CDW-G School Safety Index 2009

CDW-G School Safety Index 2009 May 18, 2009 2009 CDW Government, Inc. 1

CDW-G School Safety Index 2009 Study Focus and Objectives Now in its third year, the CDW-G School Safety Index provides a nationwide, firsthand view of school safety issues from the perspective of district IT and security directors. Additionally, the index enables schools to measure themselves against a national benchmark. CDW-G expanded the survey to understand the steps districts are taking to strengthen security, protect wireless networks, and monitor buildings. CDW-G surveyed more than 400 K-12 district IT and security directors to: Evaluate districts cyber and physical security Assess current cyber and physical security measures Understand the proliferation of security breaches Understand the impact of cyber and physical education and communication 2

CDW-G School Safety Index 2009 Contents Executive Summary 4 Understanding the Index 5 The School Safety Index 6 Cyber Security 8 Physical Security 17 Homework: Calls to Action 23 Methodology 24 Respondent Demographics 25 2009 Cyber Safety Index 26 2009 Physical Safety Index 28 3

Executive Summary Report Card: Threats outpace school security improvements CDW-G School Safety Index 2009 K-12 districts scores fell in the 2009 School Safety Index Continued threats, such as breaches and lack of end-user compliance, coupled with budget and staffing challenges make progress difficult» In the last 12 months, 55% of districts report experiencing a cyber security breach and 67% report experiencing a physical security breach» Only 19% of districts are confident that students are following acceptable use policies Schools are taking positive steps to improve security» The majority of districts (87%) report that the IT and physical security departments are collaborating» 88% of respondents say their district has a wireless network; of these, 92% use encryption to secure the network» 70% of districts report using a mass notification system to improve emergency communication But security perceptions do not align with reality While K-12 districts report an increase in physical and cyber breaches in the last year vs. previous years, most still say their schools are safe. By their own self-assessment:» Just 22% of respondents indicated that their cyber security needs improvement» Just 24% of respondents indicated that their physical security needs improvement Budget is the top impediment to improving security Despite increased threats and breaches:» Just 34% of districts plan to make a case for increased investment in these areas» Less than a quarter (20%) say they seek best practices from other districts 4

CDW-G School Safety Index 2009 Understanding the Index Based on online survey research, the CDW-G School Safety Index s 10 positive indicators and 4 contraindicators represent the elements of an overall security program. The CDW-G School Safety Index sets a national benchmark to gauge the current status of school safety and outlines steps for improvement. Additionally, the index aims to focus attention on the convergence of IT and physical security in public school districts. Cyber Security Indicators» Self-Assessment» District Cooperation» Strengthening Security» Security Updates» Wireless Security» AUP Contraindicators» IT Breaches» IT Barriers Physical Security Indicators» Self-Assessment» Strengthening Security» Campus Monitoring» Mass Notification Contraindicators» Physical Breaches» Physical Barriers 5

CDW-G School Safety Index 2009 The CDW-G School Safety Index** Taken together, the Cyber Safety Index and the Physical Safety Index comprise the School Safety Index. In 2009, K-12 districts scores fell, in line with continued threats and budget and staffing challenges. The 2009 National Cyber Safety Average was 22.2; the Physical Safety Average was 32.2.* The results point to a need for increased focus on both cyber and physical security in K-12 districts. *See slides 26-29 for expanded information on the cyber and physical indexes. **This year, CDW-G provided specific definitions of breaches for the first time. 6

Cyber/Physical Security Collaboration: Teamwork Lightens the Load CDW-G School Safety Index 2009 Districts are working to integrate cyber and physical security efforts, with the majority 87% reporting collaboration, up from 65% in 2008. 50% 45% 40% 46% 35% 30% 25% 20% 15% 35% 33% 21% How does your district IT department share or collaborate with the security department on plans and/or purchases?* 10% 13% 5% 0% Share staff Share resources Meet regularly Consult on purchases Do not collaborate *Respondents were asked to select all that apply. 7

