Tech Tactics 2023 Spotlight

Making Information Security Everyone's Responsibility

Intrusions into education networks have never been more rampant. And at this point, information security is the top concern among IT leaders and administration in K–12 districts. What's more, there is the distinct possibility that AI will compound the problem, while also being used to help deal with threats.

According to Eileen Belastock, CEO of Belastock Consulting and former CTO in K–12 education, schools face a number of obstacles in dealing with network and data threats, from budgets and training and governance policies to increasing sophistication in the attacks perpetrated against school infrastructure. But there are steps every district can take to help minimize risks — and to deal with the consequences more effectively when breaches happen.

Belastock, an ed tech strategist and an author focused on education technology, educational leadership, data privacy, and information security, will be leading a session "Cybersecurity: It's Everyone's Responsibility" at the upcoming Tech Tactics in Education conference, being held Nov. 7–9 in Orlando, FL.

THE Journal had a chance to sit down with Belastock in advance of the conference and discuss the complex (and sometimes not so complex) threats faced by IT pros in K–12 education.

Making Information Security Everyone's Responsibility

THE Journal: What do you see as the major trends in threats to education information security heading into the new school year?

Eileen Belastock: A lot of the same things are that have been going on in the last few years are just escalating. Ransomware, where they're encrypting critical data; … phishing and social engineering. We can't do enough phishing exercises, and the social engineering, [like] emails from from the superintendent that people are opening and payroll sending account numbers — so that's basically human vulnerabilities. And I don't see that changing either. People love to click, and people trust that something from the internet or something from an email is true. So I think that's still going to be a major issue.

You're also seeing, and maybe not so much in education, but you're seeing a lot of disgruntled employees, who have access to data and information and systems that they shouldn't have, and then they just decide to disrupt learning because of it. You also have those inside threats that are unintentional, with our passwords of teachers on their computer towers or in a basket next to the desk or the administrative assistant in the office has her password to this the SIS. So we have all those issues.

And then the other big thing is Internet of Things. We're seeing more and more devices coming into schools and not necessarily school devices, depending on the school. Districts are letting students bring in their own devices that are not [getting] software patches.… And I still think that's going to increase because I don't think the demand for 1-to-1 in schools is going to change.

I don't know if you saw, but the FCC chairwoman put a proposal out about the Cyber Trust Mark [this summer], which I think is interesting. So you get a device, and it's gonna be guaranteed that it has some kind of cybersecurity components to it. And I think the ed tech world will follow suit [so that] any devices that are coming into a school will need to have this U.S. Cyber Trust Mark.

And of course, the last thing is the lack of awareness. And sometimes I feel like as a CTO, we all knew that this was happening. But our superintendents and our school boards, and our teachers and parents didn't understand why we needed to lock all these things down. And many times they really don't put any thought into how it's affecting the school district.

THE Journal: The Internet of Things really has a lot of potential to increase as a vector for malware.

Belastock: Well, it's interesting, because the FCC Chairwoman, she actually talked about a vending machine that had its own IP address, but it was not attached to the network security. I've heard of HVAC systems being attacked. One of the things that I did as a CTO was, I didn't let remote printing happen, because [users] are doing it from home. They're accessing our network. And there's so many things could go wrong once you're in there.

THE Journal: Where do you see the biggest weaknesses in districts' data and network security?

Belastock: Okay, so to list a few things, outdated patches and software is a big deal deal. Make sure your patches are automatic. I know when when teachers are told to update their laptops, they don't always do that. And then they bring them home and they get them on their network.

Lack of training and awareness. Again, I'm going to keep talking about that.

Another piece for me is data governance. We don't have adequate controls. There was just a school district that changed everybody's student password to "change me." So that's a problem. Having weak password protocols, who you are allowing to have access…. I mean, I know of teachers who had access to the scheduling system to make their own changes, but that also leads them to have access to other things. So we have to make sure that — I see it a lot in schools — data governance creating that tree of who has access. And the same thing with network passwords. Students get them from teachers.

And I think that the other thing is multi-factor authentication isn't happening in a lot of districts for a lot of reasons. And that that's definitely a weakness.

And the big thing I'm finding talking to districts is they're they don't have an incident response plan. They don't have that data privacy policies, so it turns into that they're actually being reactive instead of being proactive.

THE Journal: What are the mistakes you see districts making when it comes to approaches to dealing with information security?

