By Pam Clifton
One of the biggest security threats for school districts isn’t necessarily posed by an intruder in the building. Instead, it’s an anonymous intruder who attacks the school from cyberspace. Districts across the nation are scrambling to protect themselves from the threat of data breaches, malware attacks, phishing emails and more. These attacks are direct attempts to access and expose employees’ and students’ personal information.
These cyberattacks were once aimed at major corporations, banks and credit card companies. Now school districts’ networks are being targeted. Schools have been shut down for days and education halted due to cyberattacks. While some districts have been accustomed to closing for weather-related reasons, they certainly have not been prepared to close their doors due to technology-related attacks. The new reality is that school districts have become the victims of cyberattacks.
According to a school safety report by Campus Safety, there were 122 cyberattacks on K-12 schools in 2018. In a July 2019 Associated Press story, the FBI warned of the rise in cyberattacks against schools, but there are steps K-12 schools can take to protect themselves before disaster strikes.
Chris Warden, technology director for Central R-3 in Park Hills, is responsible for ensuring that online data for more than 2,000 students and 200 staff members is kept safe. The district has policies and procedures in place, along with equipment and software, to make sure staff and students are educated on the best practices of online safety.
“It’s important to keep data safe and secure,” said Warden. “From our SIS that holds student information on current and past students, to our financial system that holds sensitive employee data, to our servers and computers, to give staff and students access to the internet. It’s a school district’s responsibility to keep its data safe and secure and to give a safe and secure learning environment.”
One way Central R-3 keeps its data safe is to maintain policies for passwords, computer shutdowns and locking screens, and device do’s and don’ts. The district also follows procedures covering how quickly an account is disabled when a person leaves the district and who notifies whom, and provides training and professional development for staff on safe internet and computer usage.
Warden said cybersecurity is about changing a school district’s behavior because “it’s about guarding against the potential damage that can be inflicted on a district’s entire technical system, from email to student data to employee information.”
Central R-3 staff members watch an annual cybersecurity video and complete a quiz. They also participate in Security Awareness Month activities, in which each week focuses on a security topic (passwords, email safety, internet safety, student data). The tech department presents information and a weekly activity, such as a fake phishing email to see how many staff click on the email and follow the link. Room-to-room checks are also done to see which computers are locked. Candy bars are left for staff who followed procedures while “sad face” notes are left for those who didn’t.
“We try to have fun with a serious topic,” said Warden. He also sends out a monthly tech department newsletter which includes a security section.
Students complete internet safety lessons at the beginning of each school year, and the district’s librarians complete lessons throughout the year with them.
To keep Central R-3’s computers and users safe, they use a firewall, content filter, antivirus software and other protocols. They also use Google’s Admin Console for the tech department to enable policies that provide protections and scanning in emails, which either block bad emails or give warnings to staff on potentially harmful emails.
Area school district tech departments meet quarterly to discuss how they handle certain issues.
“It’s good to know what others are doing and learn from one another,” said Warden.
He’s also on the MOTechTalk planning committee, a Missouri K-12 tech department conference. At its third conference recently, security was a focus.
“Tech departments need to stay on their A-game with knowing what’s out there, what the threats are, and what can be done to prevent or stop the threats,” said Warden.
Tech Director Cory Smith has been working with an average of 1,000 students and 125 staff members at West County R-4, another school district in Park Hills, for nearly six years. They also have a Technology Security Awareness Month in November when staff members focus on cybersecurity activities on topics like phishing attempts, safe internet usage and password management.
With students, they take an even more proactive approach by limiting what they can do with district technology. In addition, there are safeguards in their district-provided email account such as restricting with whom they can communicate.
Smith said because of how sensitive student data is, the practice of safeguarding against cybersecurity attacks is a must. “Every year more school districts find themselves targets of a cybersecurity attack and it is of the utmost importance for a district and its staff to be prepared and always be proactive, not reactive.”
