When it comes to cybersecurity, school districts don’t present the content-rich targets that major corporations or government agencies might, but they also don’t have the same resources to protect themselves, says Jim Flanagan, chief learning service officer at the International Society for Technology in Education.
For example, he’s heard about several districts that fell victim to “ransomware” scams in which hackers hold a network or data hostage until they are paid off. “That’s a definite concern – breaches from individuals not being as guarded as they could,” Flanagan says.
Finding the right balance of network and server infrastructure security can be tricky, says Wayne Donjon, technology director at Desoto 73 School District in Shawnee, Kansas, which has four schools and slightly less than 3,000 students.
“The most secure thing would be to shut everything off and not offer the services,” he says. “But that doesn’t work. We’re making sure we have a data governance program. A lot of school districts probably don’t have these things hammered out.”
Phishing and spam campaigns are perhaps foremost on the mind of Emil Ahangarzadeh, coordinator of technology integration services at Santa Ana USD. “We get thousands of these,” he says. “We’re not Chase Manhattan. We’re not a military facility. But we have accounts. There is plenty of opportunity for identity theft. We have Social Security numbers.”
Flanagan suggests that districts consider moving their data and information to the online “cloud” rather than continuing to maintain their own servers, given the continuously updated expertise that’s necessary to prevent breaches. “They need trusted partners who are experts in cybersecurity and be renting that service vs. continually having to staff for the latest expertise,” he says.
Districts need to be on guard against inside jobs when it comes to preventing hackers from shutting down servers, particularly at certain sensitive times, Flanagan says. “A student can, for $50, or even free now, download denial-of-service protocols and shut down a district, just as a high-stakes test is about to happen, not coincidentally,” he says.
Schools and districts need to train faculty, staff and students to be appropriately suspicious and think critically when opening an email or attachment that looks unfamiliar, Flanagan says. “You need increasingly sophisticated network managers,” he says.