Schoolhouse Rock: Cyber Edition

Cyber Security, High Technology, Technology Posted Aug 30, 2019 by Doug De Orchis

With Labor Day Weekend on the horizon, one can’t help but think back on years past when this time signaled the inevitable start of a new school year. By this time, my parents made sure my trapper keeper was fully loaded with 3 hole-punched paper, folders, and some colorful pencils while my teachers were soaking up the last few days of freedom they had before returning to work.

Even as a “millennial,” I look back at my time as a student in the 90’s/early 00’s and marvel at how much the school experience has changed. Students, teachers, and faculty have far more to worry about these days security-wise – both from a physical and cyber perspective. And while the former deservedly dominates the news headlines and our share of mind, our increasingly connected school systems have seen a sharp uptick in cyberattacks – with operations shuttered while the data systems they’re dependent on are held hostage by attackers.

Today, we’re going to shine a brief light on the recent cyberattacks schools across the nation have suffered, and how they are responding to such threats.

The cyber challenges schools face today

More than 100 American school districts reported cyberattacks in 2018, likely a significant undercount of an inherently sensitive event. The weapon of choice for attackers – ransomware – is software that locks down part or all of a website until the owner pays ransom, usually in difficult-to-trace cryptocurrency such as Bitcoin.

School districts maintain reams of sensitive information about employees, students and families – all of it online and accessible to varying degrees to hundreds or thousands of employees. With annual budgets in the tens or hundreds of millions, their pockets are deep – from a hacker’s perspective – for the purposes of paying ransom. And for the majority of victims, they can’t afford not to retrieve their data.

In many scenarios, like that of the Rockville Centre, N.Y. School District, school districts that fall victim to these hackers will pay the costly ransom for a decryption key that restores all their data and operations as fast as possible. But in other scenarios, attackers are not so virtuous. Nevada’s Lyon County School District was attacked by a virus that encrypted data and shut down the phone and email systems this summer. The school district’s insurance carrier negotiated with the hackers and ultimately paid the ransom. However, only some systems were restored, and remaining assets must be slowly rebuilt by the district.

Protecting our schools – it’s a group project

In crafting more effective defenses, educational institutions have a dual challenge: executing all the must-have risk mitigation measures, and then tailoring the user experience based on the unique student/faculty/staff population. Here are some recommended strategies and tactics that can address both challenges:

  1. Limit Administrative Privileges. Cybercriminals view networks with excessive administrator privileges as low-hanging fruit. Effective malware and ransomware defense demands that privileges be granted only to staff who truly require them to do their job.

  2. Assess third-party vendors thoroughly. School administrators and IT staff must understand that if school district vendors and sub-contractors have less than optimum security protocols in place, they expose the school and student population to considerable risk. Case in point: A breach in AIMSweb (part of the Pearson Education online learning products) hacked the identities of as many as 13,000 school and university accounts in upstate New York school districts.

  3. Stay current on all application updates. This one’s for the IT staff. Executing critical patches and updates is essential to prevent new attacks. It should be a top priority of IT staff and cover third-party applications as well as operating systems. Such updates do run the risk of disrupting school operations if not coordinated correctly, but the outcome is still far better than leaving several doors open to cyberattacks.

  4. Create an ongoing cyber education program for employees. Costly ransomware attacks are caused by simple acts of opening email or clicking on a website. Cybercriminals employ social engineering tools that look non-threatening and encourage employees to click through links in fraudulent emails. Even sophisticated users can fall prey to such schemes, especially if they’re having a hectic day at work. It’s highly recommended that IT staff put continuing education programs in place that keep staff up to date on new cyberattack trends, as well as the school district’s cyber defense policies and post-cyberattack protocol.

  5. Engage students to become part of the cyber defense team. The current generation of students is the most mobile-device friendly ever. Just as IT can help train and encourage employees to be more cyber-vigilant, IT can work with teachers and administrators to help students understand how school data breaches affect them personally and can cause great harm to their peers and their school. Schools and school districts can also leverage their social media platforms to remind students and parents about hacking tactics like pop-ups linking to dangerous websites, or opening texts that are not from recognized senders.

  6. Consider cyber insurance policies tailored to schools/municipal governments. Just like Nevada’s Lyon County School District did, school systems are progressively adding cyberattack coverage to their insurance policies. Some carriers will even cover the cost of security experts to unlock computer and email systems (followed by a healthy deductible). Administrators and finance staff need to examine the costs of this type of coverage, weighing it against the cost of restoring operations from a system lockdown and/or privacy breach, and determine the appropriate level.

Keeping the issue of cyberattacks in front of all parties – administrators, IT, teachers, students and parents – is an essential step in helping to prevent costly disruption to school operations. It takes a village, but it will help the steady workflow of students’ education and strengthen defense against a data breach.