394
00:24:31,440 --> 00:24:32,960
that don't expire.

395
00:24:32,960 --> 00:24:36,760
Nate already mentioned whether the network is segmented or not.

396
00:24:36,760 --> 00:24:38,840
Those are things that are typically not done.

397
00:24:38,840 --> 00:24:43,120
Obviously, if you're looking for examples, things we want to do is we want to segment

398
00:24:43,120 --> 00:24:46,400
the network, the students shouldn't be on the same network as the staff.

399
00:24:46,400 --> 00:24:52,280
So they shouldn't have access to any of that PII, that personally identifiable information.

400
00:24:52,280 --> 00:24:56,720
We often see that they almost never have lockouts on their PC.

401
00:24:56,720 --> 00:25:01,860
So the teacher may have unbelievable amounts of access to data, and they don't like that

402
00:25:01,860 --> 00:25:05,520
their computers lock out when they walk away from them.

403
00:25:05,520 --> 00:25:07,120
There's ways to get rid of friction too.

404
00:25:07,120 --> 00:25:09,240
But because of that, the school just says, well, that's fine.

405
00:25:09,240 --> 00:25:14,440
We'll just leave them open, which is a terrible idea.

406
00:25:14,440 --> 00:25:18,840
There's other things that we would typically see that, again, kind of fall down that path

407
00:25:18,840 --> 00:25:21,560
that we would see that you need to go through.

408
00:25:21,560 --> 00:25:26,000
Ultimately, where I was going with it is there is ways to limit the friction that comes up

409
00:25:26,000 --> 00:25:28,240
from some of these tools.

410
00:25:28,240 --> 00:25:31,540
For example, passwords, where I said the passwords tend to be terrible.

411
00:25:31,540 --> 00:25:35,600
We typically recommend doing a very long, strong password and then changing it once

412
00:25:35,600 --> 00:25:37,600
a year.

413
00:25:37,600 --> 00:25:40,000
Teachers hate having their passwords changed.

414
00:25:40,000 --> 00:25:44,760
However, I've worked at schools with schools in schools, and I can tell you that when they

415
00:25:44,760 --> 00:25:48,720
go on their summer break, so from when they're gone from June until September, they've forgotten

416
00:25:48,720 --> 00:25:49,720
their passwords.

417
00:25:49,720 --> 00:25:52,320
So it's a great time to just say it's time to roll the password.

418
00:25:52,320 --> 00:25:58,080
Let's get it updated September 1st, and you can start the new year fresh.

419
00:25:58,080 --> 00:26:03,460
That's an easy way to start to kind of remove the friction that goes with it.

420
00:26:03,460 --> 00:26:07,300
Other things that we typically see is when we start to put multi-factor in, you'll get

421
00:26:07,300 --> 00:26:11,760
push back from the teacher saying, well, I own this phone, you don't, therefore I'm not

422
00:26:11,760 --> 00:26:15,400
going to put the tool on my phone, or you have to pay for it.

423
00:26:15,400 --> 00:26:17,260
There's ways around that too.

424
00:26:17,260 --> 00:26:23,840
You can look at biometrics or physical keys or something along those lines to, again,

425
00:26:23,840 --> 00:26:25,880
help remove the friction that goes with it.

426
00:26:25,880 --> 00:26:29,300
And then the last other point that I wanted to dive into, and I'll be quiet for a little

427
00:26:29,300 --> 00:26:33,760
bit, is we often see shared administrative accounts.

428
00:26:33,760 --> 00:26:38,640
So historically when you look at the schools, they may just have school district admin as

429
00:26:38,640 --> 00:26:41,400
the name of the account, and all of them use it.

430
00:26:41,400 --> 00:26:43,800
We definitely recommend getting rid of that too.

431
00:26:43,800 --> 00:26:48,720
Everybody should have a daily user account that is no admin, and then when they need

432
00:26:48,720 --> 00:26:53,400
it, they've also got an additional account that they can use for the accelerated administrative

433
00:26:53,400 --> 00:26:58,400
privileges or look at some sort of privilege access management tool set, which would also

434
00:26:58,400 --> 00:27:02,480
reduce friction, but it also has a cost associated with it.

435
00:27:02,480 --> 00:27:07,000
That's a great list.

436
00:27:07,000 --> 00:27:08,000
Thanks.

437
00:27:08,000 --> 00:27:17,720
I was going to mention the privilege access management as well, but again, the budgets

438
00:27:17,720 --> 00:27:23,040
are the main thing, so that's why I really just wanted to focus on the free initial things

439
00:27:23,040 --> 00:27:26,200
to get started.

440
00:27:26,200 --> 00:27:31,680
I hope that more of this falls into e-rate down the road, with everything starting to

441
00:27:31,680 --> 00:27:34,520
get more and more of a requirement.

442
00:27:34,520 --> 00:27:39,560
Unfortunately, it's just not there yet.