Belastock: Definitely not investing in in cybersecurity, whether it's strengthening your infrastructure, training your staff, or actually increasing your IT staff — maybe getting a chief [information] security officer, making sure that your patches are all automatic. I think that many times we're talking about the soda machine or the HVAC system, and we don't always think of those as as putting them on automatic updates and patches, but they need that. We can't ignore them, absolutely can't ignore them. And again, being reactive rather than proactive. We should be focusing on putting a plan in place. We have one if there's a school shooting; we have one if there's a fire; so we should have a cybersecurity plan just for the same reason.

THE Journal: What are the most important things for district IT leaders to do to address security challenges in the coming years? You touched on governance. What are some of the most important things that IT leaders can do as far as governance goes?

Belastock: They really should be regularly doing risk assessments, whether it's a tabletop exercise that they do, or working with CISA on having them come in and evaluate your systems. That needs to be done. It shouldn't be a one-and-done type of thing. It should be maybe a yearly or twice-yearly event. In my last district, the school board was very focused on safety and data privacy of our students. So having clear policies in place, having those data governance policies and [determining] who can access what.

I also think, and this probably goes to another thought I have. Where is your payroll going to be run if your system goes down? Payroll's the most important thing in the entire system. And so if your HR and your payroll systems are hacked, and you need to go off site, where is that off-site location? You have to have a plan to be able to run payroll to be able to make phone calls to be able to have students continue to learn…. Those policies and procedures that come out of that are really important.

There's always going to be that, "What happens if it happens?" Let's go back and reflect where we have our loopholes. Who was our communication person? What do we communicate to the community? How long was the disruption service to our students? How many hours did our IT team have to work to get something up? So you have to really look at those things, too. So it's a really big, holistic approach to it.

And I'm going to go back to it again, cybersecurity training. It can't be [just a part] of your back to school training, in my opinion. I think it needs to be done at a different time and do it once or twice a year, but it needs to continually happen. It can't be a checkbox to districts anymore.

THE Journal: What are the major barriers to effective information security strategies in school districts? Is there is there something preventing districts from doing this or just not thinking about it?

Belastock: I think the biggest thing for us as IT directors is just the resources and budgets. School districts only have so much money to allocate, and we are in the business of of teaching students. And so I think a lot of times we're overtaxing our IT staff. I also think we don't necessarily have the most educated professionals working for us because we're not providing training on cybersecurity, and you [need to be] constantly growing your team to be able to take on these things. So when your technician in a building notices something weird because they've they've gone through cybersecurity training, that could be your first line of defense instead of waiting for a bigger failure down the road. That's important.

I think the complexity of these threats, they're constantly changing, and they're finding new ways to get into systems. District leaders have to constantly be up on what's going on. I think also finding that balance between security and accessibility. Teachers don't want to have to use their phone for multi-factor authentication. The superintendent doesn't want to have to change a password every three months. You know, students and teachers don't want to take their laptops over the summer. Yet we need to do updates and patches on them, so we can can't let them take their their school devices home. So I think it becomes a challenge. That's a big barrier. And having been on both sides of that, I could, I could see both sides. But we're not doing this. We're not saying no to apps. We're not saying no to third-party vendors. We're not just saying yes, but we need to make sure it's safe. So I think that's a culture change for a lot of districts, especially ones that are used to operating where the principal has IT admin access to the entire process. In the old days, that may have been OK, but it's not anymore.

THE Journal: What do you see as the role of AI in school security? Threat? Defender? Both?

Belastock: Well, that's an interesting topic. I've been doing a lot of research. I think everybody's been doing a lot of research on this, but I've been trying to focus around cybersecurity. I think it can be seen as both a threat and an asset to districts.

My new word I learned was deep fakes. Where they actually use AI-generated voices so that they can spread misinformation, they can pretend they're someone else. I think that's a big thing. I think AI has potential because it takes so much data. And it is a learning system, and it can quickly learn where the holes are in someone's network security and be able to access data that they probably wouldn't have been able to access. I think AI, because it's such a quick-learning program, will find those ways to actually manipulate the fact that we're humans.

I also think there's a lot of great things with it. AI can actually see things that we as humans cannot always register as quickly. We can't always register [multiple] complex things happening at the same time. So I think that AI has the potential to be able to do security checks and to look at logins and look at activity and look at where we're at, look at the IP addresses and all those things and be able to put them in a report that districts can really look at. And it's all in real time. I mean, if we don't have it people working 24 hours a day, I think that AI could could be that that way for us to secure our systems more.

And I think it also can take the burden off our staff doing routine things and have them more focused on looking for abnormal activity or where there are holes in our systems. So I just think there's a lot of great things coming out of it. And we're already using it. There's a lot of companies who are already using AI around around cybersecurity monitoring and system monitoring. So I just I see it as I see it as a great tool. But it doesn't devalue the need for strong, certified professionals working in our districts to be able to support that.