Cyber Security Wireless Networks: Connecting to Learn Wireless networks are proliferating, bringing increased access to the Internet and other computing resources. 88% Of districts report they have a wireless network Where are the networks located?* 59% administrative offices 59% classrooms 58% common areas Small districts lag in classroom connections: 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% 45% 66% Have wireless in classrooms Of those districts without a wireless network, approximately two-thirds (65%) are currently considering or implementing one Under 1,000 students Over 50,000 students *Respondents were asked to select all that apply. 8

Cyber Security Wireless Networks: Connecting to Learn Wireless networks also bring new security concerns. Districts are taking steps to protect themselves. How does your district secure its wireless network?* Firewalls Wireless Encryption Protocol (WEP) 38% 54% 92% Wireless Protected Access 2 (WPA2) Wireless Protected Access (WPA) 23% 24% of districts use some type of encryption Open, segmented, VLAN, multiple SSID 16% Perimeter and/or wireless intrusion detection WPA Enterprise/802.1x 9% 11% *Respondents were asked to select all that apply. 9

Cyber Security Network Monitoring: Hall Pass for Hackers? Districts are not taking all possible steps to ensure their systems have current security software, leaving their networks vulnerable. How do you ensure that district computers have the latest security patches and updates?* 58% 48% 35% Patch management Use Network Access Control (NAC) to view and control who is on the network and provide updates and patches Prevent computers from connecting until security updates are complete *Respondents were asked to select all that apply. 10

Cyber Security Acceptable Use: Engage the Community Acceptable use policies (AUP) enable school districts to ensure that users follow the policies and procedures that protect students and the network. The data shows that districts need to put a greater emphasis on compliance monitoring. How confident are you that your students are following AUP regarding Internet use? Low confidence may result from lack of supervision Very confident; we filter, monitor logs extensively, and test for gaps in our protection Somewhat confident; we filter and monitor filtering logs only 40% of districts say they are strengthening network security by enforcing their AUP 17% 19% 64% additionally 40% say they spend 4 or fewer hours per month reviewing/investigating questionable Internet activity Not at all confident; we only do basic filtering 11

Cyber Security IT Breaches: Threats on the Rise District IT breaches*, defined as unauthorized user access, hacking, or viruses, are rising rapidly, with districts reporting that the majority of IT breaches are internal confirming the need to bolster AUPs and improve end-user education and monitoring. Consequences of IT Security Breaches** Experienced a breach in the prior 12 months: 60% Loss of staff hours to deal with/correct the breach 59% Purchase of new software/hardware to correct the breach 19% Compromised data or loss of confidential data 18% 50% 55% Negative publicity 17% 40% Personnel terminated 4% 30% 20% 2007 2008 2009 Causes of IT Security Breaches** Internal breach student 41% 10% 0% 9% 14% IT Breaches External breach 35% Internal breach staff employees 22% Unsure 21% *The study defined IT breaches in 2009, which was not done in previous years. **Respondents were asked to select all that apply. 12

Cyber Security IT Barriers: Holding Back Progress For the third year in a row, budget challenges, lack of staff resources, and hardware/software barriers top the list of cyber security challenges. Still, few districts are planning to reallocate IT budget for increased focus, and just a third plan to make a business case for improving IT security. What are your district s top three barriers to improving IT security?* 70% 60% 67% 50% 56% 40% 42% 30% 20% 10% Most districts are not allocating additional budget to address the top concern:» Just 20% say they plan to reallocate district IT budget to address security needs and/or reallocate staff resources to address security concerns» Just 33% say they plan to make the business case to the administration/school board for improving IT security 0% Lack of budget Too few staff resources Hardware/software barriers *Respondents were asked to pick their top three. 13

Cyber Security IT Barriers: Holding Back Progress K-12 IT professionals are examining a variety of options to address security concerns; there is no consensus on the best path forward. How do you plan to overcome your district s barriers to better IT security in the next 12 months? 36% 33% 27% 25% 20% Engage the district s administration to improve IT processes and procedures Make the business case to the administration/school board for improving IT security Purchase additional software Change IT security policies for users Purchase additional hardware Reallocate district IT budget to address security needs Reallocate staff resources to address security concerns *Respondents were asked to select all that apply. 14

