Cybersecurity is increasingly being vaulted to the fore of operations in independent schools. To protect their students, teachers, and administrations, technology leaders have been forced to take charge against malicious attacks, from phishing to ransomware and everything in between. ATLIS Director of Professional Development Susan Davis sat down (virtually) with four of those tech leaders to discuss their experiences and gain insight into how they are championing cybersecurity in their schools.
Join the discussion in the comments below!
Susan Davis: How did you first become aware that cybersecurity was a need, and has that translated to other administrators at your school?
Ally Wenzel: It’s really been a concern of mine for about the past 15 years. And the reason I say that is because we got hit really hard by the Blaster worm of 2003. We had to actually shut down our whole infrastructure for two days and disinfect all of the computers on campus. And we had to do it twice, because we didn’t catch some. It was that episode in 2003 when we started requiring antivirus on all systems, and we actually ended up purchasing Perfigo, which was a precursor to what Cisco now calls ISE. But it basically kind of sat between the switches and the wireless so that people, when they logged in, it would do a verification if they had antivirus installed. If not, it would make them remedy that situation before they could actually get on our network. So, we were pretty early stage in that.
Allie Sarahan: Ours wasn’t as serious as what Ally went through, but we had teachers who would regularly fall victim to phishing emails. It was more staff, but also some faculty, who would use their override credentials to get over the content filter to click a link to something like a bucket that looked great for their classroom, but it was a malicious link, and they didn’t realize it, and then we ended up getting ransomware through the system. So, we’ve made upgrades like what Ally mentioned: We upgraded our firewall. We upgraded our practices. We did some training. We changed the way the credentials were set up, and at the end of that year I got us moving into Google Drive as opposed to saving every single thing on our local server, so that if someone got ransomware there wasn’t as much of an issue. And now we also have off-site backups. We use Datto to handle our off-site backups and on-site backups, which helps with the things that can’t go into Google Drive.
Mary Beth Hertz: This is my first position in an independent school, first of all. I spent 15 years in public education before I came to this school. I was doing this plus teaching full time for the last seven years, so my perspective is actually I taught a boot camp for all of our students, because we were one of the few 1-to-1 laptop high schools in Philadelphia. Every single kid had to go through my class, where we went through not only how to work a computer, but digital citizenship and all sorts of stuff. Teaching them about tracking, and what companies do on the back end, and also phishing. I taught my students about phishing; we looked at what was an example of phishing emails. When they made their passwords, I did a whole lesson where they had to plug their passwords into one of those tools, like, “How fast will it take a computer to guess your password?” So, my perspective has always been on the user end. Also, I had a book come out in November 2019 where I delved into a lot of what I taught—the Internet of Things and how dangerous they are, and how they’re used for these big DDoS attacks, and really just privacy around what’s happening on the back end of everything that we use. When I stepped into this role, that was like old hat to me. We’re in the process of actually planning a KnowBe4 phishing campaign with our business office. We’re going to pilot it with the people who handle the most sensitive data and implement a more complex password requirement on our AD, and then sync AD with Google, so that people only have that one password and you know that it’s secure because they’re synced. Before I was hired, the school contracted an outside company to run our network. We do have a contractor that we pay monthly as a managed service, but they came in, and we had apparently 20 servers—20 local servers—and some of them were just like wide open on the internet. Luckily, we had somebody come in and close all those holes and set up our VPN properly, and just get everything all sorted.
Sarahan: I’m really glad you brought up the digital citizenship part. That was a soapbox for me when I started, and getting our kids and our parents to be a united front with the teachers has been amazing. We’re still getting there. One of the goals that we’ve been working on with the educational technologist and through technology integration is to get digital citizenship built into every part of the content and curriculum. Because we figure if you’re modeling it for your kids, you’re upgrading your practices, and then the kids point things out when they see something that isn’t up to code. So, it’s a really good point. That partnership is big.
Bill Freitas: It sort of snuck up on me. I worked in the computer center in college, and the older guys, they were always trying to scare us, but also remind us, “Hey, you can’t just let anybody walk in here and pick up this set of printouts,” type of things. I saw War Games in 1983, read Cuckoo’s Egg in 1989 by Cliff Stoll, and then I was in the education business myself in a peer school, in one of the first independent schools to wire the entire campus. They had 1-to-1 laptops really, really early. One of their students had a dad who worked in networking, managed to borrow dad’s Fluke network meter, bring it in, plug it in somebody’s dorm room, and just let it run overnight or over the weekend. This was so early, it was able to grab unencrypted passwords and usernames, and then those kids proceeded to breach a few different systems before they
were actually caught. At that point, it sort of became a little bit more real, but when it really became real was when we got our first PCI DSS to do credit cards. That checklist is really good and really valuable, but that’s when all of a sudden it really got us to think a little bit more deeply about what our practices were, and not just what we thought we were doing. It actually pointed out some really good things that we weren’t doing.
