It Takes A Village to Protect a Child: Why K12 Cyber Security is Everyone's Business 

by Brian Casey, Ed.D, Director of Technology, Stevens Point Area Public School District

If you haven’t suffered a data breach, you’ve either been incredibly well prepared or very, very lucky. Are you incredibly well prepared? - 2017 Data Breach Investigations Report

The 2017 PK-12 Cyber Threat Landscape

It has never been more important than now for schools to look at their cybersecurity practices and data privacy policies. Schools collect, store and use data from students, parents and employees. Measured by total number of users, a school district is often larger than most local businesses. Schools are dependent on computer systems and most could not function for more than a day without them. In 2016, a Minnesota school district closed for an entire day to remove ransomware installed by an employee downloading an email attachment (Hollingsworth, 2016). Another school in Minnesota paid over $25,000 for identity theft protection for all employees after an employee fell for a phishing scam and sent personal information to a cyber-scammer (Dupuy, 2017). There have been over 200 cyber-attacks on schools since January 2017 (EdTech Strategies, 2017), and if the rate of attacks continues it will make 2017 the biggest year ever for cyber-attacks on the education sector (Chang, 2017). Schools are under threat from phishing, ransomware, denial of service and even from telephone fraud using vishing.

Why are Schools Prime Targets for Cyber Criminals?

Many schools offer lucrative and easy pickings for cyber criminals. K-12 school districts are responsible for collecting and storing digital personal and financial information of staff, students and parents. These digital data include social security numbers, health records, tax records, birthdates, addresses, phone numbers, bank accounts and student records. For many hackers, obtaining information on children is often more desirable than stealing an adult’s personal information. Children do not apply for credit and their parents are not checking their credit reports. A complete set of records for a child can be used for Medicaid fraud, tax fraud and credit fraud, which can go unnoticed for years. Our communities trust schools to keep these data safe, yet schools often lack the depth of resources in both personnel and funding to provide robust cyber security. Schools typically invest in IT hardware but do not allocate a corresponding investment in their IT staff. Technical resources such as better backups, monitoring systems, storage and next generation firewalls will definitely help schools improve cyber security. Because these systems are not directly connected to instruction, they are often underfunded, under prioritized and even categorized as wants versus needs. The general rule of thumb is for districts to spend at least 2.5% on technology systems. If you think this is a lot, ask the largest employer in your District what they spend on cybersecurity. The results will most likely surprise you.

The Human Factor is the Weakest Link in Cybersecurity Defense

Technical solutions can help K12 school districts but the most important aspect of cyber security is the human factor. In 2017 phishing emails tricked one in 14 users into following a link or opening an attachment (Verizon, 2017). The mission of schools requires accessibility to information for students, teachers, parents and educational vendors. Email is the most used and accessible system for exchanging resources and communicating internally and externally. Cyber criminals are using social engineering techniques such as phishing, spear phishing and vishing to circumvent technical protections and exploit human weaknesses.

Phishing is the practice of sending out enticing emails that offer “bait” in the form of alarming messages about bank accounts, taxes, fake security or antivirus scans, rumors, free vacations and deals. The goal is to trick the user into clicking on a link or downloading an attachment. Once the user has downloaded an attachment, it installs malware, which begins to pry deeper into networks and helps steal information. Sometimes the malware is ransomware, which encrypts all of the files on the affected computer and requires the payment of a ransom before the files can be unlocked. Ransomware is quick, easy money for cyber thieves and has increased over 270% since 2013 (Glassberg, 2016). The links in the phishing emails take users to realistic looking spoofed web pages, which often convince them to divulge their account credentials. Once the cyber thieves have credentials, they can log in and start stealing information.

The days of easy to spot outlandish emails replete with grammatical errors are long gone. Current phishing emails are hard to detect. These emails are often well crafted with professional logos and spoofed email addresses and web sites. This technique has also evolved into spear phishing, which is a much more sophisticated form of social engineering. Spear phishing uses information that is available from websites and social media to design an attack directed at specific users. Often employees will be sent a fake email that looks like it came from a supervisor directing them to take action. In one Oregon school district, an employee was duped into sending the W-2s for all employees to a scammer using a spoofed email that appeared to come from the Superintendent (Foster, 2017). Vishing involves using phone calls to elicit account and personal information from employees. Scammers will pose as parents, vendors, other school districts and even governmental officials. Area codes can be easily spoofed to appear as a local number. Without training, most employees will not have the tools and knowledge they need to ward off social engineering attacks.

Employee Training is the Best Defense Against Cyber Attacks

The best defense against social engineering attacks is security awareness training. Security awareness training needs to include all employees and take place on a regular basis. If you do not have security awareness training, you need to talk to your IT department and create a plan. Schools are fastidious about training for blood borne pathogens, slips and falls and many other compliance issues. It is inexcusable and unconscionable not to offer security awareness training. Creating and implementing training is well within the means of most school districts. Your IT department, however, may not be able to design and implement a good training program on their own. They may need help from educators experienced in training staff. Ideally, schools would dedicate the same level of resources to security awareness training as other training. Creating and implementing required training for all employees, however, is a challenge for school systems. There are many options available to schools, including readymade training from companies like KnowBe4 and PublicSchoolWORKS. A good approach is to differentiate training based on roles. Districts could provide robust training to clerical workers and school leaders and use automated systems for the mass of other employees. Doing something is better than doing nothing, so do not let a lack of funds or time stop your district from taking action. Some school districts have opted for informational campaigns using, ironically, email. October is Cybersecurity Awareness Month and offers the opportunity to inform staff about the cyber security threats and their role in preventing them. Principals and school leaders can help by discussing cybersecurity topics with their staff and promoting existing policies and procedures in their District.

