Survey: Cyber Top-of-Mind for Pennsylvania School Districts

According to a statewide survey, 87 percent of school districts are concerned about cybersecurity risks, but lack the resources to properly defend their systems and data.

by Emily Balser, Natasha Lindstrom, The Pittsburgh Tribune-Review / October 17, 2017

(TNS) -- A majority of Pennsylvania school districts are concerned about cybersecurity but say they don't have enough resources to prepare for potential breaches, concluded a statewide survey released Thursday by state Auditor General Eugene DePasquale.

“While a lot of attention, rightly so, is being put on the data breach at Equifax, we cannot ignore the cybersecurity needs of our school districts and local government offices,” DePasquale said in a statement.

Western Pennsylvania school districts have been preparing for possible cybersecurity attacks by setting up backup networks, buying cyber liability insurance packages and making sure their security software is up to date.

October is National Cybersecurity Awareness Month.

“The concern grows more deeply every year,” said Scott Gutowski, information and technology officer for Pittsburgh Public Schools, who oversees more than 28,000 students in 65 schools. “It is something that we constantly have to evaluate.”

DePasquale's office conducted the anonymous survey over three weeks in August and September. It received 954 responses from 177 school officials and 777 municipal officials.

More than two-thirds of respondents said they do not employ or consult a cybersecurity professional.

Of 113 school districts represented, 87 percent said they were concerned about cybersecurity, 87 percent said they expect cybersecurity risks to increase and 81 percent said they needed more resources to combat cybersecurity challenges.

DePasquale said the findings should be a “wake-up call.” He called for increased state aid, including funding, a resource center and a state agency assigned to assist during emergencies.

Potential breaches could affect everything from internal personnel data, such as Social Security numbers and tax information, to student records, including grades and special-needs education plans.

“It is a huge priority,” said Jon Amelio, chief technology officer for Allegheny Intermediate Unit, which provides support to 42 school districts countywide (not including Pittsburgh Public). “There's a lot at risk at the district levels.”

For districts with a high population of low-income students, a key piece in subsidizing cybersecurity measures has been the federal Schools and Libraries program, also known as E-rate.

E-rate is an effort under the FCC to provide schools with telecommunications and information services at cheaper-than-market rates. The program provides discounts using a sliding scale based on each district's percentage of students who qualify for free or reduced-price lunches.

Pittsburgh Public gets a 90 percent discount, Gutowski said. Last year, the district spent $2.3 million in E-rate funding, which meant it had to provide a match of $230,000.

The E-rate program dates to 1997, and for the first several years most districts used the discounts primarily on the likes of increasing bandwidth and wireless internet capability. Gutowski said the program increasingly is being used instead for cyber protection.

Several districts in Western Pennsylvania were affected by a data breach in 2016, when a Franklin Regional student launched a series of cyber attacks against more than a dozen school districts, the Catholic diocese and Westmoreland County government.

Brandon Wagner, director of technology at Hempfield Area School District, said the attack prompted his district to set up a secondary network as a backup in case the first goes down. The district also has a more robust antivirus system and is improving processes for backing up data.

“We're constantly making changes, constantly making improvements,” he said. “We have to.”

Chris Suppo, coordinator of technology with Greensburg Salem School District, said last year's student hack didn't have negative effects on the district and has not led to any changes in its cybersecurity practices.

The district takes standard precautions to protect its computer systems by regularly updating its computers' operating systems, installing antivirus software and keeping staff computers on a separate network from those used by students.

Beyond that, Greensburg Salem regularly informs employees about potential cyber threats such as phishing and ransomware attacks.

“A lot of it is really educating users,” Suppo said. “They're the first and best line of defense.”

Pittsburgh Public urges employees and students to be good “digital citizens.” The district strives to explain the significance of digital footprints and share tips for protecting personal information, including refraining from sharing logins and passwords with friends.

Freeport Area School District added a cyber liability policy to its insurance coverage this year, said Business Manager Ryan Manzer. The district has been targeted in cybersecurity attacks but not impacted by one yet.

“If we did have a breach, we know that the policies and procedures as far as protecting employee data and helping our employees through that recovery process,” he said.

Manzer said Freeport Area would be happy to partner with local universities to help prevent cybersecurity breaches.

“We're certainly always open to those partnerships,” he said.

Staff writer Jamie Martines contributed. Emily Balser and Natasha Lindstrom are Tribune-Review staff writers. Reach Balser at 724-226-4680, emilybalser@tribweb.com or on Twitter @emilybalser. Reach Lindstrom at 412-380-8514, nlindstrom@tribweb.com or on Twitter @NewsNatasha.

©2017 The Pittsburgh Tribune-Review (Greensburg, Pa.) Distributed by Tribune Content Agency, LLC.