443
00:27:39,560 --> 00:27:44,760
I did want to mention, I think too, a lot of what you all had stated here today is pretty

444
00:27:44,760 --> 00:27:52,240
basic if we look at it from a wider lens of just taking a moment, so you know where you

445
00:27:52,240 --> 00:27:56,080
are and then can kind of take those steps forward.

446
00:27:56,080 --> 00:27:59,920
So I like the fact that we're able just to say, at the base level, here's where we're

447
00:27:59,920 --> 00:28:06,120
at and where we need to go and then pick those off as you can and just making those small

448
00:28:06,120 --> 00:28:11,840
little changes into that because they do have a bigger impact globally across that.

449
00:28:11,840 --> 00:28:16,880
So I know one of my jobs is here is to make sure that we kind of stay as far as the time

450
00:28:16,880 --> 00:28:17,880
goes.

451
00:28:17,880 --> 00:28:20,400
So we will be looking to kind of wrap up this podcast.

452
00:28:20,400 --> 00:28:24,240
I wanted to make sure we left enough time for everybody to kind of get in their last

453
00:28:24,240 --> 00:28:27,360
comments as we close out the segment.

454
00:28:27,360 --> 00:28:33,880
But anybody want to go first on some closing thoughts for our education community?

455
00:28:33,880 --> 00:28:39,440
Yeah, I feel like we've kind of danced around something a little bit.

456
00:28:39,440 --> 00:28:43,320
We've kind of mentioned it without really giving any guidance, which is the education

457
00:28:43,320 --> 00:28:48,940
industry doesn't have any cybersecurity frameworks that they're required to follow.

458
00:28:48,940 --> 00:28:53,280
They aren't forced to follow anything like the finance industry is.

459
00:28:53,280 --> 00:28:57,140
And while I think it could be great, I know that having something like that as a framework

460
00:28:57,140 --> 00:29:02,960
you have to follow could be, I don't want to say debilitating, but very difficult.

461
00:29:02,960 --> 00:29:06,720
So instead, I want to recommend finding something that works for you.

462
00:29:06,720 --> 00:29:11,240
The NIST cybersecurity framework is a great place to start.

463
00:29:11,240 --> 00:29:19,680
It's just a I think it's 120 ish questions to find out how you fit on their scale.

464
00:29:19,680 --> 00:29:22,680
You can also build up to some of the larger ones if you want.

465
00:29:22,680 --> 00:29:26,260
If you want to look at the NIST 853 guidelines.

466
00:29:26,260 --> 00:29:28,800
You know, there's more options out there.

467
00:29:28,800 --> 00:29:34,000
But starting with something like the NIST CSF is going to give you a guideline to see

468
00:29:34,000 --> 00:29:40,000
what the essentials could be, what it could be that you can follow and however you find

469
00:29:40,000 --> 00:29:43,040
yourself on that, that's your base.

470
00:29:43,040 --> 00:29:45,840
That's where you can start looking at what to do next.

471
00:29:45,840 --> 00:29:52,560
So just as a little guidance there, it's not just Google cybersecurity best practices.

472
00:29:52,560 --> 00:29:54,940
That is a great start.

473
00:29:54,940 --> 00:30:01,760
Finding a standard like the NIST CSF or shout out to my home country, the Australian Essential

474
00:30:01,760 --> 00:30:06,800
8, those will give you a great baseline.

475
00:30:06,800 --> 00:30:08,680
I can go next and I'll let Todd wrap it up.

476
00:30:08,680 --> 00:30:11,860
I was hoping you were going to say work up to NIST 800 171.

477
00:30:11,860 --> 00:30:15,640
For those that aren't familiar, it's a massive NIST for the federal government and everything.

478
00:30:15,640 --> 00:30:19,240
So I was going to say FFIC and I thought that might be too far.

479
00:30:19,240 --> 00:30:21,920
Yeah, it's a massive list.

480
00:30:21,920 --> 00:30:26,960
I guess my closing comment is going to be kind of what Taira touched on at the last

481
00:30:26,960 --> 00:30:33,000
little component is we talked about a lot of these basic recommendations.

482
00:30:33,000 --> 00:30:36,880
I love the idea that it kind of follows that Pareto principle.

483
00:30:36,880 --> 00:30:43,160
You put in 20% of the effort and you're going to remediate 80% of the risks.

484
00:30:43,160 --> 00:30:48,040
You start with the low hanging fruit, the baby steps, and that's going to have the biggest

485
00:30:48,040 --> 00:30:49,740
change to the network.

486
00:30:49,740 --> 00:30:55,760
You can get deep in the data classification and data encryption, but again, if the entire

487
00:30:55,760 --> 00:30:58,720
network is non-segmented, you don't have multifactor.

488
00:30:58,720 --> 00:31:00,180
You didn't do the basics.

489
00:31:00,180 --> 00:31:01,480
It's all for a waste.

490
00:31:01,480 --> 00:31:04,360
So to a degree.

