Special Report
Privacy & Security

The Best Defense Against Cyberattacks, From a District CTO

By Sean Cavanagh — March 19, 2019 10 min read

As Melissa Tebbenkamp sees it, cybersecurity is as much about district behavior as it is about the damage any bad actor tries to inflict.

Tebbenkamp, the director of instructional technology for the Raytown Quality Schools, a 9,000-student school system outside Kansas City, is expected to run point in guarding against phishing scams, malware, and other forms of cyberattacks.

But she’s also counting on her colleagues, from top administrators to the district’s teachers, to make the right decisions when a suspicious e-mail lands in their basket and something doesn’t seem quite right.

So Tebbenkamp has put an emphasis on training staff to do their part to make the district’s systems more secure. Her district also puts restrictions on the tech applications that staff can access online, to keep the chances of unwanted intrusions to a minimum.

“It’s about protecting where you have control—which is your house—first,” says Tebbenkamp. “We do have a growing concern about outside malicious attacks directly targeting us. But the biggest and most frequent [vulnerabilities are posed by] our staff.”

Tebbenkamp has served in her tech role in Raytown since 2006. She’s also sought to help other district officials by serving as co-chair of the Consortium for School Networking’s Student Data Privacy working group, and as a member of CoSN’s professional development and cybersecurity committees. She’s also served on CoSN’s national board since 2014.

In addition, she’s consulted for the Federal Trade Commission and U.S. Department of Education on the impact of federal privacy laws on schools and online instructional tools. She’s also led several workshops aimed at helping schools and districts improve their data governance programs.

Tebbenkamp recently talked with Education Week Associate Editor Sean Cavanagh about the lessons she’s learned about cybersecurity, and what she sees as critical steps for districts trying to protect themselves.

Q: What is the biggest cybersecurity risk school districts face?

Your staff and students. Our biggest risk is ourselves. That’s your biggest preventable risk. You do have some students who are really smart and intentionally try to hack or gain access when they’re not supposed to. But with your staff, it’s more about the inadvertent disclosure of information or clicking on that phishing e-mail and allowing access, or clicking on something that has malware attached to it.

Q: What kinds of intrusions are you most worried about?

Not in my district, but W-2 phishing scams were big a few years ago, and I still see those phishing e-mails directly targeting our finance and payroll departments, saying, “I’m the superintendent and I need you to give me this information.” Those are our most frequent, and they’re hitting our business offices, mostly.

On the staff side, if teachers have administrative access to machines—and many districts still do allow it—their biggest threat is malware: A teacher clicking on a link, or inadvertently clicking on a link that’s going to install malware on their machine. Whatever trojan or virus attached to it will wreak havoc or exploit you in a way that’s preventable.

About This Report

This Education Week examination of K-12 cybersecurity is the second of three special reports focused on the needs of K-12 district technology leaders, including chief technology officers. Each report in the series features exclusive results of a new, nationally representative survey of CTOs, conducted by the Consortium for School Networking, an organization representing K-12 district technology officials.

Q: There have been instances of students hacking their districts’ systems. How significant is that risk?

If your students have administrative access, and they have the ability or the permissions on their computers to download malware, you also have that same risk of them clicking a button and triggering something. We do have that small population of students—I think every district does—that are incredibly brilliant, and you run that risk of hacking. And being aware of who those students are and being mindful of what’s happening on your network is an important piece.

Q: Can students access your internal networks?

In our district, absolutely not. They don’t have that level of access. But in some districts, if you have iPads or other devices that aren’t locked down, and people can install Chrome extensions or download applications, you absolutely have that threat. Students can bring in some of that on USBs, as well. That inadvertent threat, that can be managed at the core device-management-rights level.

Q: What’s the information that bad actors in the cyber arena covet the most?

Information is probably not the number one thing. Number one is the computing power within a school system. [They want] to leverage the computing power in your servers to start running the other schemes that they run. It’s not necessarily about the information. But they do want student records. The latest from the Department of Education is that a student record on the black market can be between $250 and $350. You compare that to a social security number, which is like 10 bucks. Student records can be incredibly valuable. Depending on what kind of information they’re going over, most of their targeted attempts for student information are happening at the big company level, rather than at the school level. It’s really the resource-utilization they’re interested in.

Q: Can you describe in more detail the “resource-utilization” cyber-attackers want?

It’s running processes on our servers to use them to do denial-of-service attacks. Or they want to try to hack someplace—they don’t want to hack the FBI from their headquarters. It would be great for them to tunnel in here and use our resources to initiate the hack. Even at home, a lot of those viruses are after resource utilization. A lot of the hacks are going after people’s processing power. And those are the ones that go really unnoticed. We hear a lot about the big data hacks where [hackers] stole everybody’s credit card numbers.

Q: So if hackers were getting access to your processing power, how would you know that?

If you’re monitoring our network and tracking the traffic on your network—we do that—you know what looks off. You know how much [traffic] a server should have, in terms of download and upload. That will help you identify when you have resources being used maliciously.

