IT Management

Q&A: How to Bolster Cybersecurity in Your Schools

District tech chief says internal controls are essential
By Sean Cavanagh — April 30, 2019 6 min read
  • Save to favorites
  • Print

As Melissa Tebbenkamp sees it, promoting strong cybersecurity is as much about changing district behavior as it is about guarding against the damage any bad actor tries to inflict.

Tebbenkamp, the director of instructional technology for the Raytown Quality Schools, a 9,000-student school system outside Kansas City, Mo. is expected to run point in guarding against phishing scams, malware, and other forms of cyberattack.

But she’s also counting on her colleagues, from top administrators to the district’s teachers, to make the right decisions when a suspicious e-mail lands in their basket and something doesn’t seem quite right.

To that end, Tebbenkamp has put an emphasis on training district staff about cybersecurity—and restricting employees’ access to tech systems to reduce vulnerability.

Tebbenkamp has served in her tech role in the Missouri district since 2006. She’s also sought to help other district officials through her involvement in a number of cybersecurity and data-privacy committees and working groups through the Consortium for School Networking.

She spoke with Education Week Associate Editor Sean Cavanagh about the lessons she’s learned about cybersecurity and the steps for districts trying to protect themselves.

What is the biggest cybersecurity risk school districts face?

Your staff and students. Our biggest risk is ourselves. You do have some students who are really smart and intentionally try to hack or gain access when they’re not supposed to. But with your staff, it’s more about the inadvertent disclosure of information or clicking on that phishing e-mail and allowing access, or clicking on something that has malware attached to it.

What kinds of intrusions are you most worried about?

Not in my district, but W-2 phishing scams were big a few years ago, and I still see those phishing e-mails directly targeting our finance and payroll departments, saying, “I’m the superintendent, and I need you to give me this information.” Those are our most frequent, and they’re hitting our business offices, mostly.

On the staff side, if teachers have administrative access to machines—and many districts still do allow it—their biggest threat is malware: A teacher clicking on a link, or inadvertently clicking on a link that’s going to install malware on their machine.

What’s the information that bad actors in the cyber arena covet the most?

Number one is the computing power within a school system. [They want] to leverage the computing power in your servers to start running the other schemes that they run. It’s not necessarily about the information. But they do want student records. The latest from the Department of Education is that a student record on the black market can be between $250 and $350. You compare that to a social security number, which is like 10 bucks. Student records can be incredibly valuable. Depending on what kind of information they’re going over, most of their targeted attempts for student information are happening at the big company level, rather than at the school level. It’s really the resource-utilization they’re interested in.

Why do cyberattackers want ‘resource utilization?’

It’s running processes on our servers to use them to do denial-of-service attacks. Or they want to try to hack someplace—they don’t want to hack the FBI from their headquarters. It would be great for them to tunnel in here and use our resources to initiate the hack. Even at home, a lot of those viruses are after resource utilization. A lot of the hacks are going after people’s processing power. And those are the ones that go really unnoticed.

So if hackers are getting access to your processing power, how would you know that?

If you’re tracking the traffic on your network—we do that—you know what looks off. You know how much [traffic] a server should have, in terms of download and upload. That will help you identify when you have resources being used maliciously.

See Also: 6 Steps for Preventing and Cleaning Up Cyberattacks

What’s your biggest worry about student records getting accessed?

Social security numbers aren’t worth much anymore. But that information that is tied to the individual ... the really scary part is some of our student information is valuable to people who want to prey on students. That’s one of the pieces I used in my training with teachers: We wouldn’t let someone come in off the street and talk to our kids. We need to protect all of their online information, as if we’re protecting them physically. Because that information could give someone the ability to approach a student, have a conversation with them, and then target them.

So what are the most fundamental strategies to protect school districts from cyberattacks?

You obviously have to have the gates closed. You need to have your firewalls in place, and meet those best practices. Your virus protection—the majority of schools do that pretty well.

The next piece, once you take care of the basics, is user training. Making sure your staff know what a phishing e-mail looks like, what those scams look like, how to respond or not respond. Where it’s important to share student information, and where it’s not. That end-user training is going to protect you. That will protect you against the lost USB drive with personal information on it. That training can’t be once a year. You have to keep it front of mind.

