Lean staffing levels mean few schools have someone dedicated to cybersecurity. But there are ways to stay protected.
Computer security in schools has come a long way since Ferris Bueller, the character from the hit movie of 1986, hacked the school’s network to change his absences. School districts are making progress, but with cybersecurity impacting every part of society from the election to Twitter and Netflix, it seems the education sector is still not as secure as it needs to be.
According to Verizon’s 2016 Data Breach Investigations Report, the education sector experienced 254 security incidents in 2015, including 29 with confirmed data loss. Those numbers have almost certainly increased over the last year. Likewise, education technology leaders showed a 64 percent increase in concern over privacy and security of student data since then, according to the 2016 IT Leadership Survey from the Consortium for School Networking (CoSN).
“Looking back and learning from the past, we can surmise that cyberthreats will continue and gain in sophistication,” said Steve Langford, a CoSN member and chief information officer at Oregon’s Beaverton School District. “School systems have much student and staff data that are valuable and, coupled with lean staffing levels, make us an attractive target for those seeking access and information. Regardless of size, school districts will need to invest in staff who are experienced in cybersecurity, now and into the future.”
Having a full-time staff person dedicated to cybersecurity is not possible for most school districts for several reasons. Few districts can afford to hire someone who has the skills and experience to run what has become a complex operation. Even those that have the funds are finding it difficult to hire skilled cybersecurity personnel because the demand for talent is at an all-time high. In 2015, more than 200,000 cybersecurity jobs went unfilled due to a talent shortage, according to the Bureau of Labor Statistics.
Schools are attacking the problem from a number of angles. After all, one simple solution doesn’t exist. Communities expect school districts to protect data the same way they protect a school building, but it’s a far more complicated process, said Aaron Barnett, IT director of the Moreno Valley School District and board member of the California Educational Technology Professionals Association (CETPA). “It’s like not locking your windows or doors,” he said. “Our systems should be locked so anyone from anywhere in the world can’t just walk in the school door.”
The Verizon report noted that most cyberattacks are about money. Cybercriminals pursue information they can use to steal identities or passwords to access accounts. Besides accessing sensitive personal information, cyberattacks can disrupt or devastate a school district in many ways. For instance, attackers overwhelmed Salt Lake City’s school district by an attack in 2015 that brought down its websites, phone systems and online grading system. In Minnesota, an attack disrupted student testing, and in New Jersey, extortionists shut down a district’s entire network and held it for ransom.
These are the most common types of attacks:
Phishing, social engineering or other end user attacks: Attackers attempt to infiltrate a system through the end user, such as a teacher checking email. With phishing, an email from a deceptive address tempts the recipient to click on a link and input private information such as credit card numbers or passwords. Likewise, social engineering attacks use psychology to trick users into breaking security procedures, allowing attackers access to sensitive information.
Hacking: An illicit coder, or hacker, modifies or alters computer software and hardware to steal information or disrupt usage.
Malware: Short for “malicious software,” malware is unwanted software installed on a computer without consent, and often with the purpose of gathering information or controlling the device. Viruses and worms are examples of malicious software that are often grouped together and referred to as malware.
Crimeware: this category of cyberattack covers the use of malware that doesn’t fit into a more specific pattern.
Denial of Service: DoS attacks use botnets, a “zombie” army of infected computers working in concert to overwhelm a network with malicious traffic, which can cause the entire system to crash.
Ransomware: Malicious software designed to block access to a computer system until victims pay a sum of money. Ransomware is one of the most popular attacks currently used against schools.
Internet of Things (IoT): Devices from the Internet of Things include webcams, security cameras, air conditioners, printers and anything connected to the Internet that can be infected and turned into a botnet to drive large amounts of traffic and cause the system to crash. While IoT attacks are not common, the possibility of problems will increase as buses, sprinkler systems and other devices in a school district go online.
