Listen to this blog (8 mins)
Hear from industry experts Michele Gay of Safe and Sound Schools and Chris Noell, Raptor SVP of Product and Engineering, about the many cybersecurity challenges schools face today.
Sophisticated cyber hackers may now have access to over 800,000 students’ personal information—like names and birthdays—from what is the largest cyberattack on a district in our nation’s history. The victim was New York City public school district, and hackers accessed the information by breaching one of the district’s software vendors that helped track grades and attendance. The reality is, all schools are at risk of such attacks. They must be well equipped to ward off cybersecurity threats.
Recently Safe and Sound Schools Co-Founder, Michele Gay, sat down with Chris Noell, Senior Vice President of Product and Engineering for Raptor, in a Q&A about the many cybersecurity challenges schools face today.
The following is an abridged version of the conversation.
Michele Gay (MG): Thanks for joining me today, Chris. I’m eager to hear your expert perspective on this often-overlooked aspect of school safety. Now that we find ourselves working, teaching, and learning in the cyber world, schools are dealing with significant challenges in cyber-safety and cybersecurity. Some schools are sounding the alarm bells, others watching and waiting, and some are thinking, “Do I even need to worry about this?” What are your thoughts, Chris?
Chris Noell (CN): That’s a great question. I usually start with, “Are schools being attacked?” Unfortunately, the truth is that they are. In December 2020, the FBI, CISA–and a host of other leading organizations that monitor cybersecurity threats–published a statement warning K-12 schools of three major threats:
- targeted ransomware attacks
- theft of data, and
- disruption of distance learning services.
To your point, schools are more online–and more reliant on technology than ever. Hackers are aware of that and now taking advantage of this new vulnerability. Experts have warned that incidents could increase 86% over this academic year. Even by standards in cybersecurity, that’s pretty astonishing and potentially devastating. So, whether your community has been hit or not, it’s time to take action to protect your school.
MG: Unfortunately, for a lot of our school communities, it doesn’t become a pressing issue until it is already upon them. Of course, then they’re in a reactionary position. What resources are out there to help schools prepare for and prevent these kinds of threats and attacks?
CN: The K-12 Cybersecurity Act of 2021 instructed CISA to study the risks that will impact K-12 school districts and develop cybersecurity guidelines and online training. You can visit CISA.gov to explore these resources. As part of the security industry, we [Raptor Technologies] continually monitor the federal guidance, and then anchor the solutions and resources that we develop on those. While these guidelines are not mandatory—at the moment– it’s almost certain that they will become a standard of care.
MG: What are some of the practical things that schools can be doing to protect themselves? School leaders? Students, teachers, and staff members and so on?
CN: We all have a role to play in securing our organizations. For the IT folks in the audience, I would say it starts with just understanding what you have in your district. What hardware do you have? What software do you have? What vendors have access to your network/do you rely on? Who do you share data with? It sounds really basic, but if you can’t answer those questions, you really can’t protect your environment. So start with that inventory.
Any organization, especially an organization that may not have a lot of IT resources, should look to make this someone else’s problem as much as possible. What I mean by this is simply, wherever possible use software from reputable vendors whose products and services come with the highest levels of security.
MG: That’s really important for our school communities. IT resources are limited if present at all. And this kind of expertise is not readily available in house. I mean, our schools are run by educators!
CN: You’re absolutely right. Another important thing for school leaders to consider about cybersecurity (as opposed to physical security) is that technology and related threats evolve at a much more rapid rate, meaning we have to update our tools and measures at a more rapid pace. With cybersecurity, there are tens of thousands of new vulnerabilities discovered every year. So just because it was secure yesterday doesn’t mean it’s going to be secure tomorrow. That really is the biggest headache and concern.
MG: Truly. But our schools house some of the most precious data, about the most precious people that we have in our communities–in our country–so these issues are not to be ignored.
CN: For sure. I think at the end of the day, you’re never going to have 100% security. The NSA, the CIA, even they don’t have 100% security. The reality is, once you have a computer, you have a risk. So, it’s really about how you manage that risk, just like all the other risks in life.
MG: Not being afraid to face–and talk about–those risks and vulnerabilities is important too. I think some of our school communities tend to want to keep those things quiet, but we really need to shine a light on these issues if we are to be proactive. Right?
CN: Absolutely. And although it can seem a bit overwhelming, I’ll refer back to something I’ve heard you say many times before, “It’s not rocket science.” I think a lot of people look at security like it’s some kind of dark art. As though it involves some kind of mystical expertise. But it’s just basic blocking and tackling, an operational IT discipline, just like managing availability and performance is an operational IT discipline. So I would encourage people to be open about where they’re at and make steady progress over time.
MG: Good advice. We’re not going to be perfect. When I talk about school safety, I emphasize that practice makes progress—not perfection. And how about our kids–our students? They’re now major users of technology, of online education, of social media, all those things. So how about education for our students? I see that as a valuable way to help protect our schools and our children.
CN: That’s a fantastic point because there are multiple values there. Educating students in cybersafety not only protects the institution, but certainly extends protection over our students when they leave the campus, go to their home networks, and interact online. They’re exposed to all the same sorts of attacks off campus as they are on campus.
MG: So just like we talk about life skills of safety in the broader context of school safety, it’s the same thing here, right? We want our students, we want our staff and community members to have those life skills, not just for safety within the building and on campus, but as they go out into the world, as they go home, as they go into the workplace.
CN: Yes, these are the new realities of keeping our schools and communities safe in a digital world.
Commitment to Cybersecurity
It’s important to partner with vendors who have the expertise and resources to ensure your student, staff, visitor, and volunteer data is protected. Raptor has a comprehensive security program and follows industry best practices to protect your data behind multiple safeguards, like ensuring two-way data encryption both at rest and in transit; conducting annual system security audits; and continuously monitoring log-ins.