This cyber security incident shut down Columbia Falls SD 6’s 25 schools for three days and impacted 1600 students, staff, and local sheriff and police departments.
The third in the Super-Connected: Empowering Superintendents & District Leaders CoSN and edWeb.net series, “Cyber Security: A Critical School District Priority,” took place on November 12, 2018. Moderated by Ann McMullan, Project Director, CoSN Empowered Superintendent Program, this webinar spotlighted the cybersecurity concerns rapidly becoming part of the school district’s daily operations. According to CoSN, the fastest growing and most common cyber incidents in K-12 schools are phishing attacks and unauthorized data breaches. McMullan warned that district leaders couldn’t “just check it off” regarding policies and procedures around cybersecurity. She emphasized that “it is an ongoing issue that needs to be looked at in new ways that are comprehensive, strategic, and persistent.” The three guest panelists Steve Bradshaw, Superintendent, Columbia Falls SD 6, Columbia Falls, MT, Juan Cabrera, Superintendent El Paso ISD, El Paso TX, and Dr. Gary Lilly, Director of Schools, Bristol Tennessee City Schools, Bristol TN, don’t just check it off when it comes to cybersecurity.
It is not hypothetical.
McMullan affirmed that “while school districts are very familiar with closing schools due to weather, we never expect to have to close schools for cyber-attacks.” Yet that is exactly what happened in Columbia Falls, SD 6. What began as one strange text message quickly turned into a physical threat created by a remote access breach. This cybersecurity incident shut down Columbia Falls SD 6’s 25 schools for three days and impacted 1600 students, staff, and local sheriff and police departments. Bradshaw reflected on one action that he felt helped get his school district to get through the cybersecurity attack. That action was the school district’s transparent communication approach with the community and the “honesty and integrity that went along with it.”
“Some lessons you have to learn the hard way” were how Lilly described the Bristol Tennessee City Schools’ cybersecurity breaches. The district was completely taken by surprise once an HVAC controller was hacked and again when 20% of the district’s employees failed a phishing test. His takeaway from these two events was that liability will always be an issue, but as long as a school district “takes reasonable steps to mitigate the exposure, then they can weather the breaches and hacks.” According to Lilly, these reasonable steps include the cybersecurity education of faculty, staff, students, and administrators and the awareness of all potential “holes” in school buildings’ infrastructure systems.
Cabrera conveyed that, as El Paso ISD tried to be more accessible for students and employees by giving them 24/7 access to their systems, they inadvertently created access points for potential data breaches. His district’s vulnerability point did not impact student data but impacted another critical data group’s PII – employees. He described how the El Paso ISD payroll system had been hacked twice, and it took an FBI team involvement to recover over $100,000 in payroll. His suggestion for other district leaders is to elevate the district’s level of cybersecurity importance to protect both students and employees. He also recommended that school districts create a cybersecurity team that includes the CTO, the IT department, and the HR department to collaboratively allocate resources, train staff, and heighten school boards’ awareness.
The New Reality
Cabrera affirmed that “people may think that they are late to the party, but it’s ok because we are all late to the party. As our school districts are becoming more dependent on cloud technology and remote access, the safety and security of our schools have become extremely critical.” When Lilly testified at the Committee on Education and the Workforce at the US House of Representatives, he focused on this new reality with the legislators. “I wanted them to know that cybersecurity and privacy are massive deals as school districts are collecting a tremendous amount of information on students, faculty, and staff. While most districts are taking steps to protect that information, district leaders need the federal government to take a look at the laws and update those laws for the world that we live in now.”
Don’t Wish This On Anyone.
While these three superintendents hope that no other school districts experience cybersecurity breaches and hacks as they described in this webinar, they understand that all school districts are vulnerable to these types of attacks. Even though Bradshaw felt as though he was the “poster child of cybersecurity,” he explained that it also opened the doors to the reallocation of resources within the district for employee training and the creation of an experienced IT staff with cybersecurity. Lilly recommended that other school district leaders communicate with all stakeholders about their cybersecurity needs, expectations, challenges, and issues. “After you think you have said it, you need to repeat it. People need to hear it more than once.” Cabrera urged school districts to hire good leaders who understand that both the infrastructure and the learning and teaching aspect of technology need to be under the umbrella and protection of cybersecurity.”
Source: District Leaders Take on the New Reality of Cyber Security in Schools. Tech and Learning Magazine December 2018