Davis: Has it been difficult to get the attention of administrators who need to be a part of this discussion?
Freitas: Our head came from a school that got hit by a massive ransomware attack, and he’s well aware about where we should be with cybersecurity. At my previous school, we had a number of board members who were in finance in New York City and things like that, and they were well aware of it. Their IT people were telling them things before we were even starting to really think about it.
Sarahan: I’ve had a hard time getting people to understand just how important it is at the administrative level from a training and ongoing professional development practice. Talking about KnowBe4 or even Schneider Electric, which is an engineering company in sales. They have a free cybersecurity platform that’s accessible for anyone, and they have training that’s applicable to our schools. It doesn’t have a cost attached, and it’s still a struggle to get that to be something that is important to focus on, spend time on, and roll out in an appropriate, ongoing manner to all of our faculty and staff members. I make strides, but it takes a lot longer than I would like for it to.
Wenzel: I liken it to a house—as long as the plumbing and the electricity work, you don’t really think about them, but you do need to maintain them and keep an eye on them. People don’t understand that, and it’s hard to get.
From my perspective, two things that are really relatively simple but have huge impact. One is two-factor authentication (multifactor authentication) being required, because 90-plus percent of all phishing and ransomware attacks are started through email. Just by turning on two-factor authentication, you can eliminate a lot of that. And then the mandatory security awareness training—make it a requirement for all new employees. We’re now having a monthly security awareness training by doing mock phishing exercises, and I can’t tell you how much that has improved our posture in terms of security. Now everybody is trigger-happy in my school, meaning they don’t even trust anything that comes from me. They’re like, “Is this really you?” I would rather have them be like that than to just click everything, because there’s so much email name spoofing, there’s a lot of “HR@yourdomain” things that come in, and by having that security awareness training, you just make people really, really conscious and it’s on the top of their mind all the time.
Hertz: We had an email go out that was one of those “meeting request” emails, like, “I’d like you to meet with me,” and it’s from your “boss.” We had one go out that was spoofing the head of school; we had one that went out that was spoofing the guy directly under him, and luckily, Gmail put up the big red “This looks like it’s not actually the thing it’s supposed to be.” We were lucky where people saw that and contacted the help desk and said, “What’s this?” We pay for the Amplified IT Google tools that they have, so we were able to go in to run the audit report in Admin console, see who received it, and go and pull it back. Because it affected the head of school, and because it affected my boss, it put it on their radar as like, “Oh, this is a thing. This is a problem.” My boss has been super, super supportive. We just had our cybersecurity planning meeting this week. We’re working in tandem with that networking consultant team. I’ve been really lucky in that way, but … we do have a varied level of comfort with tech in general, especially in our business office. Teachers tend to be a little bit easier to work with because they’re used to just figuring it out, especially now with the pandemic, whereas our business office is not quite there yet. With rolling this out, we’re actually waiting on two-factor because we’re going to start with password complexity first, forcing people to not have their daughter’s name and birthday as their password or reusing the same password over and over. We’re going to force them to change it every six months.
Davis: I want to get to the pandemic, but I also want to connect what you said back to what Allie said about the conflicting needs and the conflicting priorities. Often times, at least when I talk to people, I hear that—“It’s the business office,” right?—that getting those people trained is not a priority, or it’s not built into the schedule, or it’s not part of the culture. Understanding how schools work, it’s hard to go in and find time to make that happen or to get the significance of the need in front of somebody’s eyes when they’re like, “Uh, no—we don’t have time. We don’t have time.” And they don’t.
Wenzel: Susan, that’s why, just like a lot of things now, technology offices are getting more visibility, if you will, and more on to senior leadership. Because one of the hardest issues is what you were just saying—noncompliance and support from the top, where security awareness and a security posture for the school can’t just be coming out of the IT office. It needs to be coming from the top down. This is everybody’s responsibility; it’s not just on the tech department. It really is everybody taking their own personal responsibility for cybersecurity.
Sarahan: One of the things we did is have an established practice for if somebody sees something that seems off, send it to the help desk, and we’ll come check it out, and we’ll let you know. We have tried to say over and over again, and to show through our actions, that nothing is stupid. You should feel safe sending something in, because that’s what we’re here to do is to help you. Reiterating that has seemed to catch on, and I noticed that this year because we got hit with those phishing emails pretending to be the head of school. I would rather have to delete a hundred tickets out of the help desk because everybody forwarded their email than have someone respond. We’ve also hidden our emails on our website. We went from having them listed to having just the email icon. That seems to be helping; it makes it a little harder, at least, for the ransomware softwares to find and bulldoze.
