Education Week - November 29, 2017 - 11
'Nothing We Could
Columbia Falls, Mont.
Pflugerville, Texas, schools compromised
by others' missteps
Victor Valdez is laser-focused on cybersecurity.
As the chief technology officer for Texas' 24,000-student
Pflugerville Independent school district, Valdez said he faces
cyber threats every day. One of his responses: "hiring a thirdparty company to come in and hack us, so we can find out
where we're vulnerable and clean things up." Another strategy
is to constantly monitor Pflugerville's network, a tactic that
last school year led Valdez's team to identify and staunch a
sudden, unexplained surge of traffic from Europe.
Still, such vigilance hasn't been enough.
This past spring, an unknown number of the district's
employees-including Valdez himself-had their names and
Social Security numbers compromised, as a result of a breach
at the Texas Association of School Boards.
TASB is a statewide nonprofit group that, among other things,
administers an unemployment-insurance program for Texas
school employees. Spokeswoman Barbara Williams said TASB
officials learned in May that personal information for more than
half a million of those employees, in roughly 900 school districts
across the state, had been posted publicly on the internet.
The association has spent months trying to notify everyone
who may have been affected, offering a year of free credit
monitoring and identify-theft resolution services, Williams said.
The group has also stepped up its training, monitoring, and
security procedures. There have been no reports that any of the
compromised information was misused, according to Williams.
But for hundreds of other Texas districts, the breach is just
another example of how even the best-laid K-12 cybersecurity
plans can't cover everything.
"It's tough," said Valdez. "Short of communicating with our
employees, there's nothing we could really do."
Struggling to Maintain
SOURCE: EdTech Strategies, LLC
UNDERESTIMATING CYBERSECURITY THREATS?
The majority of K-12 information-technology leaders don't see the following
cybersecurity threats as "significant" or "very significant" problems.
n Very Significant
Unauthorized disclosure of student data
Distributed Denial of Service (DDoS) attacks
Unauthorized disclosure of teacher data
Tucson, Ariz., loses control of its website
"We don't mess around when it comes to security!"
That's the promise that Jupiter, Fla.-based company
SchoolDesk, which creates and maintains websites for school
districts, made in its $64,500-per-year contract with the
47,000-student Tucson, Ariz., schools.
Despite such assurances, though, hackers breached one of
SchoolDesk's servers earlier this month, temporarily redirecting
roughly 800 school district websites around the country to Arabiclanguage messages in support of the militant Islamist group ISIS,
as well as an image of former Iraqi dictator Saddam Hussein.
Tucson was one of the districts affected, leading to a spate
of concerned news stories and social-media messages. A
spokeswoman for the Tucson district said the site "was restored to
normal in a matter of hours." A statement from SchoolDesk said
the company was cooperating with law enforcement to find the
hackers responsible and "user data is secure and unaltered."
Outside experts say the incident highlights a couple of the big
cybersecurity challenges facing schools.
Sometimes, hackers mostly want to create mayhem, said
Douglas A. Levin of EdTech Strategies. That's what happened
when outsiders recently took control of the official Twitter
accounts of Florida's Fort Lucie school district and Nevada's
Foothill High School, in Henderson.
And ensuring that vendors provide strong informationtechnology safeguards has proved particularly difficult for K-12
schools, said Missouri State Auditor Nicole Galloway, who has
been examining school cybersecurity practices in her state.
Technology contracts should outline who is responsible for
preventing and detecting breaches, and what steps will be taken
if a problem occurs, Galloway said. But that's not typically what
happens, leaving schools open to considerable risk.
"If a school district is financially responsible for monitoring
credit scores or hiring attorneys or forensic specialists, that's
money that doesn't go into the classroom," Galloway said. "And if
a breach does happen, it can hurt parents' perception of how their
district is handling technology."
A LIMITED RESPONSE
K-12 information-technology leaders have been slow to adopt many key cybersecurity practices.
IT staff training
Encouraging staff to upgrade passwords
Backing up all information and storing it off site in case of an attack
Real-time monitoring for network intrusions
Increasing use of encryption
Purchasing specific cybersecurity products and services
Adding security safeguards to vendor negotiations
Having cybersecurity practices audited by an outside group
Implementing a cybersecurity plan
Requiring two-factor authentication for district accounts
My district has not undertaken steps to improve cybersecurity
I do not know if my district has taken steps to improve cybersecurity
SOURCE: Consortium for School Networking/Education Week Research Center survey of about 450 school technology leaders.
EDUCATION WEEK | November 29, 2017 | www.edweek.org | 11