The third in the Super-Connected: Empowering Superintendents & District Leaders CoSN and edWeb.net series, “Cyber Security: A Critical School District Priority” took place on November 12, 2018. Moderated by Ann McMullan, Project Director, CoSN Empowered Superintendent Program, this webinar spotlighted the cybersecurity concerns that are rapidly becoming part of the school district’s daily operations. According to CoSN, the fastest growing and most common cyber incidents in K-12 schools are phishing attacks and unauthorized data breaches. McMullan warned that district leaders can’t “just check it off” when it comes to policies and procedures around cybersecurity. She emphasized that “it is an ongoing issue that needs to be looked at in new ways that are comprehensive, strategic, and persistent.” The three guest panelists Steve Bradshaw, Superintendent, Columbia Falls SD 6, Columbia Falls, MT, Juan Cabrera, Superintendent El Paso ISD, El Paso TX, and Dr. Gary Lilly, Director of Schools, Bristol Tennessee City Schools, Bristol TN don’t just check it off when it comes to cybersecurity.
It is not hypothetical
McMullan affirmed that “while school districts are very familiar with closing schools due to weather, we never expect to have to close schools for cyber-attacks.” Yet that is exactly what happened in Columbia Falls SD 6. What began as one strange text message quickly turned into a physical threat created by a remote access breach. This cyber security incident shut down Columbia Falls SD 6’s 25 schools for three days and impacted 1600 students, staff, and local sheriff and police departments. Bradshaw reflected on one action that he felt helped get his school district get through the cyber security attack. That action was the school district’s transparent communication approach with the community and the “honesty and integrity that went along with it.”
“Some lessons you have to learn the hard way” was how Lilly described the cyber security breaches in the Bristol Tennessee City Schools. The district was completely taken by surprise once when a HVAC controller was hacked and again when 20% of the district’s employees failed a phishing test. His takeaway, from these two events, was that liability will always an issue but as long as a school district “takes reasonable steps to mitigate the exposure, then they can weather the breaches and hacks.” These reasonable steps, according to Lilly, include the cyber security education of faculty, staff, students, and administrators and the awareness of all potential “holes” in school buildings’ infrastructure systems.
Cabrera conveyed that, as El Paso ISD tried to be more accessible for students and employees by giving them 24/7 access to their systems, they inadvertently, created access points for potential data breaches. His district’s vulnerability point did not impact student data but impacted another critical data group’s PII – employees. He described how the El Paso ISD payroll system had been hacked twice and it took an FBI team involvement to recover over $100,000 in payroll. His suggestion, for other district leaders, is to elevate the level of cyber security importance within the district to protect both students and employees. He also recommended that school districts create a cyber security team, that includes the CTO, the IT department and HR department, to collaboratively allocate resources, train staff, and heighten the awareness of school boards.
The New Reality
Cabrera affirmed that “people may think that they are late to the party but it’s ok because we are all late to the party. As our school districts are becoming more dependent on cloud technology and remote access, the safety and security of our schools has become extremely critical.” When Lilly testified at the meeting of the Committee on Education and the Workforce at the US House of Representatives, he focused on this new reality with the legislators. “I wanted them to know that cyber security and privacy are very big deals as school districts are collecting a tremendous amount of information on students, faculty, and staff. While most district are taking steps to protect that information, district leaders need the federal government to take a look at the laws and update those laws for the world that we live in now.”
Don’t Wish This on Anyone
While these three superintendents hope that no other school districts experience cyber security breaches and hacks as they described in this webinar, they understand that all school districts are vulnerable to these types of attacks. Even though Bradshaw felt as though he was the “poster child of cyber security”, he explained that it also opened the doors to reallocation of resources within the district for employee training and creation of an IT staff that was experienced with cybersecurity. For other school district leaders, Lilly recommended over communicating with all stakeholders about the district’s cyber security needs, expectations, challenges and issues. “After you think you have said it, you need to say it again. People need to hear it more than once.” Cabrera urged school districts to hire good leaders who understand that both the infrastructure and the learning and teaching aspect of technology need to be under the umbrella and protection of cyber security.”
November 30, 2018