ASBO International's School Business Affairs Magazine - Cybersecurity
These articles originally appeared in ASBO International's School Business Affairs magazine and are reprinted with permission.
The text herein does not necessarily represent the views or policies of ASBO International, and use of the imprint does not imply any endorsement or recognition by ASBO International and its officers or affiliates.
Why Your District Needs a Cybersecurity Awareness Program
Security awareness training is crucial to protect the district’s network.
By Kevin Richmiller
The average cost of a data breach in the global education sector is $4.77 million, or $265 per record. The cost to remediate the impact of a ransomware attack—including the cost of downtime, data recovery, device and network repairs, security updates, and lost opportunity, as well as ransom payments—is $2.73 million, according to StealthLabs, a computer security service company.
Schools are among the most vulnerable and lucrative targets for data breaches and ransomware. Out of 17 industries surveyed, education ranked last for cyber preparedness. According to the Federal Bureau of Investigation, 57% of all ransomware attacks reported in August and September 2020 targeted U.S. K–12 schools.
Why is education such a lucrative and easy target for hackers?
• Education institutions often struggle to find or afford qualified security experts to secure their growing information technology (IT) environments.
• Districts lack funding to protect resources adequately.
• End users generally lack awareness about cybersecurity.
What do schools have that hackers want? School financial information and personally identifiable information about students, parents, and employees. If an elementary school student’s data are compromised, it may be a decade before parents look at their child’s credit report and realize there is a problem.
Key Components
Now that we know why cybercriminals want data from educational entities and the potential cost of a cyber incident, let’s examine key components we can implement to help protect our students and staff.
Data governance plan. First, districts should have a data governance plan. Data governance plans formulate policies and procedures for an organization to handle any data issues. The data governance plan, at a minimum, should address
• Data life cycles
• Management and storage
• Security and protection
• Usage and dissemination
• Archive and destruction
• Critical incident response
These individual policies and procedures help ensure that student and staff data are secure and detail how to handle certain situations if an incident arises.
Security awareness training. Security awareness training is a strategy that IT and security professionals use to prevent and mitigate user risk. These programs are designed to help users and employees understand the role they play in helping combat information security breaches. Security awareness training is critical for all staff members.
A recent IBM Cyber Security Intelligence Index report found that human error was a contributing factor in 95% of the security incidents it analyzed. A misconfigured piece of networking equipment, a missing firewall, or one click on a malicious phishing email may be all that stands between a hacker and your network.
In relation to staff awareness, all district email accounts are property of the district, not the individual. Individuals should not use their district email account to sign up for personal accounts on nondistrict websites.
If an individual signs up on another company’s website with a district email address and the same password that protects the district mailbox, and that company is later breached, the individual has potentially caused a breach for the district: the attacker now holds a valid district username and password and can simply try them against the district’s own login pages (credential stuffing).
Administrative privileges. One simple way to limit what a malicious email link can do once it is clicked is to ensure that no staff members, including IT staff, have admin rights on the machines they use daily. Malware runs with the privileges of the user who launched it, so admin rights on a machine turn one bad click into a full compromise of that machine rather than of one user profile.
IT staff members should have separate login accounts with admin rights that they use only when they need elevated privileges to complete their work.
Password policies. A strict, enforced password policy can protect your district. A strong password should
• Be at least 12 characters long
• Be unique from previously used passwords
• Contain no complete dictionary words
• Include a variety of characters, including uppercase letters, lowercase letters, numbers, and symbols
Consider passphrases instead of passwords. A passphrase is a password composed of a sentence or combination of words, including numbers, symbols, and upper and lowercase letters. A passphrase is typically longer than a password and includes spaces. An example of a passphrase is “New York w1nters R c0ld!”
A password reset policy should require users to change their passwords every specified number of days. Note that current NIST guidance (SP 800-63B) recommends against forced periodic rotation unless there is evidence of compromise, because it pushes users toward predictable variations of the old password; if the district keeps a rotation interval, pair it with screening of every new password against lists of known-breached passwords.
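The password rules above, and the credential-reuse risk described under staff awareness, can both be checked automatically. The following Python script is an added example, not code from the article or from the St. Charles district: it implements the four listed rules as written, a salted password-history check, and a breached-password screen that mirrors the k-anonymity range query used by Have I Been Pwned’s Pwned Passwords service (only the first five hex characters of the SHA-1 hash leave the client; the suffix is matched locally). The dictionary, the “breached” list, the sample passwords, and the range endpoint are constructed stand-ins, not real data. Read literally, the whole-word rule rejects the article’s own passphrase example because “New” and “York” are complete words, so the function reports each failed rule by name and a district that adopts passphrases can waive that one rule for them.

```python
"""Password-policy checks plus breached-password screening.
Added example, not code from the article or the St. Charles district."""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12
PBKDF2_ROUNDS = 50_000

# Constructed stand-in for a real dictionary file (assumption: lowercase words).
DICTIONARY = {"new", "york", "winters", "cold", "summer", "password",
              "school", "district", "welcome"}

# Constructed stand-in for a breach corpus; the real service holds hundreds of millions.
BREACHED = ["Summer2020!", "password", "School2019", "district123", "Welcome1!"]


def _sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_service(prefix):
    """Simulate a k-anonymity range endpoint (same wire format as Pwned
    Passwords): given a 5-hex-char prefix, return "SUFFIX:COUNT" lines for
    every breached hash that starts with it. Counts here are made up."""
    lines = []
    for n, pw in enumerate(BREACHED, start=1):
        digest = _sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{n}")
    return "\r\n".join(lines)


def is_breached(password, range_lookup=fake_range_service):
    """Only the first five hex characters of the SHA-1 leave the client;
    the remaining 35 are compared locally against the returned suffixes."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, _count = line.strip().partition(":")
        if candidate and hmac.compare_digest(candidate, suffix):
            return True
    return False


def hash_for_history(password, salt=None):
    """Salted, slow hash for storing previous passwords (never keep them in clear)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password, history):
    """history: iterable of (salt, digest) pairs produced by hash_for_history."""
    for salt, digest in history:
        _, candidate = hash_for_history(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def evaluate(password, history=()):
    """Return the names of the rules the candidate violates; [] means accepted."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    if in_history(password, history):
        failures.append("reused")
    # Rule 3 as written: any run of letters that spells a complete word fails.
    if any(w.lower() in DICTIONARY for w in re.findall(r"[A-Za-z]+", password)):
        failures.append("whole-word")
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9\s]")
    if not all(re.search(c, password) for c in classes):
        failures.append("variety")
    if is_breached(password):
        failures.append("breached")
    return failures


if __name__ == "__main__":
    for pw in ("Summer2020!", "New York w1nters R c0ld!", "Qz8#mvLp2!rt"):
        print(repr(pw), "->", evaluate(pw) or "accepted")
```

In production the range lookup would call the real endpoint over HTTPS and the history entries would come from the directory’s stored hashes; the structure of the checks is the same. The breach screen is the piece that catches the reuse scenario: a password that leaked from a third-party site fails here even when it satisfies every complexity rule.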
Bottom Line
All educational organizations should have a data governance plan that lays out security policies and procedures for handling data. Districts should have cyber insurance to cover district liability for a data breach involving sensitive data, and strong local and offsite or cloud backups to protect against ransomware. Security awareness training is crucial to protect the district’s network and help staff protect themselves at home.
Kevin Richmiller is director of technology for the City of St. Charles School District in St. Charles, Missouri. Email: krichmiller@stcharlessd.org
Cybersecurity in Schools: How to Maintain Situational Awareness
Increasingly, school administrators are facing the critical challenge of cybersecurity threats.
By Bryan Kaplan
In September 2021, hackers demanded millions of dollars from the Allen Independent School District in North Texas, threatening to publish stolen personal information online if the ransom was not paid (Carter 2021). Hackers also attacked GPS routing software used by the district’s transportation workers, sending the network offline and delaying school bus routes (Gravley 2021). The school district refused to pay the ransom.
Similarly, in 2019, Georgia Tech reported a cyberattack in which hackers stole the personal data of more than 1.3 million former and current students, employees, and professors. The university attributed the attack to a vulnerable web application that allowed outside entry (Osborne 2019).
Cyberattacks are the fastest-growing crime in the United States (Freedman 2020). Cybersecurity threats are increasing at such a high rate that schools and universities are often unaware of being victims of an incident. According to research from the Ponemon Institute, organizations frequently go months without noticing a breach: the average time to identify and contain a breach was 287 days in 2021 (IBM Security 2021).
Like a natural disaster, a cyberattack can cost millions of dollars and severely disrupt an organization. An organization’s underinvestment in cybersecurity and a lack of attention to maintaining situational awareness can worsen the effects of a cyberattack. The average cost of a data breach increased from $3.86 million in 2020 to $4.24 million in 2021, according to the Ponemon Institute (IBM Security 2021). The longer it takes to identify and respond to an attack, the greater the costs.
Preparation and response time are critical components of a cybersecurity strategy. Beyond the cost of downtime and data loss, a cyberattack often affects an organization’s reputation; organizations lose credibility and trust when customers’ personal information is compromised. Here are some ways academic institutions can better manage cybersecurity preparedness to mitigate invisible threats and keep systems secure.
Efficient Communication Channels
School business officials should implement a comprehensive communications plan that involves educating faculty and students on what cyberattacks entail and what to do when attacks occur. Administrators need to fully communicate these plans to partners, suppliers, and other outside organizations and government agencies.
Steps may include informing the news media and posting on social media information about what has occurred. The U.S. Department of Homeland Security recommends using social media to effectively communicate the severity of emergencies using images, videos, and audio recordings.
Leveraging various communication channels, such as voice, text, and email, can also be an effective strategy for communicating with stakeholders. Where possible, automated systems should maintain contact with employees through users’ preferred means when regular communication channels may be unavailable.
An effective incident response platform allows emergency managers to share critical information about a cyberattack and send updates to state and local agencies. Quick communication regarding a cyber incident can help mitigate negative consequences for education institutions.
Precise and Quick Decision Making
Schools should prioritize making precise decisions quickly and using digital tools and solutions efficiently. The best decisions are made with a complete understanding of events as they unfold. Accessing real-time data on customizable dashboards creates greater situational awareness and facilitates quick decision making.
Technology can promote precise and quick decision making when it provides greater situational awareness, enhanced communications and collaboration capabilities, automated workflows, and coordination between law enforcement and school business officials.
Periodic Training Drills and Simulations
Cyberattack defense measures include regularly testing an organization’s procedures and running periodic training drills that simulate actions to take if malicious actors gain access to critical digital infrastructure. Training exercises can reduce the panic that education institutions often suffer when confronting a malware or ransomware attack.
With the help of an incident management platform, school business officials can train to respond to potential threats as often as deemed appropriate while maintaining a stronger sense of situational awareness. Through training and simulations, teams gain confidence in the tools that aid in response and are ready to act swiftly if these events unfold.
Secure Leadership Engagement
Many institutions mistakenly think that assigning a budget and a dedicated resource will automatically create resilience. Unfortunately, that isn’t enough; organizational resilience takes the preparation, training, technology, and focus of all stakeholders.
If, for example, leadership is absent during drills and staff and student leaders treat these exercises as a chore, the resilience programs are undermined. If, however, leadership and community stakeholders are present and take part in drills, the entire organization will be better prepared.
Be Prepared, Plan Ahead
No education organization, large or small, is immune to cyber threats. The consequences of a lack of preparation can be chaotic and can damage reputation and credibility. Leveraging an incident management platform empowers school business officials to gain situational awareness and streamline communications so all stakeholders can react with speed and precision.
These strategies—combined with using the organization’s data sources—give administrators a single source of truth in a cyberattack. With a solid plan for fighting back against cyber threats and responding decisively and promptly, school business officials can isolate these threats and repair the damage so students can continue their studies.
References
Carter, S. 2021. Hackers demand millions from Allen ISD, the latest district targeted by cybercriminals. Dallas Observer, October 6.
Freedman, L. 2020. C-suites: Cybercrime damages expected to reach $6 trillion by 2021. National Law Review, November 12.
Gravley, G. 2021. Allen ISD faced cybersecurity attack and attempted extortion, district officials say. Allen American, September 28.
IBM Security. 2021. The cost of a data breach report 2021. www.ibm.com/security/data-breach.
Osborne, C. 2019. Georgia Tech reveals data breach, 1.3 million records exposed. ZDNet, April 4.
Bryan Kaplan is chief information officer of Juvare, headquartered in Atlanta, Georgia. Email: Bryan.Kaplan@Juvare.com
On Alert! Are You Prepared for a Cyberattack?
School business officials can decrease their vulnerability to a cyberattack with adequate software, plans, and technology.
By Maria Parry, CPA, PSA, SFO
It isn’t just the weather that’s causing school districts to cancel classes—it’s ransomware as well. According to the K12 Security Information eXchange, since 2016, more than 1,600 cyberattacks in the U.S. K–12 community have put students’ personal information at risk and have frozen district operations.
Monmouth Regional High School in New Jersey was one of 89 school systems affected in 2019. The attack took place at the beginning of the school year. Because the district’s accounting/payroll/personnel software system was not web-based, district personnel were able to remotely dial into the desktops to access files and programs. Over the weekend, a virus had been introduced into the district system by way of an email or remote access. Nine hosts—including a virtual machine loaded with 17 servers and 20 workstations—were encrypted, as was the file link to the server backups.
When the technology supervisor realized a cyberattack had occurred, he looked for and found a “ransom note” in the files on the hard drive. Labeled “readme,” the note gave specific guidelines on how to retrieve the district files.
The technology department attempted to restore a pre-attack backup, but the attempt failed. None of the files on the hard drive were accessible.
Because the district had a cyber insurance policy, the insurance agent was notified of the situation, as were the superintendent, business office, and county office. The insurance agent put the technology supervisor in contact with the policy’s underwriter (insurance consultant), who reviewed the district files and policies and prepared a report to the district recommending changes necessary to make the district’s servers more secure. The district approved the underwriter’s negotiating the payment to recover the files.
Eventually, the ransom amount was agreed on and paid. The insurance consultant was sent the “key” that would unlock the files, and the district initiated measures to protect and preserve the affected files. The district also changed accounting software programs, purchased a higher-level antivirus program, and migrated the district financial files to a cloud-based system. This experience was a wake-up call for the district. The number of important files that were inaccessible during the lockout was overwhelming. All business administrator files for the past 20 years were gone. During the 11-day lockout (the average is 10 days), the business office could not process bills and payroll or access personnel files.
Being Proactive
Many aspects of school district technology (and technology in general) have changed since 2019, but the threat of a cyberattack has not. Whether you are a new or veteran business official, being aware of your district’s technology security plan and communicating with the technology team can help secure vulnerable areas. Although cyber insurance is not mandatory, it is highly recommended. When purchasing an insurance policy or performing an internal audit on the policies and procedures of the department, consider doing the following:
• Speak with the insurance agent about the benefits of cyber insurance.
• Discuss the data security plan with the technology team and ensure that all computers and programs are up-to-date.
• Contract with an outside firm to prepare a technology audit and obtain a report of the health of the data and devices in the district, along with a corrective action plan.
• Create a technology plan for the purchase of programs and devices and for the removal of those that are outdated or unsecured.
There are no guarantees that a district will be invulnerable to a data breach. However, business officials can reduce that vulnerability by being prepared with adequate software, plans, and technology.
Maria Parry is the school business administrator for Monmouth Regional High School in Tinton Falls, New Jersey, and a member of ASBO International’s Editorial Advisory Committee. Email: mparry@monmouthregional.net
Planning for and Responding to Cybersecurity Breaches
SBOs can prepare their districts for any level of cybersecurity breach with effective, comprehensive cybersecurity plans and processes.
By Louis J. Pepe, MBA, RSBA, SFO, and Christopher Summa
The first time you heard the expression “threat actor,” images of Steven Seagal or Liam Neeson may have come to mind. However, “threat actor” is the term most used to describe an individual or group that intentionally causes harm in the digital realm of computers, systems, and networks.
As leaders in education, school business professionals plot the course to bring our students and staff the latest technological advances that allow our students to engage in 21st-century learning. We are also responsible for ensuring that our districts have plans and processes to protect our data from and respond to cyberattacks. We provide these protections through incident response plans, which are written documents that guide our activities before, during, and after cybersecurity breaches.
How can we fully protect ourselves from a silent, unknown intruder and do so with the limited resources we manage in the public education sphere? We cannot. However, we can prepare our districts with effective, comprehensive cybersecurity plans and processes before an incident occurs.
Main Focus: Ransomware
We ensure that our systems remain operational by providing safeguards to protect our networks and the devices on those networks. This process requires continuous evaluation of our security plans, ongoing training, and sharing of best practices. Untested plans become stagnant and vulnerable to ever-evolving threat attacks.
The superintendent and district leaders in technology, operations, and education across Pennsylvania’s Lehigh Valley recently attended a cybersecurity tabletop exercise conducted by the Cybersecurity and Infrastructure Security Agency (CISA), an arm of the U.S. Department of Homeland Security, to learn about strategies to strengthen our cybersecurity plans.
The scenarios presented in the session addressed a variety of attacks, but ransomware dominated the group’s discussions. This interest is not surprising, as ransomware was the leader in proprietary cyber claims data, according to multinational insurance provider Willis Towers Watson, accounting for 32% of claims in 2022, followed by accidental data breaches coming in at 25%. Ransomware and accidental data breaches drive increases in liability coverage and loss mitigation coverage premiums.
Many ransomware attacks begin when a user unknowingly responds to or clicks a link in a “phishing” email that appears to come from the on-site administrator (for example, a link to change or modify login credentials). Threat actors use the captured credentials to reach additional internal systems and work toward administrative access to file servers and sensitive information. If successful, they lock out all other administrators and staff and hold the encrypted files for ransom, demanding payment for their release.
Negotiating one payment may not be enough for successful cybercriminals, who continue to extort the target until the target’s insurance runs out or the cybercriminals decide to move on to other marks.
Anatomy of an Effective Plan
What happens if your district becomes a victim? Who will you contact? When do you inform the public, and how do you respond to their questions? Every district needs a policy that encompasses all stakeholders.
The primary goal of an effective plan is to educate staff members (users) about best practices for cybersecurity. Whether you use free online security awareness tools or subscribe to a service, be vigilant in instructing staff about phishing: how to detect it and what to do when they encounter it.
Rather than sending a long email that they will ultimately ignore, our district sends messages to our global distribution list, including online security awareness posters that are eye-catching and grab users’ attention. These graphics are available online at no cost. (For example, see posters at https://selinc.com/solutions/sfci/cybersecurity-posters.)
More recently, we have begun looking at phishing-simulation software that gives us insight into where our people are most exposed. (Many free, open-source tools also support network exploration and security auditing, which helps tech departments find weaknesses before an attacker does.) A phishing simulation sends bait emails to staff members requesting the kind of information that real phishing emails target. End users who click the links are redirected to a customized page informing them that the email was generated internally as a test and that they need to be more alert to the emails they receive and respond to.
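One common design for the link-and-landing-page part of such a simulation, shown here in Python as an added example that is not the district’s tooling or any vendor’s code: each recipient gets a URL carrying a token that binds the campaign name and user id under an HMAC, so a click attributes to exactly one person, a second click by the same person is not double counted, and nobody can mint a token for a colleague without the server-side secret. The host name, campaign name, and user ids are assumed placeholders.

```python
"""Per-recipient tracking links for an internal phishing simulation.
Added example: not the district's tooling or any vendor's code."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholders: the simulation's landing host and a per-campaign secret
# that lives only on the server (regenerated for every campaign).
LANDING_HOST = "https://training.example-district.test"
CAMPAIGN_SECRET = secrets.token_bytes(32)
TAG_LEN = 16

_clicks = {}  # campaign -> list of user ids that clicked (in-memory store for the demo)


def _tag(payload):
    return hmac.new(CAMPAIGN_SECRET, payload, hashlib.sha256).digest()[:TAG_LEN]


def make_link(campaign, user_id):
    """Bait URL for one recipient. The token is campaign|user_id plus an HMAC
    tag, so a click can be attributed to exactly one person and nobody can
    forge a token for a colleague without the server secret."""
    payload = f"{campaign}|{user_id}".encode()
    token = base64.urlsafe_b64encode(payload + _tag(payload)).rstrip(b"=").decode()
    return f"{LANDING_HOST}/reset?{urlencode({'t': token})}"


def token_from_link(url):
    return parse_qs(urlparse(url).query).get("t", [""])[0]


def resolve_token(token):
    """(campaign, user_id) for a genuine token; None if forged, truncated or garbled."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if len(tag) != TAG_LEN or not hmac.compare_digest(_tag(payload), tag):
        return None
    campaign, sep, user_id = payload.decode(errors="replace").partition("|")
    return (campaign, user_id) if sep else None


def handle_click(url):
    """Landing endpoint: attribute and record the click once, then choose the
    page. Bad tokens get a generic not-found so probing reveals nothing."""
    who = resolve_token(token_from_link(url))
    if who is None:
        return "not-found"
    campaign, user_id = who
    clicked = _clicks.setdefault(campaign, [])
    if user_id not in clicked:
        clicked.append(user_id)
    return "teaching-page"


def click_rate(campaign, recipients):
    """Fraction of the campaign's recipients who clicked at least once."""
    return len(_clicks.get(campaign, [])) / len(recipients)


if __name__ == "__main__":
    staff = ["jdoe", "asmith", "bwong"]
    links = {u: make_link("fall-2024", u) for u in staff}
    handle_click(links["jdoe"])
    print(f"click rate: {click_rate('fall-2024', staff):.0%}")
```

A real deployment would serve `handle_click` from a web framework and persist the clicks, but the design choice is the same: signed per-user tokens are what let a district report click rates per building or department without asking staff to self-report, and the generic not-found for bad tokens keeps the exercise from being fingerprinted by anyone poking at the landing host.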
Organizational Response
The effects of a data breach extend long after the event. When one does occur, whether large or small, log that event to record what was compromised and to what degree. Depending on the information lost, a district could face legal ramifications that linger for years. Some effects are tangible and quantifiable, such as recovery costs through remediation efforts. Yet others, costly but intangible, are loss of trust, confidence, and goodwill.
Logs help law enforcement and insurance companies manage and close claims and are an excellent tool for debriefing your team and reviewing what went wrong, how the incident was processed, and what was learned from the event.
Logs must be detailed and must include important information, such as the date and time of the incident, the location, the priority, and the extent of the data breach. A form should contain the following sections:
• Incident Detector’s Information
• Reported Incident Information
• Attacking Computer(s) Information
• Victim’s Computer(s) Information
• Action Plan
• Conclusion or Summary
Escalation levels, as defined by CISA, are low, medium, and high; however, some organizations include an extreme level for catastrophic situations, such as a complete shutdown of all network services. The structure of levels assists not only in defining crisis level but also in determining how and when the organization responds.
Defined roles and responsibilities are critical to identifying who within the organization needs to take designated steps and when the incident needs to be bumped up or escalated on the basis of severity level. An escalation process provides a framework for managing the situation as the severity level increases. A severity level matrix guides organizations in their response measures by determining how incidents are handled according to their perceived or expected impact and when to escalate them should they climb to a more critical level, such as significant or severe.
An effective way to learn more about cybersecurity and ransomware attacks is to attend tech conferences in your local area and national conferences, such as ASBO International’s upcoming Annual Conference & Expo. These conferences provide attendees with real-world information that can guide districts in developing and customizing their plans and policies.
Louis Pepe is the director of business for Southern Lehigh School District, Lehigh County, Pennsylvania, an author, and a member of ASBO International’s Editorial Advisory Committee. Email: pepel@slsd.org; Twitter: @LouPepeRSBA
Christopher Summa is the technology director for Southern Lehigh School District, Lehigh County, Pennsylvania. Email: summac@slsd.org
Controlling Spiraling Cyberattacks
Understanding today’s cyber landscape is essential for all school leaders.
By Joseph Saracino
Cybercriminals have increasingly made schools a primary target. The K–12 Security Information Exchange, a Virginia-based nonprofit providing cybersecurity services to schools, reported having tracked over 1,200 cyberattacks on U.S. public school districts since 2016, including 209 ransomware attacks, 53 denial-of-service attacks, 156 Zoom-bombing attacks, and 110 phishing attacks. Primary and secondary schools, public and private schools, and colleges and universities have all been victims of cyberattacks.
In its report titled The State of K–12 Cybersecurity: 2020 Year in Review, the K–12 Cybersecurity Resource Center refers to 2020 as a record-breaking year for cyberattacks on schools. It reports that 408 publicly disclosed cyberattacks against K–12 schools or districts occurred in 2020, an increase of 18% over the prior year.
As it compiles data for 2021, the organization anticipates a higher number of incidents; data from other sources support this expectation. In July 2021, Check Point Software noted a 29% increase in cybercriminals’ targeting of schools worldwide over the previous six months.
As the data suggest, it is no longer a matter of if, but when your school may become the next target of ransomware, phishing, denial of service, or other cyberattacks. Understanding today’s cyber landscape related to the education market is essential for all school leaders. Knowing what best practices should be deployed is critical.
Latest Developments in School Cyberattacks
Schools are under siege by cybercriminals looking to access valuable, sensitive data, such as the addresses, phone numbers, and financial information of students or their parents, as well as that of educators. A high percentage of cyberattacks on schools stems directly from their information technology (IT) vendors: K–12 Security Information Exchange data found that 75% of all K–12 school breaches in 2020 came through the schools’ vendors. These and other attacks were already increasing before the pandemic, but remote learning and the technology vulnerabilities it introduced gave cyberthieves more ammunition. Having access to more technology in education is generally regarded as a good thing; however, every added system also opens new pathways for ransomware, malware, and other attacks.
No geographic region is off-limits for school cyberattacks; however, some areas have been dubbed “hot spots.” These are the states with the largest numbers of institutions and students, such as California, Illinois, New York, Ohio, and Texas. Following are some of the recent high-profile cyberattacks on schools:
• The January 4, 2022, ransomware attack on Finalsite, a leading school website services provider, disrupted access to its network of 8,000 schools and colleges in an estimated 115 countries.
• The January 2022 cyberattack on Albuquerque Public Schools forced the cancellation of classes for approximately 75,000 students for two school days.
• In a business email compromise attack on the San Felipe Del Rio Consolidated Independent School District, the district’s comptroller was sent phishing emails from cyberthieves pretending to be officials from the financial institution to which the district makes bond payments. As a result of the attack, three of the district’s four bond payments were diverted to the cybercriminals’ financial account; the district sustained a loss of $2 million.
• Classes were disrupted for school systems in Baltimore County, Maryland, and Miami-Dade County, Florida, as well as in New Jersey and Wisconsin school districts, among others.
Many more cited examples of attacks have prompted a heightened response by school leaders.
Education Leaders’ Responses
Reports of cyberattacks have become an eyeopener for school leaders who recognize the need to prioritize cybersecurity and formalize their related practices. After the Finalsite breach, for example, many school leaders realized they needed a tighter communications policy between themselves and their vendors in the event a vendor experiences a cyberattack that affects the schools. Further, many school systems now require their vendors to submit a cyberattack response plan for alerting the schools regarding attacks, along with measures to be implemented to restore their systems’ secure operations.
Schools are instituting other policies, including allowing only school devices to access the network, providing access to secure data on a need-to-know basis, and eliminating guest networks. Educating all constituents, including vendors, faculty, parents, and students, regarding sound cyber practices has also become a priority for many schools.
That education covers such practices as changing passwords regularly, ensuring that devices are protected with security software, and not opening suspicious emails. These and other essential measures should be adopted and incorporated into a comprehensive, proactive school cybersecurity program.
Measures to Manage and Mitigate Cyberattacks
In its October 2021 report to congressional requesters, Critical Infrastructure Protection: Education Should Take Additional Steps to Help Protect K–12 Schools from Cyber Threats, the Government Accountability Office (GAO) laid out federal resources for K–12 schools. Of note was a data breach scenario training kit, a guide for ransomware prevention and response, a notice on the use of malicious emails to compromise operations, a distributed denial-of-service alert, and a document covering videoconferencing disruptions.
The report’s publication came close to President Biden’s October 8, 2021, signing of the K–12 Cybersecurity Act of 2021, which authorized the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to study cyber risks affecting K–12 schools and to provide recommendations for enhanced cybersecurity.
In its report, the GAO presented an overview of the cyber landscape affecting schools. It identified the players in cyberattacks (i.e., criminal groups, terrorists, nations, and insiders with access to a school’s information system and enterprise). It delineated the responsibilities and roles of CISA, the Department of Education’s Office of Safe and Secure Schools (OSSS), and the Federal Bureau of Investigation.
THE MOST COMMON FORMS OF CYBERATTACKS
Malware is malicious software placed on a computer or network that lets the cybercriminal take control of the computer, monitor the user’s keystrokes and actions, and access confidential data. Malware most often gets onto a computer when the user clicks a link or opens an attachment.
SQL (structured query language) injection attacks target servers that store proprietary or critical data in databases managed with SQL. The attacker submits crafted input that the application concatenates into a database query, so the server treats that input as part of the query and returns, alters, or deletes data the attacker was never authorized to reach.
Ransomware attacks deploy malicious software to encrypt a school district’s data and demand a ransom in return for the district’s regaining access to its data.
Phishing attacks occur when a cybercriminal sends emails that appear to come from a legitimate organization (often one with which the individual or organization has a relationship), requesting personal data (e.g., financial account information or passwords).
Denial-of-service attacks temporarily shut down a machine or network and render it inaccessible to its intended users.
In addition, the report presented the programs and services the entities developed to help K–12 schools incorporate cybersecurity measures. It is important to know, however, that the report states that the OSSS has not kept the education subsector’s cybersecurity plan up to date: the plan was last published in 2010, although it was required to be updated every three years. As a result, the plan no longer reflects the current cyber environment.
Key Initiatives
What is clear from the report and the increasing cyberattacks on the education sector is that schools must be proactive in their own organization’s cybersecurity. That requires several key initiatives:
Detection. Every school should begin by benchmarking its current cybersecurity status. To ensure its integrity, benchmarking should be performed by a third-party cybersecurity firm and not the school’s internal IT department or its managed services provider.
Detection involves two components: (1) a comprehensive vulnerability assessment to evaluate the school’s IT systems and assess risk levels and (2) penetration testing, also known as “ethical hacking,” to determine how easily cybercriminals could enter the school’s IT systems, including the network, open ports, databases, and email.
Mitigation. Following the vulnerability assessment and penetration testing, measures should be taken to mitigate system weaknesses and vulnerabilities. Such measures range from installing firewalls, encryption software, and end-point protection to multifactor authentication, password and SSH (secure shell protocol) key management, and solutions to lock access to proprietary data.
Best practices. Best practices include data backups and backup data recovery, along with keeping up with software updates and limiting access to sensitive data to authorized staff members.
Cybersecurity policies. Policies—including best practices, responses to cyberattacks, and related communications—should be formalized in a cybersecurity policy manual and provided to all vendors and staff members who manage, use, or have access to school information systems and technology.
Training. Cybersecurity awareness training for staff should be conducted regularly to ensure that cybersecurity policies are understood and adhered to, and that staff are kept abreast of the latest developments in cyberattacks on schools. As part of this training, staff should be educated regarding the various forms of cyberattacks, including the most common forms, highlighted in the accompanying sidebar.
A cyber incident management and reporting plan. This comprehensive plan helps the organization prepare for, detect, respond to, and recover from network security incidents.
Regular review of cyber insurance coverage. A regular review ensures that the insurance covers the latest threats and is adequate in covering the school’s total exposures and liabilities.
Closing Thoughts
Avoiding the many land mines dotting today’s cyber landscape is not easy. It requires heightened awareness and the commitment of education leaders and their staffs to follow prudent cybersecurity practices.
Comparitech, a security testing site, estimates that 77 ransomware attacks on 1,740 schools and colleges took place in 2020, affecting over 1.36 million students and costing the schools approximately $6.62 billion in downtime alone. Not included were the costs associated with recovering data, restoring the computers, and implementing new security measures. These data reflect just one type of cyberattack and not the countless others that have affected schools. Vigilance is essential for avoiding financial and reputational damages stemming from a lax attitude toward cyberattacks.
Joseph Saracino is president and CEO of Cino Security Solutions Inc., in Coram, New York. Email: jsaracino@cinoltd.com
5 Ways HR Staff Can Support Cyber-Risk Prevention Efforts
Five steps human resources departments can take to help districts safeguard digital access to important data.
By Bill Haber and Dean Mechlowitz
As cybercriminals and their methods become more sophisticated, so must school systems and their prevention measures. This is an admittedly tall order, given the number and variety of network end users: students, faculty, staff, and administrators.
Remote learning, which increased during the COVID-19 pandemic, further challenges information technology (IT) professionals and school leaders trying to secure system networks being accessed from multiple locations. The good news? Human resources (HR) departments can play a key role in safeguarding digital access. Perhaps the biggest wild card in protecting schools from cyber intrusions—which can expose health information, student classifications, and professional credentials—is the very people whose information is at risk. Human behavior, already unpredictable, becomes even more difficult to control in a busy school environment where students and teachers move quickly from one task to another, logging in and out of accounts at various times throughout the day, researching different topics, and using school computers for personal as well as academic purposes.
The Problem
End users unwittingly expose school systems to cyber threats through routine behaviors that seem innocuous on their face. Many students and teachers, for example, access their school systems using personal Gmail accounts that are not protected by multifactor authentication (MFA) and use those accounts to store log-ins and passwords.
As the name suggests, MFA requires two or more authenticators to verify a person’s identity before access is granted to the school’s network. Without this extra protection, accounts can be more easily compromised, revealing school log-ins and passwords that can be used to access the school’s network and the personal information stored there.
Teachers often share their school log-in credentials with substitutes covering their classes during absences. This practice gives the temporary teachers access to lesson plans and other important information they’ll need for the day. However, if the primary teachers don’t change their password upon their return, information is at risk.
It is important to note that cyber risks are rarely the result of a nefarious attempt to gain access to a network; a breach will more likely follow an unintentional action done out of habit or in the interest of saving time.
For example, some school districts provide Chromebooks to students, who use them for academic as well as personal reasons—why carry two laptops around when one will do? And people who release emails from quarantine without spending a few extra seconds checking their legitimacy expose school networks to phishing and the potential cyber intrusions that result.
Solutions
To protect against cyber risk, school districts should assess their current system’s capabilities and vulnerabilities using standard industry methodologies, as well as proven human-driven questioning techniques to ensure the reliability of information. Districts can then implement a twofold approach, starting with system controls, such as preventing the opening of certain websites. This procedure eliminates the possibility of a hacker’s using domain squatting to trick someone into entering a fraudulent site that could wreak cyber havoc. DNS (domain name system) filtering can also be used to prevent access to such web content as gambling or adult entertainment. Simply stated, system controls should block noneducational content to lessen exposure to cyber risk.
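To make the two system controls above concrete, the following added example (not code from the article or from any filtering product) sketches the policy a district resolver could apply: flag names that imitate the district’s own domain (squatting by homoglyph, typo, or embedding) and block categories such as gambling or adult content. The district domain, the category feed, and the query log are constructed for illustration.

```python
"""Illustrative DNS-filter policy check for a school district resolver.

Added example, not from the article or any vendor product. The district
domain (reserved .example TLD), the category feed and the query log are
constructed stand-ins.
"""
import difflib

TRUSTED_DOMAIN = "exampledistrict.example"          # constructed district domain

# Categories the article says filtering should block, plus a constructed
# stand-in for a vendor category feed (queried name -> category).
BLOCKED_CATEGORIES = {"gambling", "adult"}
CATEGORY_FEED = {
    "betnow.example": "gambling",
    "nightclips.example": "adult",
    "mathpractice.example": "education",
}

# Character swaps squatters use to imitate a name; multi-character ones first.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain):
    """Lower-case, strip the root dot, and undo common homoglyph swaps."""
    d = domain.lower().rstrip(".")
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def lookalike_reason(domain):
    """Return why `domain` imitates the trusted domain, or None if it does not."""
    trusted, norm = normalize(TRUSTED_DOMAIN), normalize(domain)
    if norm == trusted:
        return f"homoglyph of {TRUSTED_DOMAIN}"
    if TRUSTED_DOMAIN in domain:            # trusted name buried in a longer name
        return f"embeds {TRUSTED_DOMAIN}"
    ratio = difflib.SequenceMatcher(None, norm, trusted).ratio()
    if ratio >= 0.9:                        # one or two edits away: typosquat
        return f"typo of {TRUSTED_DOMAIN} (similarity {ratio:.2f})"
    return None


def decide(domain, feed=CATEGORY_FEED):
    """Resolver policy for one queried name: returns (action, reason)."""
    d = domain.lower().rstrip(".")
    if d == TRUSTED_DOMAIN or d.endswith("." + TRUSTED_DOMAIN):
        return "allow", "trusted"           # the district's own hosts
    reason = lookalike_reason(d)
    if reason:
        return "block", reason              # squatted look-alike of the district
    category = feed.get(d)
    if category in BLOCKED_CATEGORIES:
        return "block", f"category:{category}"
    return "allow", "default"
```

Running `decide` over a constructed log such as `exarnpledistrict.example`, `exampledistrct.example`, `exampledistrict.example.login-help.example` and `betnow.example` blocks each with its reason, while `portal.exampledistrict.example` and `mathpractice.example` are allowed.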
The second strategy involves using HR staff to educate the entire school community on the importance of safeguarding personal information and blocking unauthorized access to the school’s digital network. HR staff members are uniquely qualified to balance district needs with those of employees, and even students. As such, these professionals must play a central role in getting the school community’s buy-in for cybersecurity efforts, which are not typically difficult but do require a change in behavior.
Here are five steps HR staff can take to support cybersecurity measures:
1. Work in tandem with IT staff to establish and implement cyber-risk prevention policies that address security concerns while ensuring workforce protections. It is important not to frame security efforts as civil liberty issues; instead, the focus should be on the need to preserve individual personal data.
2. Emphasize the importance of everyone’s participation in cybersecurity efforts. Prepare and share basic precautions with current and new students and staff members, instructing them not to share log-in credentials and to take the extra time to change passwords often and to review quarantined emails for potential phishing exposure.
3. Create a culture of cyber wellness, employing educational techniques appropriate to the learners, whether adults or children.
4. Educate school boards and other policy makers— who often concentrate on instructional and building issues—on the need for appropriate cyber controls from the standpoint of both the employee and the student. Include union officials, who can be important and valuable allies in promoting efforts to safeguard their members’ personal information.
5. Handle cybersecurity policy violations on the basis of the situation’s gravity and requisite protocols related to the individuals involved.
The HR staff can and should play a leading role in promoting cybersecurity for school districts. Their unique knowledge and skill sets position these professionals well to educate and support students, teachers, other staff members, and administrators in this important endeavor.
Bill Haber is cofounder, business strategy, with TEKRiSQ. Email: bh@tekrisq.com
Dean Mechlowitz is cofounder, technology operations, with TEKRiSQ. Email: dm@tekrisq.com
Navigating Cybersecurity Insurance
The ins and outs of a crucial part of risk management today.
By Donna Williamson
Given the amount of valuable student and staff data they collect and hold, K–12 school districts are increasingly susceptible to data breaches. Data breaches decrease community trust and damage a school district’s reputation. They also cause major interruptions in learning and operations. School districts must respond to potentially devastating breaches, but breach response is expensive. Ever-evolving government regulation further increases costs.
States began adopting data breach laws, such as California’s SB 1386 in 2003. Now, there are laws in all 50 states, as well as the District of Columbia, Guam, Puerto Rico, and the Virgin Islands. These data breach notification laws require private organizations or government entities (including K–12 public school systems) to notify individuals of a security breach involving their personally identifiable information (PII).
The laws in each state vary in how they define PII, what constitutes a breach, and how and when school districts must communicate breaches to affected parties. Although all the laws are different, they all impose increasing costs. As a result, more and more districts are taking a closer look at purchasing cybersecurity insurance to offset costs or at renewing policies already in place.
Districts may have good reasons to act now. The federal and state governments are becoming more involved with cybersecurity laws and mandates. On October 8, 2021, President Biden signed the bipartisan K–12 Cybersecurity Act into law. Although the act offers little actual reform, it does show Washington’s increasing interest in studying and regulating the space. Added regulation will increase prevention costs for school districts and response costs for insurers, driving higher premiums.
States are jumping in too, particularly in the area of regulating ransomware payments. If districts cannot pay ransoms to quickly retrieve data, they may face longer downtimes and greater response costs. These laws may then affect cyber insurance costs, requirements, and payouts. Ultimately, the district must consider the cost of the insurance versus the amount and likelihood of a payout before making a final decision.
What You Need to Do
To take advantage of cybersecurity insurance, a district must meet all the insurer’s specified conditions to receive a payout. Because of the high number of cyberattacks in recent years, insurers are evaluating their vulnerability. Rates are rising and tighter controls are being put into place. Districts that do not provide sufficient documentation or that apply without the required controls might not receive coverage, may be required to pay higher premiums, or may risk having lower coverage limits for the account.
The Consortium for School Networking (CoSN) reports that most insurers require that districts have, at a minimum, tools and protocols in place for identification, authentication, authorization, and accountability, as well as a reasonable amount of network security, including at least intrusion, firewall, and demilitarized zone traffic inspection.
A review of several cybersecurity insurance checklists suggests that districts have the following controls in place if they are preparing to qualify for or request a quote for cyber insurance:
• Remove or reduce administrative rights to reduce the attack surface. Practice least privilege enforcement.
• Manage all privileged remote sessions from vendors and employees.
• Eliminate unsupported operating systems and platforms.
• Review the environment for indicators of compromise to confirm that none are found. If found, remediate.
• Document the steps taken to detect and prevent ransomware attacks.
• Assign someone to handle all data security.
• Conduct regular security awareness training for all employees.
• Put in place written information security and privacy policies.
• Have a tested business continuity and disaster recovery plan.
• Install antivirus and firewall systems and update them regularly.
• Stay current on updates and patches for all critical information technology systems and applications.
• Back up critical data and systems regularly.
• Require employees and applicable age-appropriate students to use multifactor authentication.
• Require the use of strong passwords and force password changes for employees and age-appropriate students.
Remember, all insurers are different, and some may require additional measures. Further, this list is intended to reflect basic measures that insurers may need and is not intended to be a cybersecurity plan.
Additional Resources
The Cybersecurity Coalition for Education (cybersecurityrubric.org) is a group of edtech organizations committed to making cybersecurity preparedness and training more accessible for schools. Their Rubric for Education can serve as a guide to review a school’s current cybersecurity level using the cybersecurity framework for education. This framework has five functions and 23 categories.
To download the rubric: https://cdn.prod.websitefiles.com/63d950884eacca28676c5951/6414cdc5ce86d1136c264ede_Cybersecurity%20Rubric%20for%20Printing%202023-03%20-%20Portrait.pdf
Get Informed and Get Help
Data security in schools is a complex problem beyond the narrow scope of this article. To learn more, visit CoSN’s website (www.cosn.org). There, you’ll find a variety of educational technology tools and resources. Also read Eileen Belastock’s 2022 article “Our Biggest Nightmare Is Here” in Education Next (www.educationnext.org/wp-content/uploads/2022/03/ednext_XXII_2_belastock.pdf).
Keep in mind that a policy that may work for one district may not work for another. Law firms, companies, and organizations offer example policies online that try to “break down” the evolving state laws. But the internet cannot substitute for personalized counsel. The law is constantly evolving and varies widely across states.
A school district attorney, the district’s chief financial officer, and technical and security experts should review any proposed policy to ensure that it meets the district’s needs. It is equally important that those same entities review any renewals for those districts that currently have cyber insurance.
Donna Williamson, former chief technology officer for Mountain Brook Schools in Alabama, is a project facilitator for the CoSN Early Career K–12 CTO Academy. Email: Donna.davis.williamson@gmail.com