Cyberattacks, unfortunately, are all too common. They are perpetrated by individuals, groups, and even nations. In 2016, the White House Council of Economic Advisors shared that online threats cost the U.S. economy between $57 billion and $100 billion annually. Herjavec Security Group projects cybercrimes will cost the U.S. economy more than $6 trillion by 2021. This estimate doubled in the last four years. The same document articulated that “cybersecurity is a common good.”
School districts are vulnerable to hacking. A recent review by Flashpoint of a “dark web” marketplace for access to compromised RDP (remote desktop protocol) servers proved that. Two-thirds of the server information available was apparently from educational entities.
School boards should ensure that district administrators are taking cybersecurity seriously and implementing reasonable safeguards. Ultimately, it is the board’s responsibility to make sure realistic precautions are in place to protect student and staff privacy. The ability to recover data in case of an emergency or disaster also is crucial.
One of the easiest areas to address is password security. Password and account security need to be ramped up. Required password changes should be implemented at least each semester, if not every 90 days. Often information technology (IT) staff members are hesitant to require such changes since password changes take up a great deal of help desk time. Gartner Group reported that about a third of all help desk calls are password related.
Leadership should try to insulate the IT staff from these types of complaints, and at the same time, put strong password policies in place. Passwords are moving towards a dozen characters and reQu1ring! the inclusion of capital letters, numbers, and special characters. Sharing passwords with colleagues and students should be discouraged.
Boards should ask about how account security is addressed and, if necessary, draft policy to make sure best practices are followed. Account security requires that when people leave the organization, their accounts are deactivated.
Imagine my surprise when I received an email from a person I didn’t recognize from an internal account. My assistant told me that the person had been retired from the district for more than five years. Yet, he was still using a school account. Besides retirees’ emails, student teacher accounts and substitute accounts are often overlooked avenues that cybercriminals use to breach systems.
Account security should ensure users have access to what they need, but not a wide range of additional resources just because it is easier not to restrict resources. If they don’t need them for everyday work, even IT staff should have accounts that don’t provide root or core access.
Photo Credit: JAMDESIGN/STOCK.ADOBE.COM
Backup accounts with root access and a complete list of root passwords for all district resources should be maintained in a corporate safe. This is essential for data recovery and in case of the corruption or exploitation of staff accounts.
Additionally, there is some conversation in the security community about the need to address single sign-on (SSO) protocols that allow multiple data systems to use a single systemwide sign-on. When one aspect of such an SSO account is compromised, it may not be immediately apparent to the end user. Until technology catches up, some mission-critical systems may need to avoid the use of single sign-on for core users.
Boards should consider spending additional resources to support the physical and virtual separation of instructional and administrative network resources. Where possible, segment the district’s resources so instructional resources and financial and personnel information are segregated.
This makes it inherently more difficult for students or others to reach the school’s business documents. It also limits the ability of viruses and online villains to move from student documents saved in portfolios and learning management systems to payroll databases, etc.
Training is essential
Routine cybersecurity training is essential for all employees and students. Boards should insist on regular reminders and refresher training. This could be a wonderful opportunity to include netiquette and internet safety training. Cybersecurity is too important to be left as a once-a-year reminder, especially as a single individual lapse can have organization-wide consequences.
The board may consider incentives for staff and students to take part in regular training. One portion of training should be teaching staff and students to report suspicious online activities in the same way airports and other public venues remind patrons to report suspicious activities.
The board should ensure that the administration properly secures data being shared with vendors or other entities. Data security should be formally addressed in all contracts with vendors and in intergovernmental agreements. Such agreements should ensure that any data breach is reported to other potentially impacted entities.
Boards should ask about how smart devices that are attached to their district’s network are monitored. The convergence of HVAC systems, security devices, and other smart technologies is a reality. These operational technologies are sometimes known as the Internet of Things or IoT. Others define these as OT or operational technology.
Photo Credit: STUDIODIN/STOCK.ADOBE.COM
In either case, conversations to discuss cybersecurity in an open public meeting are not appropriate, just as you wouldn’t discuss the details of physical security protections. However, boards should ensure that the IT staff isn’t neglecting the convergence of IoT or OT as a potential place for security breaches.
The board should review the physical security of IT resources. Password protection and the best firewall won’t protect a piece of hardware that is kept in an unlocked custodial closet. Any complete review of IT security must include a review of the physical access to core IT devices.
A related consideration is the need to make sure the district’s technology assets are all accounted for. The inventory of IT devices (along with all other equipment and materials) should be up to date regarding condition, location, and current users. A district laptop that has disappeared from a student club but is already registered on the network beckons like an open door to a cyber thief.
Along with maintaining control of the district’s hardware assets, the staff should maintain an up-to-date inventory of software. Unauthorized software should be immediately removed. End-user downloads of software or apps from the web often can form security holes to be exploited immediately or at some future point.
As the board’s primary role is policy development and governance, it should make sure that the policies and administrative procedures that touch on cybersecurity issues are regularly reviewed. By reviewing cybersecurity frequently, the board will be contributing to the safety of students and staff as well as to the integrity of the district’s data.
Steven M. Baule (firstname.lastname@example.org) is an assistant professor of educational leadership at Minnesota’s Winona State University.