IT Management

Q&A: How to Bolster Cybersecurity in Your Schools

District tech chief says internal controls are essential
By Sean Cavanagh — April 30, 2019

As Melissa Tebbenkamp sees it, promoting strong cybersecurity is as much about changing district behavior as it is about guarding against the damage any bad actor tries to inflict.

Tebbenkamp, the director of instructional technology for the Raytown Quality Schools, a 9,000-student school system outside Kansas City, Mo., is expected to run point in guarding against phishing scams, malware, and other forms of cyberattack.

But she’s also counting on her colleagues, from top administrators to the district’s teachers, to make the right decisions when a suspicious e-mail lands in their basket and something doesn’t seem quite right.

To that end, Tebbenkamp has put an emphasis on training district staff about cybersecurity—and restricting employees’ access to tech systems to reduce vulnerability.

Tebbenkamp has served in her tech role in the Missouri district since 2006. She’s also sought to help other district officials through her involvement in a number of cybersecurity and data-privacy committees and working groups through the Consortium for School Networking.

She spoke with Education Week Associate Editor Sean Cavanagh about the lessons she’s learned about cybersecurity and the steps for districts trying to protect themselves.

What is the biggest cybersecurity risk school districts face?

Your staff and students. Our biggest risk is ourselves. You do have some students who are really smart and intentionally try to hack or gain access when they’re not supposed to. But with your staff, it’s more about the inadvertent disclosure of information or clicking on that phishing e-mail and allowing access, or clicking on something that has malware attached to it.

What kinds of intrusions are you most worried about?

Not in my district, but W-2 phishing scams were big a few years ago, and I still see those phishing e-mails directly targeting our finance and payroll departments, saying, “I’m the superintendent, and I need you to give me this information.” Those are our most frequent, and they’re hitting our business offices, mostly.

On the staff side, if teachers have administrative access to machines—and many districts still do allow it—their biggest threat is malware: A teacher clicking on a link, or inadvertently clicking on a link that’s going to install malware on their machine.

What’s the information that bad actors in the cyber arena covet the most?

Number one is the computing power within a school system. [They want] to leverage the computing power in your servers to start running the other schemes that they run. It’s not necessarily about the information. But they do want student records. The latest from the Department of Education is that a student record on the black market can be between $250 and $350. You compare that to a social security number, which is like 10 bucks. Student records can be incredibly valuable. Depending on what kind of information they’re going over, most of their targeted attempts for student information are happening at the big company level, rather than at the school level. It’s really the resource-utilization they’re interested in.

Why do cyberattackers want ‘resource utilization?’

It’s running processes on our servers to use them to do denial-of-service attacks. Or they want to try to hack someplace—they don’t want to hack the FBI from their headquarters. It would be great for them to tunnel in here and use our resources to initiate the hack. Even at home, a lot of those viruses are after resource utilization. A lot of the hacks are going after people’s processing power. And those are the ones that go really unnoticed.

So if hackers are getting access to your processing power, how would you know that?

If you’re tracking the traffic on your network—we do that—you know what looks off. You know how much [traffic] a server should have, in terms of download and upload. That will help you identify when you have resources being used maliciously.

What’s your biggest worry about student records getting accessed?

Social security numbers aren’t worth much anymore. But that information that is tied to the individual ... the really scary part is some of our student information is valuable to people who want to prey on students. That’s one of the pieces I used in my training with teachers: We wouldn’t let someone come in off the street and talk to our kids. We need to protect all of their online information, as if we’re protecting them physically. Because that information could give someone the ability to approach a student, have a conversation with them, and then target them.

So what are the most fundamental strategies to protect school districts from cyberattacks?

You obviously have to have the gates closed. You need to have your firewalls in place, and meet those best practices. Your virus protection—the majority of schools do that pretty well.

The next piece, once you take care of the basics, is user training. Making sure your staff know what a phishing e-mail looks like, what those scams look like, how to respond or not respond. Where it’s important to share student information, and where it’s not. That end-user training is going to protect you. That will protect you against the lost USB drive with personal information on it. That training can’t be once a year. You have to keep it front of mind.

What other steps do you recommend to encourage staff to manage cybersecurity?

The other thing is restricting access. My teachers don’t need to have administrative access to their computers to do their jobs. We find a way to make sure they have the resources they need. It’s a little more load on my department, but we stay safe. We don’t have the threats of someone having all their documents encrypted, and then having ransomware.

And then making sure you have all your data backed up. And there’s a layer of protection between what’s being backed up, and your live environment. If you get an attack on your network, and you have a virus infect everything or encrypt everything, that your backups aren’t infected and you have a restore point. If you accomplish those big pieces, you’re so far ahead of the game.

How are you defining “administrative access”?

Some people refer to it as a power user. It’s what allows you to install software on your computer. If I click on “install now,” and it doesn’t prompt me for an administrative password, then I have access on your computer to install that software. But if you have access, that means so does anything that comes down through the internet. We have that safeguard, so our users cannot install any software on their computers.

That stops most of those malicious attacks that come through that user interface—from someone either clicking on a bad website, or an attachment in an e-mail. Because whatever is downloaded doesn’t have the rights to run what it needs to run.

How easy is it for districts to restrict administrative access?

It’s a big culture change. I implemented it about 12 years ago. Even I, as CTO, don’t have administrative access to my computer now, and neither do any of my local techs. We have a separate account, that has elevated access, which you use only in the instance when you need elevated access. That culture change goes all the way through to your superintendent, your CTO, your CFO. There’s no reason for any of us to have that level of access.

What makes for an effective backup of your district data?

If your permissions aren’t set right on your backup server, and you’re backing it up at the file level, that ransomware will propagate and infect everything. And so if it still has permission to do that on your backups, then all of your backups become encrypted. You have to make sure your backups are configured properly. [It’s things like] making sure your directories don’t have the ability to write between each other.

A version of this article appeared in the May 01, 2019 edition of Education Week as Q&A: How to Bolster Cybersecurity in Your Schools