What other steps do you recommend to encourage staff to manage cybersecurity?

The other thing is restricting access. My teachers don’t need to have administrative access to their computers to do their jobs. We find a way to make sure they have the resources they need. It’s a little more load on my department, but we stay safe. We don’t have the threats of someone having all their documents encrypted, and then having ransomware.

And then making sure you have all your data backed up. And there’s a layer of protection between what’s being backed up, and your live environment. If you get an attack on your network, and you have a virus infect everything or encrypt everything, that your backups aren’t infected and you have a restore point. If you accomplish those big pieces, you’re so far ahead of the game.

How are you defining “administrative access”?

Some people refer to it as a power user. It’s what allows you to install software on your computer. If I click on “install now,” and it doesn’t prompt me for an administrative password, then I have access on your computer to install that software. But if you have access, that means so does anything that comes down through the internet. We have that safeguard, so our users cannot install any software on their computers.

That stops most of those malicious attacks that come through that user interface—from someone either clicking on a bad website, or an attachment in an e-mail. Because whatever is downloaded doesn’t have the rights to run what it needs to run.

How easy is it for districts to restrict administrative access?

It’s a big culture change. I implemented it about 12 years ago. Even I, as CTO, don’t have administrative access to my computer now, and neither do any of my local techs. We have a separate account, that has elevated access, which you use only in the instance when you need elevated access. That culture change goes all the way through to your superintendent, your CTO, your CFO. There’s no reason for any of us to have that level of access.

What makes for an effective backup of your district data?

If your permissions aren’t set right on your backup server, and you’re backing it up at the file level, that ransomware will propagate and infect everything. And so if it still has permission to do that on your backups, then all of your backups become encrypted. You have to make sure your backups are configured properly. [It’s things like] making sure your directories don’t have the ability to write between each other.

A version of this article appeared in the May 01, 2019 edition of Education Week as Q&A: How to Bolster Cybersecurity in Your Schools


Recruitment & Retention Live Online Discussion A Seat at the Table: Why Retaining Education Leaders of Color Is Key for Student Success
Today, in the United States roughly 53 percent of our public school students are young people of color, while approximately 80 percent of the educators who lead their classrooms, schools, and districts are white. Racial
Jobs January 2022 Virtual Career Fair for Teachers and K-12 Staff
Find teaching jobs and other jobs in K-12 education at the EdWeek Top School Jobs virtual career fair.
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Reading & Literacy Webinar
Proven Strategies to Improve Reading Scores
In this webinar, education and reading expert Stacy Hurst will provide a look at some of the biggest issues facing curriculum coordinators, administrators, and teachers working in reading education today. You will: Learn how schools
Content provided by Reading Horizons

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
IT Management Sponsor
The State of Interoperability and Privacy in the K12 Sector
What could students achieve if their education data was made available in a way that empowered them to set and meet their own learning go...
Content provided by InnovateEDU
IT Management Tech Purchasing Decisions Are Super Hard. New Initiative Aims to Help
ISTE and other education technology organizations are creating a hub to give district leaders in-depth information about tech products.
2 min read
Image of person's hands using a laptop and writing in a notebook
IT Management From Our Research Center 'Is This Going to Piss People Off?' How to Make Tough Tech Decisions
The reopening of schools carries with it a host of technology decisions that could have an outsized impact on students' and teachers' lives.
9 min read
In this file photo from September 2020, Kristen Giuliano, a seventh-grade social studies teacher at Dodd Middle School in Cheshire, Conn., assists Jane Wood, 11, during a hybrid class session.
Kristen Giuliano, a 7th grade social studies teacher at Dodd Middle School in Cheshire, Conn., assists Jane Wood, 11, during a hybrid class session in September 2020.
Dave Zajac/Record-Journal via AP
IT Management From Our Research Center Don't Buy 'Stupid Stuff:' Essential Advice for Technology Purchasing
School districts have more digital devices on their hands than ever before. Here's what they can do to get the biggest bang for their buck.
8 min read
RESET 4 TechFunding lead Image 1156179329
Alan Yrok/iStock