One of the gaps that people could address potentially easily are data mapping. That was part of the professional development with ATLIS. It’s never going to be complete, right? But we’re constantly working on it at St. Mark’s—making sure that people, like the development office or the business office, understand where their data lives and where it goes and why we don’t want personal devices connected to the network or to allow people to store spreadsheets of data about fundraising and amounts raised and who our major constituents are. Showing them how the data flows gets through to them more than just a training since it’s applicable to them directly.
Freitas: I hope we can get back to Mary Beth’s password change thing, because that’s something I was just really thinking about. In terms of the irony of the business office not having the time to do the training, hit ’em with the old joke: “Why do people rob banks? That’s where the money is.” Why are people trying to phish the business office? That’s where the money is, right? They’ve got the biggest target on them that’s out there. I had a couple of gaping holes. No. 1 is relying on our perimeter-based security. Those of us who came up through the tech world think, like, “Oh, our firewall—we’ll just buy a bigger firewall, a better firewall.” Firewall is not how things are happening nowadays. It’s all about stolen and compromised credentials. Along those lines, the Center for Internet Security, CIS, they have these 20 controls for the best way to lock down pretty much everything you can. No. 1 is inventory of hardware; No. 2 is inventory of software. I think firewall’s around No. 12. Everyone else is still particularly coming at it through our tech lenses, looking at it as a tech problem. It’s a lot more of a people problem, or people opportunity, in some cases, but those are the two big gaping holes. I think, first of all, we’re relying on old technology and old thinking, believing that is going to protect us.
Sarahan: That’s such a good point. That’s come up through the pandemic. One of the things that hasn’t been a priority for the school overall is how we handle substitutes. And the fact that there were teachers that were sharing their credentials with their substitutes because that was the easiest thing for them to do is something that I have finally been able to completely squash. I know there were people that were still doing the less-than-positive practice of sharing their credentials up until we went into the pandemic. Then this school year, we
have an entire process in place for how we handle substitutes and how we have them set up to access the different digital products, because they have to proctor in a blended learning environment. And it doesn’t involve sharing teacher credentials.
Davis: What are some of the other things that have been highlighted by the pandemic or have made you aware of certain other aspects of cyber safety or concerns?
Freitas: We started out talking about the importance of MFA, multifactor authentication, and how cheap it is. How many of our administrative systems actually support MFA? Almost all of them are just username and password anymore. They need to really get up to speed on that. That’s one of the things that concerns me, systems that have probably some very valuable data into them that aren’t doing MFA. Our business office still has tokens that are generating numbers—I’m all for that, but if you try to get into our medical system, all you need is your username and password. That’s not a good idea.
Wenzel: There’s also been, over the course of the pandemic, this really meteoric rise in ransomware and phishing attacks. With people working from home, while Bill’s point is well taken, there is also a certain level of protection when people are working on campus, at least in our scenario. We’re a full-stack Meraki network, and we have a whole intrusion detection and prevention system set up so that cyberattacks that are coming in to the network are being blocked before they even reach people’s devices. But when people are at home, they don’t have that same level of security. So, they have to be even more diligent about things that are hitting their system, and also that they’re keeping their own endpoint protection—their Sophos or whatever they’re using—they have to keep that updated, and we’ve had some issues with that.
Davis: Are there any other things that popped up during the pandemic?
Sarahan: With video conferencing. We’re not using Microsoft Teams, but I know that there are certain issues around how videos and forms and whatnot
can be accessed through the way Teams and Groups have been set up, not necessarily because of tech department user error, but because of how Microsoft had those configured. We’ve used Zoom and Google Meets, and the concern that came up for us was safeguarding God’s children. We have to comply with this diocese. It’s not a law, but it’s basically a law for us as an Episcopalian school, of how we protect children. And there’s also safeguarding God’s people and how you protect the faculty and staff—the adults—that work with the kids. One of the things is that if you’re on campus and in person, you would not be in a room alone with a student. To help with that in a virtual setting, we have the teachers, or faculty and staff—it doesn’t matter if you’re a teacher with kids or a supervisor working with a staff member—you record your Zoom sessions. Those Zoom sessions are saved to a folder in Drive so that if something happens, or if you’re ever accused of something, you have protection in place. I know that’s not necessarily a cybersecurity piece—it’s more focused on the user, and I would think more of a human resources-type situation—but it’s been really important for us to keep our kids and our staff safe.
