There was an interview this week with the director of technology at one district. Johnathan Kim works for the Woodland Hills school district and is a former staffer at the Navy Cyber Defense Operations Command. That's the type of training that I think few school district employees have. I've known a few people who manage technology inside schools, and while they are often smart, capable people, they aren't security professionals.
The interview talks about a few of the changes that Mr. Kim has made, such as enabling two-factor authentication (2FA) and removing local admin rights for many teachers. I know these are the types of rules that frustrate many workers who use computers. In fact, I ran into someone who rarely upgrades software on their development machine because so many applications require administrative rights and they don't want to bother opening tickets more than a few times a year.
Two-factor authentication can be a pain, and I know I get confused sometimes as I have both 2FA and MFA with different processes for different systems. It's good in that a few times in the last year I've caught a hacking attempt, but it's also a pain to deal with when I'm doing something simple. I can see why people don't like it when they don't understand the challenges of securing systems. Every time I find myself frustrated, I stop and remember the problems others have had, especially those that have dealt with ransomware in their organizations.
A good point in the interview is that education can help smooth the way for security practices that feel unnecessary or disruptive. It's good to remind ourselves why we want others to hold only the least privileges they need, and why those of us with privileged access need a separate account for that access. We also ought to come up with a good story to educate others when they complain, perhaps recounting a breach or loss to remind them that our systems are constantly under attack.