The sheer size of some school districts makes them tempting targets for hackers, cyberthieves and online extortionists. Moreno Valley School District is one of California’s larger school systems, with about 34,000 students, 14,000 laptops and desktops, and 28,000 Chromebooks, but Barnett doesn’t have the staff to keep them all updated. That makes the technology more vulnerable to hacks and malware problems. “We think we’re at the little schoolhouse on the prairie, but we are running some of the biggest networks in the cities and becoming very vulnerable to cyberattacks,” he said.
Ten years ago, few technology departments, let alone school districts, had cybersecurity on their list of IT priorities. Today, just about everyone ranks it as one of the biggest problems facing information technology. And it’s not cheap. The Wichita School Board estimated the cost of implementing a proper cybersecurity program to be $2 million. Not many districts have that kind of cash on hand, making it hard to establish a robust set of cybersecurity policies and practices with up-to-date defenses.
“The ideal would be to have a dedicated person for security, but districts might not be able to justify it,” said Laura Iwan, chief information security officer for the Multi-State Information Sharing and Analysis Center (MS-ISAC), an organization that facilitates collaboration and information sharing among members, private-sector partners and the U.S. Department of Homeland Security on cybersecurity threats. That’s because their size and workload may not support the salary of a full-time security person, making it more practical to share a dedicated person across multiple school districts. “I look at security as somewhat like an orchestra and a conductor,” she said. “If you don’t have a conductor, everyone may be playing the same song, but not playing it well enough because they don’t have someone to guide them through the music. The key is that someone be responsible and accountable for establishing a cohesive program.”
MS-ISAC publishes a nontechnical guide to getting started in cybersecurity that focuses on institutional and organizational checklists for executives and managers. Schools can use the guide to recognize a problem, and then set up daily, weekly and monthly tasks to keep systems secure.
While the stakes are high for K-12 education, cyberattacks on higher education institutions have some additional complicating factors. Consider the research data held on networks at the nation’s universities, as well as the vast number of unsecured devices brought on campus.
Educause, a nonprofit association whose mission is to advance higher education through the use of information technology, listed information security as the No. 1 issue facing higher education in both 2016 and 2017. Yet many institutions, particularly small colleges, face the threats without a dedicated cybersecurity officer. Educause has published a free Information Security Guide to help these institutions.
John Bruggeman is the only certified computer security staff member at the Jewish Institute of Religion, where he serves as the chief technology officer and information security officer for the seminary that has four locations. But he has three network staff members versed in computer security fundamentals and incident response and remediation. Bruggeman trained through sans.org, which focuses primarily on the technical security training arena. Additionally, Bruggeman contracts with local vendors who can provide incident response assistance.
The Jewish Institute of Religion’s first incident was a denial-of-service attack in 2001. While the incident didn’t result in a data breach, it motivated him to become certified through sans.org, as well as to present at national higher education computer conferences on the topic of cybersecurity.
Bruggeman recommends other small schools focus on three primary steps:
“What I learned from that first experience was that we, the Internet, are only as strong as our weakest link,” he says. “Small schools like us can do a lot without a lot of money or a lot of staff. This is not a “technology” problem so much as it is an attitude and awareness problem.”
Some states are trying to prod schools into action to prevent cyberattacks. Missouri performs audits to help schools in the state identify where they must improve. Kevin Carpenter is IT director at Boonville R-1 School District, which participated in Missouri’s Cyber Aware School Audit. Boonville R-1 has 1,500 students and five school buildings, and employs two IT staff, Carpenter and his assistant. The two are responsible for IT for the entire district, including monitoring cybersecurity.
The audit spurred Carpenter to create some policies and procedures for monitoring and responding to cybersecurity threats. He developed a disaster recovery program, a comprehensive life cycle policy, incident response protocol, a regular forced password change and a minimum password length. This year, Boonville purchased a cybersecurity training video course for its staff.
While most school districts can’t afford a full-time cybersecurity position on an already-limited public education budget, they still have the responsibility to do the best they can with the staff they have, said Carpenter. “It’s the kind of thing that can be easily overlooked in the day to day without a clear policy and procedure,” he added. “You don’t want to be that district that makes the headlines for having an incident.”
