“The best of times are when nobody knows we exist.”
That’s pretty much the way Andrew Winter, Clackamas ESD’s information security analyst, describes a “good day” on the job. While a lot of work in school districts is highly noticeable, the constant, high-level efforts that go on behind the scenes to keep student, staff and district data safe are, by design, quiet and understated, even as they are absolutely critical.
Andrew moved into his cybersecurity role just before the COVID pandemic hit, after spending several years as a network engineer. The creation of this position was timely, as the cyberlandscape began changing dramatically. Ransomware attacks have targeted schools – and actually forced closure of one metro-area district’s classes for several days.
“The rate of cyberattacks directed at K-12 is increasing, and we need to be aware of it,” Andrew said. “And size doesn’t matter. Being small doesn’t protect you from an attack. Anybody is vulnerable.
“Cybersecurity really is an organization-wide responsibility, and every employee plays a part. But it helps to have someone with a dedicated lens focused on security and organization-wide processes all the time.”
Because Clackamas ESD hosts data and/or internet services for our 10 school districts as well as a number of other agencies and organizations, Andrew has an elevated responsibility to focus on the back-end of all our systems and constantly ask questions. How do we better develop and secure our systems? Are they adequately protected? How do we safely get data in and out of our systems and maintain data integrity?
“My job is to focus on what we do if something slips through the cracks, evades that first line of defense,” Andrew explained. “I help create the layers of security an attacker would have to get through.”
By all accounts, he and the Clackamas ESD technology team have been successful at that work. In fall 2022, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency completed a comprehensive test of Clackamas ESD’s data security systems. This “remote penetration assessment” tested our cyber environment in many of the ways an attacker would.
“It was a really positive experience for us, and we got excellent feedback that our external network is well maintained,” Andrew said. “We came out of the assessment with no major findings, which the agency tells us is very rare. We invest a lot in our data security, so it’s great to have that validation.”
Andrew and the broader team he works with are focused not just our own data security, but helping our regional partners boost theirs as well. In 2022, we hosted a cybersecurity panel discussion featuring former intelligence community personnel who have worked on both cyber-offensive and cyber-defensive initiatives. More than 50 participants from state agencies, K-12 schools and higher education institutions attended to learn the latest tactics attackers are using to try to breach data security.
Over the past year, we’ve also played a key role in expanding affordable data security protection to our partner school districts. We spurred creation of a new consortium through the non-profit Organization for Educational Technology and Curriculum. The consortium negotiated an agreement with a leading endpoint security company to provide more affordable protection. As a result, both the ESD and five of our local school districts have been able to invest in high-quality endpoint security.
“We provide a level of service that sets us apart from other ESDs,” Andrew commented. “We’ve had nothing but positive feedback from districts we serve. We have great teamwork, and mutually invest in safety.
“We also have a unique service model. In addition to hosting student and financial data for most of our districts, we offer a range of other services, from providing internet services through dark fiber, private cloud hosting within our over 4,000-square-foot data center, to hosting the whole domain for k12.or.us – the domain all public school districts in the state use. So we have a lot of influence on a regional scale.”