Imagine someone breaking into your house, staying there undetected for four years, and stealing from you the entire time. That is exactly what happened to global hotel chain Marriott, virtually speaking.
In 2014, cybercriminals broke into Marriott’s reservation system. By the time an internal security tool detected them in 2018, approximately 500 million guests’ personal data, including names, mailing addresses, phone numbers, email addresses, and passport numbers, had been compromised.
In an age when each of us is leaving a permanent digital footprint, Marriott’s story is quickly becoming the norm, not the exception. In fact, a report by the K-12 Cybersecurity Resource Center noted that last year, a public education institution suffered a cyberattack every three days.
School districts that do not make cybersecurity a priority often pay the price in the form of downtime, unexpected administrative costs, and, perhaps most importantly, loss of public trust. They also have to consider potential fines for exposing data protected under the Family Educational Rights and Privacy Act.
Why School Districts?
School district computer systems are rich with student Social Security numbers, birthdates, addresses, health records, and other personally identifiable information (PII). For cybercriminals, PII is an asset that can be bought and sold as easily as a car or house.
Most of these clandestine transactions take place anonymously on the dark web, a section of the internet that is inaccessible without special software. The going rate for a Social Security number on the dark web is about $1. A driver’s license is worth around $20, and medical records fetch up to $1,000.
Exacerbating the issue is the fact that criminals consider district data low-hanging fruit. That is because in many cases, cybersecurity investments have not kept pace with the influx of educational technology.
Every computer, tablet, and interactive whiteboard on which students consume content represents a potentially open doorway into a district’s network. The same goes for visitor management systems; cafeteria cash registers; smart heating, ventilation, and air conditioning systems; and anything else connected to the internet. If the network is not protected, criminals simply choose the easiest path and let themselves in.
Cybersecurity Golden Triangle
When talk turns to cybersecurity, we often think of firewalls, spam filters, and other tools best left to information technology (IT) professionals. Technology is certainly a core element of any solid cybersecurity program, but it alone cannot keep criminals out and data in.
Technology has to work in concert with the other two-thirds of the cybersecurity golden triangle: processes and people.
Processes serve as a roadmap for preventing cyberattacks and responding quickly and effectively when attacks happen. Led by a chief information security officer, people do their part by consistently following processes and reporting potential breaches immediately.
Building a cybersecurity program requires funds that are often in short supply. Any district that wants to make a case for cybersecurity should start by demonstrating the potential returns.
Money for Nothing?
A recent winter morning started like any other for one Texas school district. But when employees tried to log onto their computers, they were greeted by a disturbing message that derailed their day:
The files on this computer have been encrypted. You have seven days to submit payment via bitcoin, or all files will be permanently deleted.
This real story is an example of ransomware, a type of malicious software (malware). Ransomware encrypts, and thereby locks, computer systems, files, or data, or steals data outright, and then holds it for ransom. Once that happens, no security software or system can restore or return it.
Furthermore, paying the ransom doesn’t guarantee criminals will return the data. A strong security program that incorporates technology, processes, and people can be the only thing standing between a district and a difficult decision:
- Technology: Spam and web filters can block malicious emails and websites that expose networks to malware. If attackers get past filters, real-time alerting tools, such as network intrusion detection systems, are designed to catch them before they have the chance to wreak havoc.
- Processes: Districts can control the risk associated with malware by requiring employees to contact IT before downloading software, regularly reviewing event logs for suspicious network activity, and saving backup files on a server that cannot be accessed from the network.
- People: Employees should be trained to recognize the red flags of malware, such as frequent computer crashes, unfamiliar error messages, and unexpected pop-ups, and report them immediately. Because malware often takes advantage of software vulnerabilities, employees should consistently allow their computers to download the latest patches.
The National School Boards Association cites ransomware as one of the top five cybersecurity threats facing schools. Still, criminals don’t always confiscate district data and make ominous demands for payment. Sometimes they just ask nicely.
The TASB Risk Management Fund recently issued an alert about a wave of cyberattacks targeting Texas school districts. Criminals searched school websites for board packets, check registers, and other public information to identify district vendors and business partners. They then used that information to craft emails that appeared to come from legitimate parties.
The emails asked unsuspecting district staff to send payment for services rendered, such as construction-related work. In each case, criminals walked away with more than a half million dollars in district funds. This is known as phishing—the practice of sending fraudulent emails purporting to be from reputable companies with the intent of gathering information or requesting payments.
Well-trained staff can be a district’s first line of defense against phishing attacks. Employees should learn to recognize fraudulent emails that slip past spam filters. Common red flags include requests to open an attachment or enter credentials, as well as subject lines with words such as payment, transfer, or urgent.
Cybersecurity experts have also traditionally advised users to be wary of emails that include spelling errors and poor grammar. As scams get increasingly sophisticated, however, staff should not assume an error-free email is legitimate.
Strong processes can provide an additional layer of security against phishing. For example, districts could ask each vendor to assign a single contact who has exclusive authority to request payments or changes to a contract or invoice. Every time a district employee receives a transaction request from the vendor, the employee calls the number on the contract and confirms the request with the designated contact.
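As an added example that is not part of the original article, the following Python script applies the red flags listed above and the designated-contact process to an incoming payment request. The vendor registry, contact address and phone number are constructed placeholders; every request is held until staff confirm it by calling the number on the contract, never a number taken from the email.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed vendor registry (hypothetical values): each vendor's single
# designated contact and the phone number printed on the contract.
VENDOR_CONTACTS: Dict[str, Dict[str, str]] = {
    "acme builders": {"contact": "j.doe@acmebuilders.example", "phone": "555-0100"},
}

# Red flags the article lists for emails that slip past the spam filter.
SUBJECT_WORDS = ("payment", "transfer", "urgent")
CREDENTIAL_RE = re.compile(r"(enter|confirm|verify) your (password|credentials|login)", re.I)


@dataclass
class Request:
    vendor: str            # vendor the sender claims to represent
    sender: str
    subject: str
    body: str
    has_attachment: bool = False


@dataclass
class Triage:
    flags: List[str] = field(default_factory=list)
    call_number: Optional[str] = None   # taken from the contract, never from the email


def triage(req: Request) -> Triage:
    """Hold the request; return the red flags found and the number to call back."""
    t = Triage()
    t.flags += [f"subject says '{w}'" for w in SUBJECT_WORDS if w in req.subject.lower()]
    if req.has_attachment:
        t.flags.append("asks staff to open an attachment")
    if CREDENTIAL_RE.search(req.body):
        t.flags.append("asks staff to enter credentials")
    rec = VENDOR_CONTACTS.get(req.vendor.lower())
    if rec is None:
        t.flags.append("vendor not on file")      # nobody to call; escalate instead
        return t
    if req.sender.lower() != rec["contact"]:
        t.flags.append(f"sender is not the designated contact {rec['contact']}")
    t.call_number = rec["phone"]                  # payment released only after this call
    return t


if __name__ == "__main__":
    # Constructed sample modelled on the vendor-impersonation emails described above.
    sample = Request("Acme Builders", "accounts@acme-builders-pay.example",
                     "URGENT: payment for construction work",
                     "Please wire the retainage to our new account below.")
    print(triage(sample))
```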
To learn more about phishing scams and how districts can protect their employees and their funds, visit tasbrmf.org/phishing.
Expert Help from the Fund
The TASB Risk Management Fund provides cybersecurity and data incident response coverage to members of the Property and Liability programs. Losses will be covered if members work with Fund vendors on response and recovery. Members that suspect they have been the target of cybercrime should call the Fund immediately at 855.295.8344 to report a claim.
Republished with permission from the April 2019 edition of Texas Lone Star magazine, published by the Texas Association of School Boards.