Vinson Logo


Rotate Your Device

Top Ten Suggestions to Enhance Your Cyber Security Posture

John LaPlante

November 17, 2022

Protecting your information is an ongoing, regular, and evolving process. No easy button, product, or single task will protect you from every attack. A good information security program encompasses many regularly performed activities that protect your valuable systems, infrastructure, data, and overall technology investment. These 10 processes will help you get your security program started.

Adopt a Security Framework

Ohio has recently enacted ORC 1354, also known as the Ohio Data Protection Act or the Ohio Safe Harbor for Cybersecurity Compliance.  ORC 1354 encourages businesses to comply with an industry-recognized cybersecurity framework, such as the NIST Cybersecurity Framework. Those who do may use such compliance as an affirmative defense to any tort action arising from an alleged failure to implement reasonable information security controls. Music to many a Superintendent’s, Treasurer’s, or Technology Director’s ears!

Initial Assessment

Assess the School District’s security program and its alignment with the selected framework.  Review the controls described in the control framework, review practices in your organization against the controls, and adjust practices where necessary.

Security Awareness Training

Schools should deploy simulated phishing campaigns and regular security awareness training on data protection, incident identification and response, and insider threats.  This training applies to everyone, even the most senior school district members.  The training should be bite-sized (short, recurring sessions instead of a single longer session) and well-communicated.  The simulated phishing campaigns should be unannounced and conducted regularly (quarterly is recommended) and use various templates, delivery dates, and delivery times.  

Asset Inventory

Complete an inventory of information systems on the network, including workstations and servers, virtual machines, configurations, software, IP cameras, smart boards, and other information appliances.

Account Management

Employ a variety of account management strategies, such as:

  • Multi-Factor Authentication for VPN, Administrative, and Cloud Services\
  • Strong passwords (min character length, complexity requirements, reuse limits)
  • Password age – minimum 1 day and maximum 365 days.
  • Least privilege – Separate accounts for system administration and least access required to perform job duties
  • Remove inactive/unneeded accounts

Patching & Updates

At a minimum, review all systems monthly, and apply patches or update the firmware. Apply any identified critical vulnerability remediation within 48 hours of detection.


Have a plan!  Your district backup plan should include multiple copies over time and should be stored offsite or offline.  Backups should be tested at least annually and should follow the “3-2-1 rule”:

  • 3 copies of the data
  • Stored in 2 different formats and
  • 1 copy stored offsite

Endpoint Protection

Run a centrally managed anti-virus solution or EDR on all endpoints with daily updates.

Vulnerability Scanning

Begin utilizing CISA’s free vulnerability scanner.  The minimum configuration should include monthly full and weekly remediation scans and target internal and external resources.

Incident Response, Business Continuity Planning, and Disaster Recovery

Plans should be documented and tested annually. All personnel with responsibilities within the plans should participate in the test for training. See already developed templates.

  • Incident Response Plan defines the actions and activities the Incident Response Team takes in case of a security incident or breach.
  • A Business Continuity Plan defines the resumption of business processes in other than normal conditions.
  • The Disaster Recovery Plan defines the resumption of IT services in support of the Business Continuity Plan.

If you have any questions or need help with any/all of these points, please don’t hesitate to contact us.  We’d happily set up a complimentary initial discussion about Vinson Protect and increasing your cybersecurity readiness.  

Reposted with permission from the Management Council and Filament Essential Services.

get in touch