It’s the new reality. While our increasingly online world is brimming with the benefits of social connection and readily available information, online criminal attacks plague many companies and institutions. Cyberattacks lead to the release of personal information and insurmountable financial damage. In the last 20 years, computers have become a staple in classrooms and the education system in Oregon and across the country, posing school districts as a vulnerable cynosure in the world of cybercrime.
Schools face the difficult challenge of keeping their systems and data secure. “The business of education is sharing information, and the business of cybersecurity is to prevent unwanted sharing of information,” explains Don Wolff, the chief technology officer (CTO) for Portland Public Schools (PPS). “In any organization, cybersecurity is always a balance, but it very much is for us,” adds Hailie Roark, the information security operations manager at PPS.
Student data is especially precious in the world of data privacy. Leaked data could lead to identity theft, which is particularly hard to track amongst minors. “My biggest nightmare is that a student leaves the district of my care … and realizes that their identity has been stolen seven years ago,” says Wolff. Unlike other companies, school districts possess a bulk of sensitive data from children as young as 5 years old, from vaccination records to family income to home addresses, all of which can be stolen and exploited.
In just the last five years, districts all across the state have faced cyberattacks. In 2021, the Centennial School District closed for two days due to a breach in their systems. Earlier this year, over 4,000 fraudulent emails were sent to the students and staff of the Corvallis School District requesting passwords and bank information. The Newberg-Dundee and Beaverton school districts have suffered attacks in the last year as well.
Cyberattacks come in many forms, meaning it’s difficult to prepare for all possible situations. Ransomware is one common type of cyberattack, in which files, like student data, or even entire systems or devices are locked by hackers and held for ransom. Phishing attacks, a type of social engineering, attempt to exploit humans to gain login credentials and access systems. Due to their ever-evolving nature, cyberattacks pose a constant threat. “It’s not if, it’s when,” says Derrick Brown, the interim CTO at PPS. He will be taking over for Wolff in December.
Despite this, there are countless ways that districts and their students can better protect themselves online. In the Corvallis School District, the IT department has recently been able to update and adapt its systems. “One of the great things we’ve been able to do over the past several years is invest in network and systems monitoring tools, which provide us with alerts of any suspicious activity,” says Brian Schaffeld, the director of technology services for the Corvallis School District. They have also strengthened their education among staff to be able to identify and avoid threats.
So when those 4,000 phishing emails were sent out, Corvallis’ systems pulled them from students’ inboxes quickly. Fewer than 5% of students and 1% of staff clicked on the fake link, Schaffeld explained in a statement. There was no sensitive student or staff data lost, an effect of the quick response. Schaffeld says that their policy is always evolving to better protect the district. “We’ve been able to refine and revise the policies and procedures that we have in place in order to become more effective,” he says.
At PPS, a district with more than 44,000 students across 81 schools, IT has the almost impossible challenge of keeping Oregon’s largest school district secure. “[PPS is] larger than any business in the state of Oregon from a computer standpoint,” Wolff explains. “We are in a Fortune 100 situation, [with] about 55,000 active accounts over 100,000 devices.”
Due to their size, many school districts turn to third parties for support in keeping their systems secure. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) both monitor the dark web for potentially stolen information and cross-check it with districts. Cybersecurity, especially in schools, has been a high priority for state and federal governments, with the FBI and the CISA allocating more resources in recent years toward the issue. In the case of a breach, districts often partner with the FBI and other law enforcement agencies to respond to the problem.
PPS also uses CrowdStrike, a privately owned technology, to monitor and protect the district. CrowdStrike offers endpoint security — an approach to security that focuses on devices like laptops, smartphones, and tablets, or the endpoint of a network’s reach — as well as general threat intelligence and other cyberattack response tools. “[CrowdStrike] is watching at a pretty deep level what’s going on on computers, learning and remediating,” says Roark. Almost every district in the country just doesn’t have the human capabilities to monitor devices closely, so PPS employs CrowdStrike to monitor user accounts. The company has been involved in some of the most high-profile cybersecurity investigations of the last decade, including the hack at Sony Pictures Entertainment in 2014 and the Democratic National Committee email leaks in 2016.
A large part of defending the district is vetting third parties that work with the district, known as “vendor partners.” These vendor partners, like Canvas or MaiaLearning, must be vetted by PPS. “60% of the overall data lost to breaches is from vendor partners,” notes Wolff. By hiring third-party vendors, data is spread further and further across systems, leaving student and staff data vulnerable to breaches at these companies and within the district.
The first step to vetting a vendor is cross-checking with other vetting resources. PPS uses tools like 1EdTech, which has already vetted vendors at a larger scale. The next step is working with peers, usually other school districts within the state, to check if they have experienced any problems with the tool. Lastly, PPS confirms that the vendor keeps their own systems secure by using tools like two-factor authentication for logging in.
When working with vendors, it’s important to ensure that these companies are held to data privacy agreements. Almost every contract with a vendor partner includes some data privacy agreement that fits into state and federal regulations, as well as district policies. These agreements prevent these companies from selling or even collecting certain types of user data. “We have a saying that, ‘if the app is free, then you’re the product,’” says Wolff. Data privacy agreements aim to protect users from these products, in this case students, from becoming a product.
The final layer of cybersecurity falls on the day-to-day practices of students and staff. These practices include making long and strong passwords, using two-factor authentication, and limiting staff access to internal systems. Brown, as an IT professional, an educator, and a parent, says focusing on general digital literacy is crucial to personal online security and cybersecurity in PPS. “The question is how do we teach it, because blocking it doesn’t help anyone,” he says. “As large of an organization as we are, we have to build [a] curriculum around it. We want to build [awareness] internally, not only protecting your tools at school, but when you’re at home too.” Since students and staff are usually the ones who receive phishing emails, educating them on how to recognize a fake email is critical to protecting the whole district.
“If you remember from COVID, we had the ‘swiss cheese model’ for protecting our health. [Cybersecurity is] a similar model,” explains Wolff. “If you slice up enough layers of Swiss cheese, you get enough layers so the holes don’t go straight through.” Cybersecurity isn’t perfect or easy, and in the context of schools, an abundance of important and sensitive information is on the line. Everyone has a part to play in protecting themselves, their peers, and the organizations to which they belong. From everyday students to FBI agents, there are always steps that you can take to stay protected.
