In the age of the Equifax breach, school administrators tighten data security:
Cybersecurity is an expensive challenge to tackle, but a fatal one to ignore. Last year, state analysts identified the fingerprints of a cybercriminal on finance software at Clackamas Education Service District.
“They didn’t get any data, but it scared us,” said Stuart Long, chief information officer at Clackamas ESD. “We were very lucky. We’re trying to prevent that from happening again. We want to get everybody better educated.”
“Eighty-five percent of cyberthreats occur by taking advantage of or tricking people. This is called social engineering.”
Long swiftly organized a task force to elevate cybersecurity awareness in Clackamas County schools. For initial advising, he reached out to the Federal Bureau of Investigation (FBI) and the Multi-State Information & Analysis Center, the focal point for cyberthreat prevention, protection, response and recovery for the nation’s government entities, including schools.
The group meets to learn to identify and prevent cyberthreats. Joining Long on the task force are four business managers from Clackamas ESD and its component districts, three information technology directors, three communications staff, and two superintendents. Eight of the ten Clackamas County school districts are participating in the group.
Internet security became a focal point in mainstream conversation last year when 145 million people had sensitive information compromised in the Equifax data breach.
“IT security is one of those things everybody is waking up to after that (Equifax) identify theft incident,” Long said. “It’s becoming less of an IT-only conversation and more of a let’s-work-on-this-together conversation.”
He compared minimizing risks in using the internet to driving a car. Even though laws for speed limits, seatbelts, airbags and distracted driving have minimized driving risks, car accidents still occur.
In forming the task force, Clackamas ESD is positioned at the forefront of guarding its school districts from cyberthreats. Only 15 percent of school technology leaders nationwide have implemented a cybersecurity plan in their district, according to Education Week.
Determining threats and risks
At the February 14 task force meeting, Stefan Richards, the chief information security officer for the State of Oregon; Leslie Golden, an IT security consultant and president of Instill Security; and Wayne Machuca, faculty at Mount Hood Community College for the Oregon Center for Cyber Security; guided a conversation about risk and vulnerability.
Eighty-five percent of cyberthreats occur by taking advantage of or tricking people. This is called social engineering. For example, a cybercriminal will trick someone into offering sensitive information, such as a bank account, a social security number or a login password. And district staff safeguard and store a large amount of sensitive data about students and staff.
In the coming months, the task force will help districts prioritize their biggest threats, will consider threats on a countywide level and will set goals to address the threats. The task force will meet with Clackamas County district superintendents to report its findings and their next steps. Staff culture and cybersecurity awareness education will likely take center stage.
Budgeting for a new priority
With school district budgets stretched, Long said, “Schools are scrambling. A lot of schools don’t have the money or the knowledge as to where to get started.”
As the group moves forward, it will continue to seek out resources. Long said the state has indicated a willingness to help locate resources. By working together, members of the task force can share resources. Already the group is sharing its knowledge with Clackamas County school districts. Some districts asked Long to arrange for an FBI special agent to speak to their staff.
Cyberthreats are increasingly sophisticated as criminals research individuals and target attacks. Last year, Southern Oregon University unwittingly paid $1.9 million to a criminal posing online as a university contractor.
“This is not a fix-it and you’re done kind of problem,” Long said. “This is an ongoing problem. And it’s not a problem any of us can solve on our own.”
If you believe your school computer has a phishing threat or has been compromised, contact your district’s IT team immediately.