Hertz: The new concern—and it’s actually not a new concern; it’s actually a concern I’ve had for a long time that I think was exacerbated by the pandemic—is teachers love to sign up for [insecure apps or tools]. They’re like, “This tool looks awesome. I’m going to use it with my kids!” and they never read the privacy policy. They don’t look at what’s going to happen with the data. They don’t even know that they’re not supposed to use it with kids under 13. Teachers were so desperate to teach in a different way that they’re signing up for stuff left and right, and I don’t know what they’re signing up for. I have no idea what they’re importing, what they’re adding, what they’re doing with student data. Obviously, this is me being new to the school. I think, if there’s a phishing attack on somebody’s email address, now we run into student data behind some random teacher’s email address because we don’t know what service is signed up for. I know we can put protections on the back end allowing people to not actually sign up for third parties with their Google account and things like that, and you walk a fine line of handcuffing teachers and not letting them be innovative versus the safety piece. But something I’m working on is actually a vetting process and a rubric for tools. For whatever people say about the school district of Philadelphia, they’ve had this for a couple of years now where they actually have a rubric for vetting digital tools that includes privacy, that includes all kinds of different things that teachers go through before they use a tool. I think to whoever was making a point about—I think it was you, Bill—about the firewall, right? It’s not about the firewall. This is about users and what users are doing to open up holes, no matter how much we lock it down. I don’t know in the cybersecurity conversations how much about data privacy comes into play and whether we should be talking more about that.
Sarahan: We should be. You’re right; it’s a super-fine line between making teachers feel like they’re being handcuffed and getting them to fully buy in to the understanding that they’re actually protecting themselves and their kids.
Wenzel: I just wanted to offer a last piece of advice for any schools that are trying to begin to tackle this issue. My first measure of advice would be to just get a simple assessment of your current vulnerabilities. You can either do a self-assessment using the guidelines that ATLIS provides, or you can pay a small fee for a cybersecurity audit done by somebody like Educational Collaborators, which has a really simple audit that’s very accessible financially. There are other organizations that do it, but this is really geared toward education. I think for anybody to start addressing these issues, they need to understand what their baseline is, what their baseline vulnerabilities are, and then build up from there, because very few of our institutions and schools have a CISO, a chief information security officer. That position is starting to come about, but we don’t currently have that. I think we will be seeing something like that in the years to come.
Davis: To wrap this up, what would be your advice to schools?
Freitas: I would say it seems like it’s overwhelming. It doesn’t have to be, and it certainly isn’t. The whole “perfect is the enemy of good” thing—good enough is usually good enough. If you were to use the first steps of the ATLIS guide and meet those, you’re going
to stop about 80% of the things that could happen to you and probably 90% of the things that are most commonly going to happen to you. So, go for that. Don’t be scared. It can be an area where you’ve never trod before; those guidelines are really clear and easy to read. Go through them.
Hertz: We were going with the low-hanging fruit, like we were talking about, of taking care of 17 servers that were just sitting on the network and often open to the internet. That’s easy, right? Cleaning up your firewall and getting your firewall set up properly, making sure you have endpoint like Ally [Wenzel] was talking about. We have Sophos endpoint on all of our devices. Using MDMs to make sure software is being updated. The kind of things you can control—starting with the things that you can actually control, because the other part, the part we’ve been talking about that is the most vulnerable, is the users, and that’s a bigger lift. And then, who’s going to own this project? I think that’s talking about time, talking about commitment. There has to be somebody that owns it, and if there’s nobody that owns it, it’s not going to happen. What I think is successful about what we are trying to do is that there’s ownership over it and that there’s a team working to push it forward and holding accountability there.
Sarahan: Whether you’re a school starting out on this or you’re a school revising how you do things in an effort to improve, it’s going to be incorporating the stakeholders that this affects. Pick the teachers or the staff members that seem the most resistant if you can, because if you can get them to participate and help them see that you’re actually saying, “I understand,” and that you support them and that you’re there for those exact reasons, to make their lives a little better, then they’re going to be your greatest advocates out with the rest of the teachers and the staff members. It can’t hurt to loop in, when you’re working on stuff that affects students, some of your students to help with creating processes, too, or revising, right? And to add one more thing, I would recommend that if you don’t have a student user-friendly version of your responsible-use policy for them to review with their advisors and sign, coming up with that is important, since it helps the kids respect the network and their devices and each other.
What are your thoughts? Share your reactions to this article in the comment section below and let your peers hear your ideas on how to prepare your school for the upcoming academic year.
#CybersafetyandDataSecurity