Cybersecurity needs to be reimagined, because it’s not an IT problem

"We’ve been seen as a very lucrative and interesting target for these bad actors," says Scott Elder, superintendent of Albuquerque Public Schools. "They want to come in and hurt us. We’re educators. We’re not thinking that way. We need to start thinking that way."

Schools have adopted the assumption that cybersecurity threats can and should be dealt with by IT, and that some computer whiz is capable of deterring large criminal organizations. That’s a heavy misconception.

“If your systems go down, how do you take attendance? How do you manage the buses? How do you do food service? How do you do instruction? IT can’t build that for you,” says Dr. Tom Ryan, co-founder of the K-12 Strategic Technology Advisory Group and former chief information officer of Santa Fe Public Schools and Albuquerque Public Schools.

“You have to have continuity plans that are built by the various departments that say, ‘This is how we will take attendance. This is how we will get people on the bus.’ You need to think about that before you have the attack, not afterward.”

Ryan was joined by Scott Elder, superintendent of Albuquerque Public Schools, at the 66th Council of Greater City Schools annual conference in October. There, they conducted a cybersecurity session intended for superintendents and board members at the C level. Their message was that cybersecurity needs to become an enterprise issue.

“We were trying to take a complex issue and help people understand ‘why it’s important to me,’ says Ryan. “We have seen the awareness of ransomware and cyberattacks increase with superintendents and school officials, but we haven’t seen an associated increase in resources that are dedicated to cybersecurity or positions that are dedicated to cybersecurity. We’re seeing awareness, but we’re not seeing that awareness turned into action.”

Ryan explains that schools must consider it as a much more personal issue, similar to how we view our banks. For example, there are various multifactor-verification procedures one must go through to access their account information. The same should be done for the protection of our students, he explains, because there’s comfort in knowing that no one else can access what belongs to them.

To do so, schools must break away from relying on IT alone by developing cross-departmental teams to asses and review cybersecurity threats. “This team would have legal, it would have risk, it would have instruction and IT,” Ryan explains. “That committee then establishes a preparedness plan that can enforce those policies.”

“Bringing this cross-functional team and changing it from an IT problem to an enterprise problem means having active engagement and maybe even leadership of that security team that’s not being done out of IT. It’s assumed that they have some wizard behind the screen that’s making everything work, and it’s just impossible to do it that way.”

Elder explains that the increase in technological capabilities since the pandemic has given criminal organizations better access to their systems.

“I think most of us feel like, ‘OK those guys are handling it.’ But the reality is we had moved to more online learning as we were forced to by the pandemic, and we have created a lot more access points for these bad actors,” says Elder, whose district was hit by a ransomware attack in January. “Therefore, it’s everyone’s issue, because we all have to do our part to keep the district safe. With the increase of social media and the increase of online learning, we have just created a lot more ways into our system. And if we’re not making everybody aware that they’re a part of the solution, we’re not doing our due diligence.”

Solely relying on IT during such an event is seemingly impossible, as was evident from the ransomware attack affecting APS. Schools were shut down for five days, yet on the day students returned to school, their technological capabilities were still limited.

“When you can’t get into your information system, you can’t do basic things like verify that the person in front of you is authorized to pick up a child,” he explains. “And we had really awful dreams of handing a kid over to somebody who was under a restraining order or had lost custody. We don’t know where kids are during the day. You can’t pull up their schedule to look and see where they are. We couldn’t run school.”

Being the victim of a cyberattack usually comes with assumptions that the district did something wrong, both Ryan and Elder explain. But just as if a house were equipped with an alarm system, an intruder can break a window and enter the home, and that was exactly the case for APS.

“It’s an automatic assumption that we’ve done something wrong or that we’ve failed,” Elder says. “I actually had a board member say, ‘What were we lacking?’ We weren’t lacking anything. We were attacked.”

More from DA: Districts can only do so much to prevent cyberattacks. They need federal support

For district leaders, Elder says, getting the message out to parents and families is rather difficult as superintendents are accustomed to sharing every detail to keep the community in the loop.

“Our tendency is to share everything so that people really have a deep understanding, but it actually flies contradictory to the advice you receive from the authorities,” he says. “You have to understand that whenever you say ‘here’s what we’re doing,’ you’re telling them [cybercriminals] what you’re doing and it allows them to counter your steps. So all we could do for parents and families was reassure them that, as far as we knew, nothing had been removed and that we would notify them immediately if we received information indicating their personal information had potentially been compromised.”

So what needs to be done? In addition to getting each department involved in cybersecurity prevention, strong communication between districts and law enforcement must be established.

“Counsel (CGCS) needs to start developing a network for these information officers and tech officers to get together and share resources and strategies and talk about what happened,” Elder advises. “One of the biggest issues I think we face is that you can’t talk about what happened with other people because when you do you expose your vulnerabilities. We need to know we’re talking to secure, safe people to make sure we are sharing appropriate information and receiving appropriate support back.”

Micah Ward
Micah Ward
Micah Ward is a District Administration staff writer. He recently earned his master’s degree in Journalism at the University of Alabama. He spent his time during graduate school working on his master’s thesis. He’s also a self-taught guitarist who loves playing folk-style music.

Most Popular