491
00:31:04,360 --> 00:31:06,080
So just start with that.

492
00:31:06,080 --> 00:31:10,980
Before we jump past that, what are the basics?

493
00:31:10,980 --> 00:31:15,120
Just a couple items you'd recommend as those basics.

494
00:31:15,120 --> 00:31:18,280
Starting with the readiness assessment.

495
00:31:18,280 --> 00:31:21,920
You're familiar with that, Matthew, you talked about if you don't have some type of framework

496
00:31:21,920 --> 00:31:23,960
to start navigating down.

497
00:31:23,960 --> 00:31:29,800
So once you know where you stand, picking out the road that you want to drive down,

498
00:31:29,800 --> 00:31:34,640
that would be picking the framework and then starting from there.

499
00:31:34,640 --> 00:31:38,480
When we're talking about something like the NIST cybersecurity framework, the first two

500
00:31:38,480 --> 00:31:42,160
pillars of that is identify and protect.

501
00:31:42,160 --> 00:31:46,320
Work down through all the identification steps there to know what you have because you can't

502
00:31:46,320 --> 00:31:48,320
protect if you don't know what you have.

503
00:31:48,320 --> 00:31:53,200
And then at that point, start considering what do we actually need to protect that data

504
00:31:53,200 --> 00:31:55,840
or devices or users, right?

505
00:31:55,840 --> 00:32:03,400
So but again, 20% of the effort will fix about 80% of the risks there.

506
00:32:03,400 --> 00:32:07,000
Yeah, I'll keep my closing comments brief.

507
00:32:07,000 --> 00:32:10,360
So I think Nate and Matthew covered a lot of really good ground.

508
00:32:10,360 --> 00:32:14,480
There is a lot of baselines that are covered by these frameworks, which is why that we're

509
00:32:14,480 --> 00:32:16,280
mentioning them.

510
00:32:16,280 --> 00:32:21,760
The last piece that I'll mention is as you're going through these things, the good or the

511
00:32:21,760 --> 00:32:26,620
bad is that they do align with a lot of other things that we're seeing industry wide.

512
00:32:26,620 --> 00:32:30,680
So whether you're in finance or if you're in schools, it doesn't matter.

513
00:32:30,680 --> 00:32:32,680
Cybersecurity insurance is incredibly important.

514
00:32:32,680 --> 00:32:36,000
And the things that they're looking for in that are exactly the things that we're talking

515
00:32:36,000 --> 00:32:37,000
about.

516
00:32:37,000 --> 00:32:40,720
So it's all of the things we just covered through the podcast, but it also is referencing

517
00:32:40,720 --> 00:32:43,000
those frameworks and saying where do you start?

518
00:32:43,000 --> 00:32:44,900
What do you need to put in place and so forth?

519
00:32:44,900 --> 00:32:48,640
So there is a lot of benefits going through that as you start your journey on your security

520
00:32:48,640 --> 00:32:49,640
process.

521
00:32:49,640 --> 00:32:54,520
It does map to a lot of other requirements that we'll see continue to come down the pipe.

522
00:32:54,520 --> 00:32:59,680
I would also anticipate at some point to Nate's comments and Matthew's is there may be some

523
00:32:59,680 --> 00:33:01,080
requirements in the future.

524
00:33:01,080 --> 00:33:06,040
The more of this that happens, government will eventually get involved in that.

525
00:33:06,040 --> 00:33:09,120
Again, pluses and minuses, you'll be held to a standard.

526
00:33:09,120 --> 00:33:11,120
The plus would be that there'll be more funding available.

527
00:33:11,120 --> 00:33:12,320
So I would anticipate it's coming.

528
00:33:12,320 --> 00:33:15,080
I just don't have any insights as to when.

529
00:33:15,080 --> 00:33:16,080
Wonderful.

530
00:33:16,080 --> 00:33:20,680
You guys all three did a great job of wrapping that up.

531
00:33:20,680 --> 00:33:22,720
I appreciate that.

532
00:33:22,720 --> 00:33:26,920
Thanks so much, Nate, Todd and Matthew and also Kelsey for joining us on the Tech for

533
00:33:26,920 --> 00:33:33,000
Business podcast on protecting the education industry and discussing some best security

534
00:33:33,000 --> 00:33:34,000
practices.

535
00:33:34,000 --> 00:33:38,760
I know we went over a lot, but we're definitely we'll get this out onto our website, which

536
00:33:38,760 --> 00:33:45,800
you can find at www.cit-net.com slash podcast.

537
00:33:45,800 --> 00:33:51,480
Or as always, if you have any questions from our podcast today or have any additional topics,

538
00:33:51,480 --> 00:33:56,520
please email us at info at cit-net.com.

539
00:33:56,520 --> 00:34:00,280
And as always, too, we look forward to chatting with you guys next week.

540
00:34:00,280 --> 00:34:08,920
Thanks so much.