As Melissa Tebbenkamp sees it, promoting strong cybersecurity is as much about changing district behavior as it is about guarding against the damage any bad actor tries to inflict.
Tebbenkamp, the director of instructional technology for the Raytown Quality 69传媒, a 9,000-student school system outside Kansas City, Mo. is expected to run point in guarding against phishing scams, malware, and other forms of cyberattack.
But she鈥檚 also counting on her colleagues, from top administrators to the district鈥檚 teachers, to make the right decisions when a suspicious e-mail lands in their basket and something doesn鈥檛 seem quite right.
To that end, Tebbenkamp has put an emphasis on training district staff about cybersecurity鈥攁nd restricting employees鈥 access to tech systems to reduce vulnerability.
Tebbenkamp has served in her tech role in the Missouri district since 2006. She鈥檚 also sought to help other district officials through her involvement in a number of cybersecurity and data-privacy committees and working groups through the Consortium for School Networking.
She spoke with Education Week Associate Editor Sean Cavanagh about the lessons she鈥檚 learned about cybersecurity and the steps for districts trying to protect themselves.
What is the biggest cybersecurity risk school districts face?
Your staff and students. Our biggest risk is ourselves. You do have some students who are really smart and intentionally try to hack or gain access when they鈥檙e not supposed to. But with your staff, it鈥檚 more about the inadvertent disclosure of information or clicking on that phishing e-mail and allowing access, or clicking on something that has malware attached to it.
What kinds of intrusions are you most worried about?
Not in my district, but W-2 phishing scams were big a few years ago, and I still see those phishing e-mails directly targeting our finance and payroll departments, saying, 鈥淚鈥檓 the superintendent, and I need you to give me this information.鈥 Those are our most frequent, and they鈥檙e hitting our business offices, mostly.
On the staff side, if teachers have administrative access to machines鈥攁nd many districts still do allow it鈥攖heir biggest threat is malware: A teacher clicking on a link, or inadvertently clicking on a link that鈥檚 going to install malware on their machine.
What鈥檚 the information that bad actors in the cyber arena covet the most?
Number one is the computing power within a school system. [They want] to leverage the computing power in your servers to start running the other schemes that they run. It鈥檚 not necessarily about the information. But they do want student records. The latest from the Department of Education is that a student record on the black market can be between $250 and $350. You compare that to a social security number, which is like 10 bucks. Student records can be incredibly valuable. Depending on what kind of information they鈥檙e going over, most of their targeted attempts for student information are happening at the big company level, rather than at the school level. It鈥檚 really the resource-utilization they鈥檙e interested in.
Why do cyberattackers want 鈥榬esource utilization?鈥
It鈥檚 running processes on our servers to use them to do denial-of-service attacks. Or they want to try to hack someplace鈥攖hey don鈥檛 want to hack the FBI from their headquarters. It would be great for them to tunnel in here and use our resources to initiate the hack. Even at home, a lot of those viruses are after resource utilization. A lot of the hacks are going after people鈥檚 processing power. And those are the ones that go really unnoticed.
So if hackers are getting access to your processing power, how would you know that?
If you鈥檙e tracking the traffic on your network鈥攚e do that鈥攜ou know what looks off. You know how much [traffic] a server should have, in terms of download and upload. That will help you identify when you have resources being used maliciously.
What鈥檚 your biggest worry about student records getting accessed?
Social security numbers aren鈥檛 worth much anymore. But that information that is tied to the individual ... the really scary part is some of our student information is valuable to people who want to prey on students. That鈥檚 one of the pieces I used in my training with teachers: We wouldn鈥檛 let someone come in off the street and talk to our kids. We need to protect all of their online information, as if we鈥檙e protecting them physically. Because that information could give someone the ability to approach a student, have a conversation with them, and then target them.
So what are the most fundamental strategies to protect school districts from cyberattacks?
You obviously have to have the gates closed. You need to have your firewalls in place, and meet those best practices. Your virus protection鈥攖he majority of schools do that pretty well.
The next piece, once you take care of the basics, is user training. Making sure your staff know what a phishing e-mail looks like, what those scams look like, how to respond or not respond. Where it鈥檚 important to share student information, and where it鈥檚 not. That end-user training is going to protect you. That will protect you against the lost USB drive with personal information on it. That training can鈥檛 be once a year. You have to keep it front of mind.
What other steps do you recommend to encourage staff to manage cybersecurity?
The other thing is restricting access. My teachers don鈥檛 need to have administrative access to their computers to do their jobs. We find a way to make sure they have the resources they need. It鈥檚 a little more load on my department, but we stay safe. We don鈥檛 have the threats of someone having all their documents encrypted, and then having ransomware.
And then making sure you have all your data backed up. And there鈥檚 a layer of protection between what鈥檚 being backed up, and your live environment. If you get an attack on your network, and you have a virus infect everything or encrypt everything, that your backups aren鈥檛 infected and you have a restore point. If you accomplish those big pieces, you鈥檙e so far ahead of the game.
How are you defining 鈥渁dministrative access鈥?
Some people refer to it as a power user. It鈥檚 what allows you to install software on your computer. If I click on 鈥渋nstall now,鈥 and it doesn鈥檛 prompt me for an administrative password, then I have access on your computer to install that software. But if you have access, that means so does anything that comes down through the internet. We have that safeguard, so our users cannot install any software on their computers.
That stops most of those malicious attacks that come through that user interface鈥攆rom someone either clicking on a bad website, or an attachment in an e-mail. Because whatever is downloaded doesn鈥檛 have the rights to run what it needs to run.
How easy is it for districts to restrict administrative access?
It鈥檚 a big culture change. I implemented it about 12 years ago. Even I, as CTO, don鈥檛 have administrative access to my computer now, and neither do any of my local techs. We have a separate account, that has elevated access, which you use only in the instance when you need elevated access. That culture change goes all the way through to your superintendent, your CTO, your CFO. There鈥檚 no reason for any of us to have that level of access.
What makes for an effective backup of your district data?
If your permissions aren鈥檛 set right on your backup server, and you鈥檙e backing it up at the file level, that ransomware will propagate and infect everything. And so if it still has permission to do that on your backups, then all of your backups become encrypted. You have to make sure your backups are configured properly. [It鈥檚 things like] making sure your directories don鈥檛 have the ability to write between each other.