This article is written by John Gates, CISSP. Gates, the SNUG President-Elect, currently holds the position of Manager of Information Systems at Lake Park High School in Roselle, Illinois.
Not long ago, in a sleepy town in Central Illinois, an email request from the district Superintendent was sent to an employee asking for social security numbers and wage information for employees. Shortly thereafter, 400 school district employees had their private information compromised, and now, months later, the incident leaves a bitter taste in the mouths of families impacted by the security breach.
In fact, the email hadn’t come from the district Superintendent at all; it had come from Russian cyber criminals who knew exactly what they were doing.
If this doesn’t make you nervous, perhaps this will. From Orange County, California to Midland, Texas and from Wichita, Kansas to Independence, Missouri; from Washington County, Minnesota all the way to New York City, school districts are being hacked by bad actors every month, and in the process, millions of records and files are compromised each year. With a little bit of reflection, it’s not difficult to understand why this is happening. Cyber criminals know that security policies and practices within schools are relatively perfunctory compared to those of our counterparts in the corporate world. Accessing confidential records from a school district is fairly low-hanging fruit in comparison to businesses of many sizes.
For certain, there’s no immediate end in sight, but there are steps any school district can implement to secure its information from the rampant theft of student and personnel files. First and foremost, security awareness must be policy-driven, and like any district-wide policy, it starts at the top. It also starts with accepting the new rules of the game: information security needs to move from the dark corners and backrooms of a school district’s IT Department to a front-and-center position where everyone, from school boards to facility managers, understands that cyber attacks are now becoming commonplace. All we need to do is look at the world around us.
Every employee in a school district needs to be part of the security team. And that means every employee needs to be trained about security on a regular basis, most likely quarterly. Security awareness is about educating employees to be the intrusion detection sensors; it’s not about embarrassing them regarding mistakes that might have been made, but empowering them with knowledge and real-world occurrences. Without getting too deep into the details, all employees need to be involved for a few of the following reasons:
- Schools and their employees are still sending secure information through emails
- When cyber criminals send an email to an employee, and that employee, in turn, sends or resends it to another employee, the bad actors can see the information passed along in the email correspondence
- Inadvertently, employees can download malware that allows cyber criminals to peruse the network and capture the data they’re looking for
- Remote Access Trojans (RATs) can also be installed inadvertently from a malicious email, causing exposure of confidential information as well as network downtime
In the end, there is untoward cyber behavior around every corner and that’s why each employee of the district needs constant training.
But before that, the policies need to be tightened and refined. Most districts that I’ve been involved with either have policies that are old and need updating or have policies that simply don’t go far enough. The cyber threat landscape is constantly changing and, without question, becoming increasingly sophisticated. Policy updates are critical, and they need to be regular. It’s important to keep in mind that security is a process; it’s not one policy or a single designated tool. On the contrary, it’s multiple steps that require adaptation to maintain effectiveness and keep current.
Because of this, my suggestion has always been to conduct security awareness training three to four times per year. I find these training sessions to be far more effective when they are convened departmentally; smaller groups are a better way to discuss vulnerabilities, particularly if there are departmental idiosyncrasies that need to be reviewed.
For school districts that don’t employ security personnel, there are resources that can assist with policies and training. For instance, the SANS Institute offers Information Security Policy templates that can prove very useful, and on the LogMeOnce website, you can find valuable information and security policies from the National Institute of Standards and Technology that will go a long way in helping districts enhance their security awareness initiatives.
Finally, who should be conducting the training and who should be writing policy? The answers, most likely, rest in the school district’s resources. If there are internal resources who can draft cyber security policies, most preferably a Certified Information Systems Security Professional (CISSP), and conduct the training, that’s ideal. If those resources aren’t available, at the very least, look to the outside for policy review and development. From that point forward, the district’s IT department can conduct the training.
As budgets tighten and available time for important initiatives ranging from student achievement to curriculum excellence is at a premium, distractions are not what we need now, and cyber breaches are distractions of the highest magnitude. Think about it this way: security awareness and training within your district is a “drop-in-the-bucket” compared to the cost of providing an employee or student with a lifetime of identity theft protection. That is a cost no district can afford.