Q: What’s your biggest worry about student records getting accessed?

Social security numbers aren’t worth much anymore. But that information that is tied to the individual...the really scary part is some of our student information is valuable to people who want to prey on students. That’s one of the pieces I used in my training with teachers: We wouldn’t let someone come in off the street and talk to our kids. We need to protect all of their online information, as if we’re protecting them physically. Because that information could give someone the ability to approach a student, have a conversation with them, and then target them.

And there’s a lot of marketing that comes with identifying someone as a student. There’s a lot of money in that. Our kids under the age of 13 are protected by COPPA for that, but how valuable is that information? Also, in the development of new products—where are they succeeding, where are students struggling? I’d hate to accuse any company of buying that information to find out where there’s a need in the market, but I could see that, as well.

Q: So what are the most fundamental strategies to protect school districts from cyberattacks?

You obviously have to have the gates closed. You need to have your firewalls in place, and meet those best practices. Your virus protection. The majority of schools do that pretty well.

The next piece, once you take care of the basics, is user training. Making sure your staff know what a phishing e-mail looks like, what those scams look like, how to respond or not respond. Where it’s important to share student information, and where it’s not. That end-user training is going to protect you. That will protect you against the lost USB drive with personal information on it. That training can’t be once a year. You have to keep it front of mind.

Q: What other steps do you recommend to encourage staff to manage cybersecurity?

The other thing is restricting access. My teachers don’t need to have administrative access to their computers to do their jobs. We find a way to make sure they have the resources they need. It’s a little more load on my department, but we stay safe. We don’t have the threats of someone having all their documents encrypted, and then having ransomware.

And then making sure you have all your data backed up. And there’s a layer of protection between what’s being backed up, and your live environment. If you get an attack on your network, and you have a virus infect everything or encrypt everything, that your backups aren’t infected and you have a restore point. If you accomplish those big pieces, you’re so far ahead of the game.

Q: How are you defining “administrative access”?

Some people refer to it as a power user. It’s what allows you to install software on your computer. If I click on “install now,” and it doesn’t prompt me for an administrative password, then I have access on your computer to install that software. But if you have access, that means so does anything that comes down through the internet. We have that safeguard, so our users cannot install any software on their computers.

That stops most of those malicious attacks that come through that user interface—from someone either clicking on a bad website, or an attachment in an e-mail. Because whatever is downloaded doesn’t have the rights to run what it needs to run.

Q: How easy or difficult would it be for a district to restrict administrative access?

It’s a big culture change. I implemented it about 12 years ago, and it’s a very, very hard change. But even I, as CTO, don’t have administrative access to my computer now, and neither do any of my local techs. We have a separate account, that has elevated access, which you use only in the instance when you need elevated access. When you’re talking about how most malicious attacks come in, which is through the end-user, that’s one of the key things you can do to keep yourself safe. That culture change goes all the way through to your superintendent, your CTO, your CFO. There’s no reason for any of us to have that level of access.

Q: You mentioned the importance of backing up your data. What makes for an effective backup?

If your permissions aren’t set right on your backup server, and you’re backing it up at the file level, that ransomware will propagate and infect everything. And so if it still has permission to do that on your backups, then all of your backups become encrypted. You have to make sure your backups are configured properly. [It’s things like] making sure your directories don’t have the ability to write between each other.

My backups are in a read-only state; they’re not able to have any write permissions. If you’re using a backup system software, you’re going to be able to set that up properly. Where you run into trouble is where you’re doing something homegrown and you’re just doing copies of data over to a separate server.

Q: We hear of districts moving to the cloud. What implications does that carry for cybersecurity risks?

Anytime you’re moving your data to a location where a lot of other people have their data, you become a bigger target. Do you have a risk? Absolutely. In terms of what are you willing to put on the cloud versus in-house. Every district has to make that decision. And you have to look at your provider, who you’re hosting with. What are their security protocols? What is their business continuity, how are they protecting their files? Are they backing up in a way that if something happens or there’s a virus or encryption, can you restore to a point that you’re healthy again? Those are great questions to ask your cloud provider. Some of them do it great. Some will have a challenge. There’s just certain data I don’t put in the pool of everyone else’s data.

Q: For example?

If I host my student information system [in the cloud], I have 9,000 student records here. If I go with a hosted SIS that hosts 50 other districts, now they have 500,000 records. Now, it’s a lot more of a lucrative hack at this point. A lot of school hacks we hear about are the [really large ed-tech platforms]. They’re big targets. You have to look at what data you’re willing to put out there. And what are the practices the cloud-provider has out there?

Q: What other advice do you have?

We look not just at cybersecurity, but data privacy. We do a video at the beginning of the year, and we do a staff meeting at the beginning of the year. Every Thursday, we send out a communication. We send out a lot of training videos. We try to use humor, so people will actually watch them. On May 4, we did one on a Star Wars theme about phishing e-mails, and how to become a master in spotting a phishing e-mail. We try to keep them under four minutes and focused on best practices. We also do a poster campaign. We’re attacking it through several angles.
