Don’t Push the Panic Button! (But Rather… Take Proactive Steps to Protect Yourself, Your Students, and Your Community)

by Jennifer Lotze, Instructional Technology Coordinator, Hudson School District

When most people think about cyber threats, they often picture hackers sitting in a dark basement working on multiple computer screens. However, in reality, cyber threats are everywhere and that’s the bad news. The good news is that we can all take proactive steps to protect ourselves and the data we secure. The even better news is that by taking proactive steps now and having an increased focus on cyber security, your district can minimize the impact of a cyber attack. The key to remember is that we aren’t preparing for if a cyber attack occurs, we are preparing for when a cyber attack occurs. 

We were ready and it still happened to us.

Thankfully, our staff and students have worked really hard to improve the overall cyber security posture for our district. For this reason,  we knew something was up right when we walked in the door that morning in March of 2021. We had received about 20 calls and emails from staff members reporting an odd email they had received in the early morning hours. Out of an abundance of caution, we supported the staff members as they updated their passwords and started our work to dig into what was really going on. It was critical that we not raise alarms until we truly knew what we were dealing with and we didn’t deal with it alone. We worked with the Wisconsin Cyber Response Team (a Department of Homeland Security funded group of cyber security experts that support schools at no cost) and our cyber insurance provider to get to the root of the problem. In many ways, we took our time as we dug into the data but we also focused solely on this incident. We called our building leaders that were connected to the staff members impacted right away so they knew we were connecting with their teachers. The one thing I appreciated the most about our building leaders was that they didn’t ask questions. I provided the need to know information and they worked to provide coverage for teachers who needed to update their network credentials. 

We were lucky. Things certainly could have been worse. A lot worse.

The incident we lived through was minor compared to the situations many other districts are facing. I am choosing to believe it was because we were ready. Not only did we take reasonable steps to prevent an incident in the IT department by partnering with cyber security experts, we also created a culture of asking questions. Our staff members verify the information and then trust the sender. 

The most important thing to remember is that improving the cyber posture of the district is everyone’s lift. It’s true that your friends in IT need to take reasonable precautions to protect district information and infrastructure, but in reality, because our staff members are always playing on the cyber offensive, their first response to anything that is unusual is to reach out to IT. They verify the information is accurate and then trust the sender. 

With all of that being said, what can you do to protect the data your district secures? 

• Make sure that all of your accounts are secured by two factor authentication. Most financial institutions already use this technology and our student data is just as valuable as your checking account. 

• Google Two Factor Authentication

• Outlook Two Factor Authentication

• Create a secure password and change it regularly.

• The most secure passwords are actually passphrases. A passphrase is essentially a sentence. Spaces make passwords even more secure! Consider creating a passphrase that only makes sense to you. Look around your office, what do you see? Create your password with those items. A birthdate, pets name, or child's name is often very accessible on the internet and therefore not considered a strong password.

• Ask yourself where you are currently sharing data. 

• How are files shared with your staff? Do you have spreadsheets that contain sensitive information such as assessment scores, student names, addresses, or email addresses? 

• Consider making these files private and only sharing them with the exact people who need that information. “Anyone with the link can view” means exactly that. 

• How are teachers selecting web based resources that they use in their classrooms? Do these resources require a student to create an online account? If so, the district needs parent permission to share this information with a third party application. 

• Remember, free sites aren’t really free. Typically, they are selling the information they collect to other sites for marketing purposes. As a district or building level leader, do you want to be the person that makes the decision to share student data without parent permission or knowing where that data is shared once it leaves the district?

• What rights do you have in your student information system? If someone got your password, what would they see?

• Train your staff! Teach them to question emails they receive. Phish them regularly, but also reward them for reporting simulated malicious emails. We send users an individually wrapped Swedish fish each time they report an email created by our phishing campaigns. It might seem silly, but a small gesture goes a long way when it comes to protecting district data.

While it may seem like a lot, sadly, there are some pretty terrible people out there trying to access the data your district stores. Your role as a leader in your district ultimately sets the tone for how staff, students and families will respond to new initiatives and security procedures. If we have learned anything from the incidents occurring on a daily basis, it’s that we are better if we all work together to protect district data and infrastructure.