Cyber Security Cyber Security: How to Raise the Grade When asked what needs to be done to strengthen network security, 71% of respondents said improve enduser education. But just 52% report that they are taking steps to do so. Improving end-user education Enforcing the acceptable use policy (AUP) 37% 40% Increasing access control, such as network log-ons 28% 43% Improving URL content management/web filtering 27% 37% Sharing best practices with other districts 24% 25% Utilizing students to identify security gaps/white hat hackers 21% 14% Increasing the granularity of network authentication 20% 22% 52% *Respondents were asked to select all that apply. Ranking shows most popular responses. 71% What needs to be done to strengthen your network security?* What steps are being taken to strengthen your network security?* 15

Cyber Security Cyber Security: How to Raise the Grade K-12 districts may be missing an opportunity to leverage lessons learned due to lack of communication with other districts on security issues. 67% 25% cite budget as their most significant challenge but just of districts say they are sharing best practices with other districts $ Leverage lessons learned from other districts to save money and improve security 16

Physical Security Campus Monitoring: Under the Microscope Districts report a slight increase in security camera use, with 79% reporting they use cameras (up from 70% in 2008). Still, just 50% say their district uses cameras to monitor indoor common areas. Does your district currently use security cameras to monitor the following? Outside of buildings/parking lots 58% Entry/exit points 57% Common areas (cafeteria and hallways) 50% Offices 17% Gymnasium 12% Classrooms 11% Rural schools at greater risk? Use cameras: 82% of urban/suburban districts 70% of rural districts 36% 24% of districts enable local emergency response personnel, such as police, fire, or dispatchers, to view security camera footage in real time (up from 33% in 2008) of those who do not link to local authorities are planning or implementing a program within the next 12 months 17

Physical Security Mass Notification: Critical Communications Districts report a significant increase in use of mass notification systems, strengthening real-time safety communication. Use a Mass Notification System: 46% 2008: 45% 2009: 70% of those without a mass notification system are planning or implementing one within the next 12 months 75% Rural Districts Lag: Have a Mass Notification System: Yes 71% Yes 59% Yes Urban Suburban Rural 80% 70% 60% 50% 40% 30% 20% 10% 0% 18

Physical Security Mass Notification: Critical Communications Despite increased deployment of mass notification systems, districts are not taking advantage of all available communication methods. Text alerts, which may provide the fastest communication, are in place in fewer than half of districts with mass notification systems. And 1/3 of parents are not able to receive communication from districts with mass notification systems. Most commonly cited mass notification capabilities: 80% 70% 60% 50% 40% 30% 20% 10% 0% 70% 69% Automated phone messages 61% 65% 32% 39% 28% 38% E-mail alerts Text message alerts Sirens/loud speakers 2008 2009 The following groups receive messages from their district s mass notification system: Faculty/staff 91% Administration 85% Parents/guardians 62% Students 49% Local police and emergency personnel 42% 19

Physical Security Physical Breaches: Lock Down K-12 districts report a rise in physical security concerns. While most respondents believe their physical security is adequate, the data indicates a need to strengthen. Experienced a physical security breach* in the last 12 months, defined as a break-in, unauthorized persons in school buildings, or vandalism 70% 60% 50% 40% 30% 20% 10% 0% 21% 31% IT Breaches 67% 2007 2008 2009 Consequence of Physical Security Breaches** Loss of staff hours to deal with/correct the breach 53% Loss of physical assets 51% Negative publicity 24% Purchase of security cameras to deter crime 21% Purchase of new software to correct the breach 9% Personnel terminated 4% Causes of Physical Security Breaches** Unidentified person(s) 42% Students 37% Unsure 29% Staff/employees 13% *The study defined physical breaches in 2009, which was not done in previous years. **Respondents were asked to select all that apply. 20

Physical Security Physical Barriers: Holding Back Progress Nearly all (84%) districts encounter obstacles to physical security improvement. For the third year in a row, budget is cited as the top barrier, but just a third (35%) of respondents report they plan to make a business case to the administration/school board for improving physical security. 70% 60% 50% 40% 30% 20% 10% What are your district s top three barriers to improving physical security?* 69% 46% 27% How do you plan to overcome your district s barriers to better physical security in the next 12 months?** Make the business case to the administration/school board for improving physical security 35% Engage the district s administration to improve IT processes and procedures 31% Change security policies 26% Purchase additional hardware 23% Reallocate staff resources to address security concerns 23% Purchase additional software 17% 0% Lack of budget Too few staff resources Need for more tools Reallocate district IT budget to address security needs 14% *Respondents were asked to pick their top three. **Respondents were asked to select all that apply. 21

