Safety and security in the new landscape

Ransomware can burn down a school system’s IT function in an instant. You can be locked out of what is yours and be asked to pay $1 million to get it back. Shady characters knock at the door of K-12 facilities because many schools, specifically public schools, do not have the top end resources for cyber defense. 

Armor, a security company, reported 500 cases of ransomware attacks on schools the first nine months of 2019.

As Executive Director for Information Services for the City Schools of Decatur (Georgia), Eston Melton is tasked with overseeing an independent public school district on the outskirts of Atlanta that includes nine schools: one early childhood learning center, five K-2 primary lower elementary schools, two 3rd-5th grade upper elementary schools, one middle school and one high school. In total, there are approximately 5,700 students in Melton’s stead.

One of the key items on his agenda is to protect their safety—inside and out. That means blocking multiple doors, front and back, which he calls “defense in depth.” Melton says protections also must be built into email, individual computers and firewalls that monitor and can limit traffic by geography, or by the protocol being used to exchange information. Lately, the cleverest of the criminals is launching spear-phishing attacks on employees with emails that look authentic.

Some of the best security, Melton says, is training K-12 employees on what to look for in the spear-phishing. Another key component of a secure system is that access to information should be limited to what people need to do their jobs.

Meria Carstarphen believes that technology in schools has to keep pace with today’s cyber criminals. As superintendent of Atlanta Public Schools (APS), she leads the district’s nearly 52,000 students, 6,000 full-time employees and 87 schools, and oversees the system’s $1 billion annual budget. Before coming to Atlanta, she worked as a superintendent in diverse, major metropolitan public school districts like Austin, Texas, and Saint Paul, Minnesota.

From what her experience has taught her, artificial intelligence (AI) is a tool of choice. “There is a move toward the use of AI and machine learning in technology solutions. This significantly enhances the capability of systems and allows them to become better over time as they ‘learn’ your environment.”

Atlanta Public Schools has a host of defensive strategies in cyber warfare, such as randomized administrator passwords (LAPS), implementation of a non-traditional antivirus solution (Cylance), and making strategic changes to segment students from accessing staff networks and systems.

But for public schools, funding can be an issue. With corporations, if there is not a solution in-house for a cyber-related challenge, they can turn to outsourcing. But that is expensive and beyond the budgets of some school systems.

“Outsourcing gives the district some more flexibility to find top talent in specific technologies,” Carstarphen says. “Outsourcing, of course, is very expensive. APS uses a hybrid approach. We have a small security team, but use external vendors to support our needs.”

The problem is that most organizations, including school districts, do not invest significantly in cyber security until after a breach has occurred. “K-12 CTOs are incredibly mindful about the importance of investing and advocating for resources when it comes to cyber security,” Melton says. “We need to make every dollar count. So when you do have limited resources, compared to IBM, then we need to be really mindful that we’re putting as much as we can into ensuring a safe data environment.”

“We need to make every dollar count. So when you do have limited resources, we need to be really mindful that we’re putting as much as we can into ensuring a safe data environment.”

— Eston Melton, Executive Director, IT Services, City Schools of Decatur (Georgia)

Getting aligned means being protected

Educators say that one of the best defensive mechanisms is making sure your security program aligns with the National Institute of Standards and Technology (NIST), or other security frameworks. 

The Partner Alliance for Safer Schools (PASS) released the fourth edition of its Safety and Security Guidelines for K-12 Schools. The guidelines give school administrators, school boards and public safety and security professionals guidelines for implementing a layered and tiered approach to securing and enhancing the safety of school environments.

One of the challenges for school cybersecurity is the laptops students and teachers can take out of the building. They hook up to a Wi-Fi network outside the school and guard rails can come down. So the system not only has internet content filtering within the school hallways, but there is also a safety net outside of the school.

“We have extended that protection to include take-home devices that we have recently provided to 1st, 2nd, 6th, 7th and 8th grade students as part of our Digital Bridge program,” Carstarphen says.

And what happens if your school system does not successfully fight off an attack?

“A big piece of the incident is recovery and so part of an incident response is ensuring that you have the backups that you need to throw back onto a machine if it has been compromised,” Melton says.

Then there are the human elements that play into cybersecurity.

One of the key parts of a school system’s defense is accepting “false positives” from staff. There is no such thing as “crying wolf” and being overly suspicious. “The false positive is great because someone’s just had their spidey sense triggered, and they’re asking for help, they’re asking for guidance,” Melton says. “And, you know, there’s no shame when we go back and say ‘No, this is legitimate.’”

Melton says there is also no shame in admitting when a defense mechanism did not work. “I don’t know this is necessarily written in anyone’s checklist, including our own, but I think a hallmark of a good incident response is a bit of humility and getting back up on your feet and recognizing what went wrong, and have we restored this system in a better condition than it was. If you don’t figure out how someone got in in the first place, you are just inviting them to come back.”

In the end, the key is to respect the cyber criminal. Do not assume you are smarter. This is not a side hustle; it is their day job to find unprotected W2s, Social Security numbers and other confidential information. “It’s hard work to break into systems,” Melton says. “The criminals do the hard work because it pays off. So when they knock on your door, make it so it is not worthwhile for them.”

The truth is that criminals will not stop trying, so you must be determined not to let your guard down. “We don’t know what will hit us and it would be arrogant for me to say that nothing bad will ever happen,” Melton says. “We’ve done a pretty good job, I think, modeling and preparing and reaching out to experts to think through what we might need to confront. Security and privacy are never far from our mind.”