The Orchard Farm School District is another Missouri district that underwent security auditing. IT director Bill Niemeyer oversees the district’s five schools and one full-time security administrator responsible for all computer and network security. School districts that lack a full-time cybersecurity employee can often get their district security administrator to work with contractors and automated systems to protect data, Niemeyer said. Orchard Farm utilizes a Security Information and Event Management (SIEM) architecture monitored by a third party. Niemeyer said SIEM has become a cost-effective and valuable tool for managing cybersecurity threats.
Even though Orchard Farm has several layers of technology in place to defend against attacks, the most important layer is the end user. “Security is everyone’s job,” he said, not just the job of one person in the technology department. “Districts need to create a culture that champions cybersecurity.”
Niemeyer recommends setting attainable goals for teachers, staff and students, such as a “clean desk” policy, regular password changes, and creating consistent engaging ways to incorporate cybersecurity topics into daily classroom use. Further, he suggests that all school districts should join CoSN and participate in its new privacy initiative called the Trusted Learning Environment (TLE) Seal, a set of best practices to safeguard student data.
California is an example of how one state provides assistance to its school districts as they beef up cybersecurity. Through a partnership between CETPA and a state-funded network connectivity program called K12HSN, California is offering free cybersecurity and network management professional development through the Technical Assistance Professional Development Program. It’s an approach that is gaining traction and one that IT education professionals say is needed. Moreno Valley’s Barnett said the program includes a combination of district IT staff policies and a subscription service. Having a third party who can come in and help districts recover after an attack will be an important part of the equation, he added.
While hiring a cybersecurity professional is, perhaps, the best answer to protecting a school’s data and networks, tech education professionals can follow several well regarded procedures to reduce the chances of a breach or successful attack:
Constant vigilance: Log files and change management systems can give early warnings of a breach. Also, encrypt data so that it is useless if stolen.
Back up regularly: If your network is attacked, a recent backup can help you get back to full capacity quickly without having to a pay a ransom to cybercriminals.
Good patch management: The first goal is to keep a clean machine that’s free from infections. Keep software updated and religiously apply security patches. Also make sure your Web filtering, firewalls and intrusion prevention programs are updated.
Secure the humans: This is perhaps the most important piece, said Barnett. Keep data on a need-to-know basis. Use two-factor authentication. Professional development that trains staff to recognize social engineering and phishing can go a long way toward preventing attacks.
Security awareness training has become critical as staff mistakes trigger more attacks. Chief Technology Officer Mark Finstrom of Highline Public Schools in Washington gave an example from his district, which enrolls more than 20,000 students and doesn’t have a cybersecurity specialist. A payroll technician received an email from firstname.lastname@example.org that asked for employees’ names, addresses and payroll information. The employee complied with the message, releasing personally identifiable information from nearly 2,500 employees in that attack.
Finstrom points out that the employee should have noted a couple of things. First, the email address didn’t come from a district domain. Second, the superintendent does not ask for payroll information via unsecure email. He explains that people have just become accustomed to doing everything online without always confirming the veracity of the email request. Following the incident, Highline instituted a phone call requirement before employees can release payroll data.
Some districts have started training staff by sending fake phishing emails to them to see if they get hooked. If someone does, they are rewarded with a short video that explains what to look out for in future emails. Free applications such as SecurityIQ and KnowB4 offer such training.
Finstrom has offered some of his own recommendations: Consult with vendors, read online articles from specialists, talk with your peers, and always confirm the answer.
“Knowing that threats will increase and become more complicated in nature, I believe we need to be extremely diligent to provide training and cross-training for staff,” he said. “While some districts may not be able to afford a cyberspecialist, the analyses of requirements, tools, options and communication requirements becomes something that every district must invest in.”
A version of this story originally appeared in the Converge spring 2017 magazine issue.