Physical Security Physical Security: How to Raise the Grade Respondents recommend a wide range of tactics to improve physical security there is no silver bullet. What needs to change to improve overall building security?* What steps is your district taking to improve overall building security?* 38% Better physical access control, such as RFID, door badges, locks, etc. 36% Better faculty/staff cooperation 36% Better surveillance 26% Better physical security plan 21% Better student cooperation 14% Better collaboration with IT 12% Sharing best practices with other districts 6% District building security does not need improvements 31% Better physical access control, such as RFID, door badges, locks, etc. 29% Better faculty/staff cooperation 29% Better surveillance 25% Better physical security plan 17% Better student cooperation 16% Better collaboration with IT 14% Sharing best practices with other districts 5% District building security does not need improvements *Respondents were asked to select all that apply. Ranking shows most popular responses. 22

CDW-G School Safety Index 2009 Homework: Calls to Action Renew Your Self-Assessment: Given lower year-over-year scores and increasing numbers of reported breaches, assess your district s current security, use of available tools, and user community compliance with established security policies and leverage those findings to prioritize. Visit www.schoolsafetyindex.com to use the 2009 School Safety Index Self-Assessment Tool and receive instant scores and feedback Cover the Basics: Prevent computers that do not have security updates from connecting to your network. Increase use of cameras for indoor common areas Strengthen Acceptable Use and Monitoring: End-user education is cited as a significant need. Strengthen education, but don t rely on the end users. Deploy automated tools to assist, particularly in the face of staff shortages Learn From Your Peers: Reach out to other districts to share real-world advice and security best practices. Collective knowledge will help prioritize investments and maximize stretched budgets 23

CDW-G School Safety Index 2009 Methodology CDW-G conducted an online survey of district IT and security personnel in March and April 2009 A total of 408 IT and security personnel from a variety of K-12 public school districts from urban to rural completed the survey The sample size equates to a +/- 4.80% margin of error at a 95% confidence level Calculating the CDW-G School Safety Index:» Each positive indicator question is based on a value of 10» Each contraindicator question is based on a value of -10» Using the data from the national survey, the percentages were divided by 10, resulting in a numeric value 24

CDW-G School Safety Index 2009 Respondent Demographics Job Function:» 26% IT director/coordinator» 16% Network systems administrator» 9% Chief Information/ Technology/ Security Officer» 8% Superintendent» 4% Assistant superintendent for network security or emergency planning» 2% Director of emergency planning or security» 35% Other IT or security title Metropolitan Statistical Area:» 32% Urban» 48% Suburban» 20% Rural District Enrollment:» 15% 1,000 or fewer students» 34% 1,001-5,000 students» 24% 5,001-20,000 students» 27% 20,001+ students Job Responsibilities Include*:» 69% IT or network security» 14% Emergency communications» 17% Emergency planning» 14% Building security IT Budget:» 20% Average percent of district IT budget spent on IT safety for 08-09 school year *Respondents were asked to select all that apply. 25

CDW-G School Safety Index 2009 2009 Cyber Safety Index Element Question % Self Assessment Strengthening Security Strengthening Security Strengthening Security Strengthening Security Strengthening Security Would you rate the overall security of your district's IT network as safe or very safe? What steps are you taking to strengthen your network security? Improving end-user education 78% 52% Increasing access control 43% Utilizing students to identify security gaps/white hat hackers 14% Enforcing acceptable use policy (AUP) 40% Improving URL content management/web filtering 37% Element Question % Strengthening Security Strengthening Security District Cooperation Security Updates Increasing the granularity of network authentication 22% Sharing best practices with other districts 25% Regarding plans or purchases that affect cyber security and physical security, do your district IT and physical security departments share or collaborate on plans and/or purchases? How do you ensure that district computers have the latest security patches and updates? Utilize network access control to view and control who is on the network 87% 48% Security Updates Prevent computers from connecting until security updates are complete 35% Security Updates Patch management 58% 2009 National Cyber Safety Average = 22.2 0 50 100 Factors in red are 2009 School Safety Index additions. 26

