“Are you ready for your security breach? No longer is it a matter of if or when. It is simply going to happen. It may have already happened and you just don’t know it.”
That’s Ryan Cloutier, an edtech security specialist, framing the security challenge for educational institutions with implacable candor.
Cloutier was speaking Wednesday at a webinar on cybersecurity sponsored by the Consortium for School Networking during DC CyberWeek, presented by EdScoop’s sister publication, CyberScoop.
Three other edtech and security professionals joined Cloutier on the panel: Diane Doersch, chief technology and information officer for the Green Bay Area School District in Wisconsin; Amy McLaughlin, information services director at Oregon State University; and Nathan Mielke, director of technology services at Hartford Union High School in Wisconsin.
Making a plan — then improving it
Cloutier, principal security architect at TIES, a technology collaborative in Minnesota that helps school districts enhance their use of technology, said that education data has accounted for 2 percent of all data breaches in 2017 alone.
“That number is higher than health care, social media and retail,” he said. “While those data breaches get all the media attention, it’s actually education data that is seeing a larger uptick in breaches.”
The situation could even be more severe than it appears: some states fail to report education breaches at all. “It isn’t that they haven’t had them. It’s that they’re not reporting them,” Cloutier said. “That’s a bad trend that we see in the education industry — a bit of covering up of the breach or, worse yet, not knowing that it’s happened at all.”
The most important thing is having a plan before a breach happens, he said, “so you know what to do, who to call, how to get the insurance company involved and when to get legal involved, and if you need to notify the attorney general.”
To start, districts must have robust policies around data privacy and acceptable data use for staff, students and the community, and then implement procedures that back up those policies, Cloutier said.
“You also need to identify and rank your risks,” he said. “You won’t be able to solve everything. It’s too cost-prohibitive and time-prohibitive. So having an idea of what your risks are and ranking them by priority is going to allow you to effectively manage any data breach that you have.”
Finally, he said, “Strive for continuous improvement. Starting today, one step in the right direction is better than no steps in the right direction. Every day, strive to improve upon and apply lessons learned as you navigate through this never-ending journey of security.”
Heightened risks for students, classrooms
Doersch noted that the data of children is 51 times more likely to become the target of identity thieves than that of adults.
“No credit history and virtually unused Social Security numbers are what make children the focus of identity thieves,” she said. “Many times young adults don’t realize they’ve had their identity stolen until they’re applying for a first loan and they’re rejected for poor credit and debt that they did not accumulate.”
She also stressed that risk increases as more and more online classroom resources are based in the cloud and student data flows outside the confines of school district firewalls.
“It’s important for school districts to set up processes and guardrails for teachers so that they have guidance on selecting learning resources that are both educational and safe,” Doersch said.
Green Bay officials also have implemented a program called GBAPS Secure, a set of processes and materials to help teachers and administrators ensure that the district is compliant with laws intended to protect the data of students and their families, she said.
In addition, the district issues at the beginning of each term a “red list” of online resources not approved for student use “because they don’t provide the necessary level of student data privacy or don’t align with the district’s curriculum and instructional framework for the identified content areas,” she said.
McLaughlin said that phishing — in which scammers attempt to trick email or messaging users into supplying critical data — is one of the most common attacks today on organizations. Further, there has been a huge surge of phishing attacks this year on schools, colleges and universities, she said.
“These attacks ask for important information like passwords, bank account numbers, W-2 forms and Social Security numbers,” McLaughlin said. “This type of attack is based on [casting] a wide net to see who can be caught in the attack.”
The average cost of remediation for a data breach is $245 per individual record loss, she said, a cost that can multiply quickly when it involves hundreds of individuals’ records.
“Additional costs are a loss of productivity for employees and students, documented increases in anxiety and depression among victims, and loss of institutional trust and reputation with your parents, your students and your staff, which has a long-term impact on an organization,” she added.
Preventing phishing attacks, she said, requires a three-pronged approach involving people, processes and technology.
“People are the first line of defense,” she said. “Train staff and students about phishing early and often.”
Taking necessary precautions
Schools also should develop processes for handling data requests and critical data, such as W-2 forms, according to McLaughlin.
As for the technology piece, schools should avoid public access to listservs, stop putting email addresses on web pages to prevent harvesting and screen scraping, and deploy email filtering — but don’t rely entirely on filtering to handle the risk.
“There are no perfect technical solutions,” she added.
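The technology prong McLaughlin describes is usually implemented as a scoring filter in front of the mailbox. As an added illustration (not code from the article, the webinar or any of the panelists' institutions), the Python below scores three constructed sample messages on the signals the panel names: requests for passwords, W-2s, bank details or Social Security numbers, pressure language, a Reply-To routed to a different domain than the sender, and links that point away from the sender's domain. The internal domain `example-district.edu`, the keyword lists and the thresholds are assumptions. The third sample is the reason she warns against relying entirely on filtering: a message spoofing an internal helpdesk address with a lookalike sign-in link carries none of the keyword signals and is delivered, which is where trained staff and a process for handling data requests have to take over.

```python
"""Phishing triage heuristics run over constructed sample messages.

Added example; not code from the EdScoop article or the webinar panel.
The domain, keyword lists, weights and thresholds are assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Kinds of data the panel listed as typical phishing asks.
SENSITIVE_REQUESTS = ("password", "w-2", "social security", "ssn",
                      "bank account", "routing number")
URGENCY_WORDS = ("immediately", "urgent", "within 24 hours", "suspended")
URL_RE = re.compile(r"https?://([a-z0-9.-]+)")


def _domain(addr: str) -> str:
    """Lowercased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def score_message(raw: str) -> tuple[int, list[str]]:
    """Score one plain-text RFC 822 message; higher means more phishing signals."""
    msg = message_from_string(raw)
    text = msg.get_payload().lower()          # assumes a single text/plain part
    subject = msg.get("Subject", "").lower()
    score, reasons = 0, []

    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])

    # 1. Replies silently routed to a different domain than the sender's.
    if reply_domain and reply_domain != from_domain:
        score += 2
        reasons.append(f"reply-to domain {reply_domain} != {from_domain}")

    # 2. Requests for sensitive data (capped at 2 points).
    asks = [k for k in SENSITIVE_REQUESTS if k in text]
    if asks:
        score += min(len(asks), 2)
        reasons.append("requests sensitive data: " + ", ".join(asks))

    # 3. Pressure language in subject or body.
    if any(w in text or w in subject for w in URGENCY_WORDS):
        score += 1
        reasons.append("urgency language")

    # 4. Links that point somewhere other than the sender's domain.
    foreign = sorted({d for d in URL_RE.findall(text) if d != from_domain})
    if foreign:
        score += 1
        reasons.append("links to " + ", ".join(foreign))

    return score, reasons


def classify(raw: str) -> str:
    """Map a score to a filter action; thresholds are constructed."""
    score, _ = score_message(raw)
    if score >= 4:
        return "quarantine"
    if score >= 2:
        return "flag"
    return "deliver"


# Constructed sample messages.
PHISH = """\
From: District Payroll <payroll@example-district-hr.com>
Reply-To: hr.records@mailbox.example
Subject: Urgent: W-2 verification required

Please reply immediately with a copy of your W-2 and your Social Security
number so we can correct your records before the deadline.
"""

LEGIT = """\
From: Jane Doe <jdoe@example-district.edu>
Subject: Thursday staff meeting agenda

The agenda for Thursday is on the shared calendar entry. See you there.
"""

SPOOFED = """\
From: IT Helpdesk <helpdesk@example-district.edu>
Subject: Mailbox storage notice

Your mailbox is almost full. Sign in at
https://mail-example-district.example/login to keep receiving messages.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT), ("spoofed", SPOOFED)):
        score, reasons = score_message(raw)
        print(f"{name:8s} score={score} action={classify(raw)} {reasons}")
```

The spoofed sample scores a single point, for the off-domain link, and is delivered: the filter has no keyword to catch and nothing in the headers it inspects contradicts the forged sender. That gap is the argument for the people and process prongs rather than for adding more rules.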
Communication is key
Distributed denial-of-service (DDoS) attacks, said Mielke, also present a major challenge for schools. The attacks are designed to shut down a machine or network, making it inaccessible to its intended users.
Mielke’s own school had firsthand experience with one a year ago.
“When we had a Cybersecurity Awareness Day, we actually had a real, live distributed denial of service that cut off our access to the things we were going to do during that 45 minutes,” he said.
“But it was a real-world teachable moment that I was able to share with the whole school over the PA. We [decided] it was somebody internally who knew about this awareness event and dialed up a DDoS attack just for that time.”
The chief “killer app” is communicating to students the severity of instigating a DDoS on the school, he said.
“While there are technical solutions to combat this, what I and others have found is that communication and relationships save the day at the end of day,” he said.