Is your school district prepared to handle a cybersecurity attack, or is it not as fail-safe as it should be?
In 2019 alone, there were 348 cybersecurity breaches at K-12 schools. That number was likely far greater than reported, according to Lenny Schad, the Chief Information and Innovation Officer at District Administration and former CIO at two large school systems in Houston.
Speaking at the virtual Future of Education Technology Conference (FETC) on Friday, Schad said incidents such as ransomware attacks are on the rise, a deep concern given the amount of faculty, staff and students operating online during the COVID-19 pandemic.
“What we’re seeing is this is not a trend that is going to slow down,” said Schad, highlighting the prominent attacks on the Baltimore County and Miami-Dade systems in 2019 and 2020. “Cyber incidents have gone through the roof since start of school. We think this is a trend that is going to continue.”
Using data and information from the the Consortium for School Networking (CoSN) and the National Institute for Standards and Technology (NIST), he said no districts are safe from attacks. In fact, the smaller the school system the more likely it will be to experience an intruder – either an outside agent or one operating from the inside. Schad said 39% of incidents occurred in districts with 2,500 to 10,000 students, while 18% occurred in those with 1,000 to 2,500 students.
“What this should tell you is it doesn’t matter what size of school system you are, cybercriminals don’t care,” Schad said. “They’re looking for the areas that have the easiest ability to get access.”
What are they targeting? Social media, mobile devices, software vulnerabilities, cloud computing and third-party access. Citing CoSn statistics, Schad said bad actors find different ways to tunnel in and affect devices and networks, including: phishing, which attempts to gain access to personal information; DDoS attacks, which overburden and shut down systems; ransomware attacks, which gain access and force payments; and breaches of data and Internet of Things (IoT).
Schad said there are ways districts can work to prevent these attacks, which can take down servers, expose personal information and be a financial burden for districts. In his speaker session – “What Is Your District’s Cybersecurity Story?” – he offered up a framework for success along with a series of questions to help guide superintendents, school board members and IT leaders better manage their technology and data security.
Schad said the story must start with school leaders and IT leaders communicating effectively and clearly – and seriously addressing cybersecurity needs – or districts will end up experiencing one or more attacks. He says it is imperative for all stakeholders – not just technology teams – to share responsibility and be involved in sound decisions around cybersecurity, and understand costs, which should include separate insurance and legal counsel that deal specifically with these incidents.
He urged school districts to ask themselves these five “gut-check” questions to ensure they they are both on the right path and responding to incidents smartly:
- What is our risk exposure/profile?
- What cybersecurity actions are we taking to protect the district during remote operations?
- When a breach occurs, what is our response plan (both internal and external)?
- Whom would we engage in the event of a cyber incident?
- What are we doing to address cybersecurity with our employees, parents and students?
“We need to have the mentality of when it happens, what are we going to do?” he said. “And in between now and when it happens, what are the best practices that we’re putting in place? So now, let’s start building your story.”
From that, Schad says districts can implement five steps recommended by NIST to beat or mitigate potential attacks when they happen:
- Identify: Create a risk assessment and management strategy
- Protect: Promote awareness, instill training and protect technology
- Detect: Ensure continuous security monitoring and identify anomalies
- Respond: Forge policies for communications and response when incidents occur
- Recover: Discuss further planning, improvements and communications
For those looking for more guidance, District Administration is hosting academy sessions for CIO and leadership teams on April 20, 22, 27, 29 and on June 15, 17, 22 and 24. More information can be found at https://daleadershipinstitute.com/events/technology-leadership-academy-spring-2021/