CDW-G School Safety Index 2009 2009 Cyber Safety Index, Cont. Element Question % Wireless Security If your district has a wireless network, how do you secure it? 38% Wireless Encryption Protocol (WEP) Wireless Security Wireless Protected Access (WPA) 23% Wireless Security Wireless Protected Access 2 (WPA2) 24% Wireless Security WPA Enterprise/802/1x 9% Wireless Security Firewalls 54% Wireless Security Intrusion detection perimeter and/or wireless 11% Wireless Security Open, segmented, VLAN, multiple SSID 16% Wireless Security No encryption 8% AUP IT Breaches Are you confident that your students are following the acceptable use policy (AUP) regarding Internet use? Has your district had an IT breach in the last 12 months? 19% 55% Element Question % IT Breaches IT Barriers Compared to this time last year, have the cyber security breaches in your district increased? What are your district's main barriers to improving IT security? Yes Budget 7% 67% IT Barriers Too few staff resources 56% IT Barriers Lack of defined policies 21% IT Barriers Out of date hardware 26% IT Barriers Out of date software 16% IT Barriers Lack of IT infrastructure 15% IT Barriers Lack of user participation 19% 2009 National Cyber Safety Average = 22.2 0 50 100 Factors in red are 2009 School Safety Index additions. 27

CDW-G School Safety Index 2009 2009 Physical Safety Index Element Question % Self Assessment Strengthening Security Strengthening Security Strengthening Security Strengthening Security Strengthening Security Strengthening Security Would you rate the overall security of your district s buildings as safe or very safe? What steps are you taking to improve overall building security? Better physical access control, such as RFID, door badges, locks, etc. 76% 31% Better physical security plan 25% Better collaboration with IT 16% Better surveillance 29% Better student cooperation 17% Better faculty/staff cooperation 29% Element Question % Strengthening Security Sharing best practices with other districts 14% Campus Monitoring Does your district use security cameras to monitor any of the following? 58% Outside of buildings/parking lots Campus Monitoring Common areas such as cafeteria and hallways 50% Campus Monitoring Entry/exit points 57% Campus Monitoring Classrooms 11% Campus Monitoring Gymnasium 12% Campus Monitoring Offices 17% Campus Monitoring Does your district enable local emergency response personnel, such as police, fire, or dispatchers, to view security camera footage in real time? Yes 36% 2009 National Physical Safety Average = 32.2 0 50 100 Factors in red are 2009 School Safety Index additions. 28

CDW-G School Safety Index 2009 2009 Physical Safety Index, Cont. Element Question % Mass Notification Does your district use a mass notification system? 70% Mass Notification Does your mass notification have any of the following capabilities? 69% Automated phone messages Mass Notification Text message alerts 39% Mass Notification E-mail alerts 65% Mass Notification Sirens/loud speakers 38% Mass Notification Who can receive messages from your district's mass notification system? 91% Faculty/staff Mass Notification Administration 85% Mass Notification Students 49% Mass Notification Parents/Guardians 62% Mass Notification Local police and emergency personnel 42% Element Question % Physical Breaches Physical Breaches Physical Barriers Has your district had a physical breach in the last 12 months? Compared to this time last year, have the number of physical security breaches in your district increased? What are your district's main barriers to improving physical security? Budget 67% 7% 69% Physical Barriers Too few staff resources 46% Physical Barriers Lack of defined policies 19% Physical Barriers Need for more tools 27% Physical Barriers Poor infrastructure 19% Physical Barriers Lack of student participation 12% Physical Barriers Lack of faculty/staff participation 18% 2009 National Physical Safety Average = 32.2 0 50 100 Factors in red are 2009 School Safety Index additions. 29

CDW-G School Safety Index 2009 Thank You For all media questions and inquiries, please contact: Kelly Caraher Meredith Braselman CDW Government, Inc. O Keeffe & Company (847) 968-0729 (703) 883-9000 ext. 107 kellyc@cdw.com mbraselman@okco.com www.cdwg.com/schoolsafetyindex www.schoolsafetyindex.com 30