West County uses equipment and data protection techniques including a leading-edge firewall, group policies to prevent unauthorized usage of a district computer and a managed antivirus solution. They also employ Secure Sockets Layer certification on their information servers and use routine access control audits.
Smith said it’s a fact most data breaches begin with an employee opening a malicious email attachment or downloading an infected file from the internet.
“The best tip is to never download a file you are not expecting to receive and always consult your IT department if you question the file’s validity.”
He added that it’s also important to have up-to-date antivirus protection running on each computer and to use a trusted password manager to securely store passwords and to eliminate using the same password for multiple sites.
Josh Bauman said cybersecurity precautions are not a “one and done” type of solution but are an “ever-evolving and continuing process.”
Bauman is the tech director at Festus R-6 where he works with more than 3,000 students and close to 400 staff who have “least privilege” user rights which means they are assigned rights that are applicable to their job description. They also heavily restrict which users have administrative rights to their computers.
He said cybersecurity is about changing a school district’s behavior because it’s about “guarding against the potential damage that can be inflicted on a district’s entire technical system, from email to student data to employee information.”
Over the last few years, the tech department has added cybersecurity training to new employee orientation. They have also started randomly phishing their staff and providing overviews of how to spot phishing emails by using the Cofense PhishMe service. Since the district started using this service, staff have become much better at spotting genuine phishing emails.
“The tip I offer most is, don’t click on a link or attachment if you weren’t expecting one from the sender,” said Bauman.
They also inspect new sites being used in classrooms for compliance with federal regulations like COPPA and FERPA.
For students, online safety lessons are built into classroom instruction as required by state and federal regulations.
Jason Rooks is chief information officer for the Parkway School District in St. Louis. He and the technology department are responsible for data security for 17,500 students and 3,500 staff members.
With that large of a population, Rooks said they must create awareness through multiple avenues. Over the years, they have taken advantage of face-to-face opportunities like staff meetings, new employee orientation and professional development. They sent regular emails with topics related to cybersecurity. They held contests with small prizes for those who demonstrated cybersecurity best practices. They also tried to increase awareness around how to report spam or phishing emails. Users wanted a place to report suspicious activity or ask questions. Once they recognized that, all the tech department had to do was provide them a way to do it.
“We have implemented many layers of security and try not to rely on any one system,” said Rooks. “We also try to make security a topic of discussion for all new projects or initiatives.”
Regardless of programs, software or services used, cybersecurity must be a school district’s focus.
“The process isn’t a new process, it’s just a different process.”
He said when school districts decide to tackle a topic, they are really successful. The struggle with cybersecurity is that unlike test scores, it can be tough to quantify or measure.
“If you’re doing everything correctly, nothing happens.”
Rooks said an organization’s greatest cybersecurity vulnerability is the individual at the keyboard.
“You can spend hundreds of thousands of dollars on technical protection, but if you haven’t done awareness with users, it can all be undone with the click of a mouse.”
At Parkway, they do their best to adhere to best practices and take the layered approach to security by using basics such as content filtering and a firewall, advanced malware protection, and Domain Name System security. They are more restrictive about what end users can do on their workstations and how they can share information. The tech department shares incidents with their users so they know the challenges that are faced in protecting the district and to include them in the fight against hackers.
“The days of being naïve are over,” Rooks said. “Most of us have either been the victim of a breach or know someone who has been a victim. We all need to be suspicious of every email, robo-call and website.”
Cybersecurity is about changing a district’s behavior, from students to all staff, because it’s about guarding against any potential damage which can be inflicted on a school district’s overall system, from employee information to student data to email. School districts’ technology departments must put strong programs and protocols in place to educate staff. It takes everyone working together to ensure a school district is protected against potential cyberattacks.
Pam Clifton teaches sixth-grade English Language Arts and reading at West County Middle School in West St. Francois County R-4. She can be contacted by email at firstname.lastname@example.org.