Principals and School Leaders Need to Support Cybersecurity

Principals face a myriad of issues every day. They have very demanding and stressful jobs. Why should they also have to get involved with cyber security? Principals are the most important factor in improving and changing anything in a school. Improving cybersecurity requires good communication and collaboration between the IT department, other district departments, and educators. When technical staff identify weaknesses they often need to implement unpopular decisions, which revoke access to online resources, eliminate outdated software, impose requirements on software approval, improve password and account management and enforce policies and procedures. Educators need to understand the “why” behind many of these changes and school leaders need to be able to defend and support new security measures.

A recent data breach in one of the largest school Districts in Texas affected 23,000 staff and students and could have been prevented by implementing better password policies (Lestch, 2017). Many school districts, especially smaller sized school districts, employ a limited IT staff that often does not have an educational background. If your District does not have an educational technology professional responsible for both the instructional and operational side of technology, it might be time to assign a school leader to that role. The worst thing any district or school can do is to build a wall between educators and technical staff. Implementing any change requires the support of principals. If school principals do not understand or support security upgrades and change, then we can be assured that our teachers also will not.

What Else Can School Leaders do?

If you have not discussed these issues with your IT team or leadership team, you need to do it as soon as possible. The odds are against us. Even with good security practices, investment and training, it only takes one person to put the entire organization at risk. It has never been easier to pull off cyber-crime. The cyber-crooks are changing their tactics faster than the countermeasures of most businesses and organizations. If you have limited time and limited resources like most schools, here is a quick guide to the most important things every school District should have for cybersecurity:

  1. Create a Cybersecurity plan that addresses prevention and steps to take when the worst happens.
  2. Implement strict password policies and restrict account access to email and all other computer systems. This costs nothing and is the easiest security practice to improve. Schools should also consider two-factor authentication.
  3. Invest in upgrading backup, storage and firewalls. If you are using outdated systems and equipment, you are practically asking to be hacked. There is simply no way around this crucial investment.
  4. Have an outside expert perform a security audit. Most districts cannot employ cybersecurity experts. These consultations are not cheap but they often provide insights, which can prevent cyber-attacks.
  5. Research, plan and implement a security awareness training program for all employees. If you need to start small, try an awareness campaign for cyber security month in October.
  6. Check your insurance. Cybersecurity insurance policies cost extra but provide districts with not only funds but also forensic experts in case they suffer a cyber-attack. This can save time in responding to a cyber-attack. The average cost of a breach is around $100,000.
  7. Network. Find out what other districts are doing and get resources for training, informational campaigns and prevention from national and state organizations such as COSN (Consortium for School Networking) cosn.org/cybersecurity, PTAC (Privacy Technical Assistance Center) ptac.ed.gov, EdTech Strategies, www.edtechstrategies.com and the Wisconsin DPI, dpi.wi.gov/wise/data-privacy. 

References 

Chang, R. (2017, June 8). K–12 Cyber Incidents Have Been Increasing in 2017. Retrieved September 20, 2017, from https://thejournal.com/articles/2017/06/08/k12-cyber-incidents-have-been-increasing-in-2017.aspx

Dupuy, B. (2017, February 13). Security breach steals tax info for all Bloomington public school employees. Retrieved September 21, 2017, from http://www.startribune.com/security-breach-steals-tax-info-for-all-bloomington-public-school-employees/413632393/

EdTech Strategies. (2017, September 19). The K-12 Cyber Incident Map. Retrieved September 20, 2017, from https://www.edtechstrategies.com/k-12-cyber-incident-map/ 

Foster, J. (2017, February 28). Redmond schools hit by major employee data breach. Retrieved September 20, 2017, from http://www.ktvz.com/news/scammer-gets-all-redmond-school-employees-w-2-info/364147629 

Glassberg, J. (2016, August 26). America's Schools Have A Big Cybersecurity Problem. Retrieved September 20, 2017, from http://www.huffingtonpost.com/entry/americas-schools-have-a-big-cybersecurity-problem_us_57bf0366e4b06384eb3e770b

Hollingsworth, J. (2016, March 17). Cloquet schools suffer 'ransomware' attack. Retrieved September 20, 2017, from http://www.duluthnewstribune.com/news/crime/3989320-cloquet-schools-suffer-ransomware-attack 

Lestch, C. (2017, January 5). Texas school district data breach affected nearly 23,000 students, faculty members. Retrieved September 20, 2017, from http://edscoop.com/texas-school-district-data-breach-affected-nearly-23-000-students-faculty-members

Verizon. (n.d.). 2017 Data Breach Investigations Report. Retrieved September 20, 2017, from http://www.verizonenterprise.com/resources/reports/rp_DBIR_2017_Report_execsummary_en_xg.pdf

 
