Fear seems to be the rule in 2019 when it comes to school district network security. But one district in the metro is fighting fear as a part of its larger defense.
There have been plenty of reasons for fear in the metro.
Oklahoma City Public Schools just spent seven days, including a weekend, paying a contractor to help their own IT staff recover from a malware intrusion to the district network. Coming right at the end of classes when grades were being processed, it was a severe blow to Oklahoma’s largest school district of 40,000 students.
And officials are so afraid of losing face and of making the district a bigger target that they won’t talk to the press or broadcast media about the damage done or the financial cost to the taxpayers.
The fear is palpable in spite of their dismissive nothing-to-see-here statement to the contrary once the network was declared recovered.
And even though Putnam City Schools has not had any known intrusions, their spokesperson said they would not agree to an interview with Free Press for fear of posing a challenge to a hacker and being the next big district network to fall.
Disaster sows fear
Fear is king in the world of school digital networks.
Yukon Public Schools suffered a disastrous attack in 2017 when W-2 information for district employees was sent as a spreadsheet into the wilds of the Internet instead of to the superintendent, as one employee thought they were doing.
We found one district IT director who was willing to talk with us even though his superintendent was understandably nervous about the publicity.
Wesley Fryer is the Director of Technology for Casady School, a private school in north Oklahoma City.
With the permission of his superintendent, he agreed to talk with us recently on the heels of OKCPS recovering their network.
For him, the biggest hurdle is dealing with the fear of the Internet and intrusion so that students, faculty, and staff can think through how to defend against attack.
“In all seriousness, I tell people that I’m a technology fear therapist,” said Fryer.
He said one of his main tasks is helping everyone at the school address their fears and begin to understand the nature of attacks. He acknowledged that attacks come to every network now as a matter of course.
But, fear does nothing to guard against those attacks.
Walk a line
“I want to walk a line because I do want people to change their behavior if they’re using one password and it’s really simple and it’s on all websites,” said Fryer. “You know, we need that to change.”
But, Fryer considers his job to be addressing fears because he doesn’t want those at Casady School to “be so petrified with fear” that “they don’t know what to do and they feel overwhelmed.”
Training and orientation are ongoing, building the confidence and clear understanding of how everyone can defend the school’s network.
Email is big
There is no way to stop attempts to intrude on a network.
An organization can harden defenses as much as possible by moving data to the cloud and keeping all network systems up-to-date.
But, Fryer sees moving Casady School beyond fear as one large defense against attack.
Clear thinking is one defense where “complex relationships [are] going on and technology is in the middle of it,” said Fryer.
He said “email is big. I would say it’s the primary vector today for bad actors to try to get inside the network.”
“Now that doesn’t mean it’s the only vector, but it is, I think, the most significant vector.”
The type of attack on Yukon Public Schools is called “spear phishing” because it is so targeted.
These days, it doesn’t take much sophistication to recognize a general phishing email from a “Nigerian prince” who says he needs your help.
Instead, the spear phishing email the YPS employee received asking for the W-2 information looked just like an email from their superintendent.
Policies can defend
Fryer said Casady School is putting more emphasis on developing clearer policies that control information flow more carefully.
“We ought to think about our procedures and think about how we sort of harden them,” said Fryer.
He said especially when it comes to information their Human Resources department passes on to other employees, they are far more restricted now than they used to be.
When an organization develops careful policies that clearly define who needs to know what, that contributes to a more secure network.
Disasters are averted when a district segments its network according to who needs to have access and at what levels.
He gave an example: “I don’t want a student to just be able to plug in from the library or plugging in from a classroom and suddenly they have access to our security cameras or access to our door locks or all that kind of stuff.”
“What I really want them to do is be in a sandbox. They have access to the Internet and the printer maybe, but that’s all they need.”
Passwords are key
Fryer said one of their big efforts to move their staff, faculty and students away from fear and toward assertive action is to train everyone to use a password manager like LastPass.
Teaching people to use a password manager allows them to memorize one good password and use a unique strong one for each site and device instead of using the one memorized password on all sites and devices.
He said another step in securing staff and faculty accounts is two-step authentication, where once a password is entered, a code is sent to a unique device like a cell phone.
Fryer said the bigger picture is teaching digital citizenship.
“We need to be in touch with how we’re responsible for our words,” said Fryer. “How we are responsible for what we say and what we share and how we write it. It can happen literally with the touch of a finger, you know? And that stuff is out there.”
It’s about teaching responsibility, but also offering resources.
In addition to training sessions, the district has developed their own website that helps teach digital citizenship.
The site gives resources for students, teachers, and parents to develop a larger concept of how we are responsible for being good digital citizens.