Getting Serious About Security in Schools

Americans do a whole lot of fretting about cyber security, and with good reason. We all read about the breaches that have become daily occurrences; we receive constant reminders to protect one’s online identity when using computers and mobile devices, and we’re warned more and more about bad guys coming at us through our televisions, security cameras and personal assistants.

So we lock down our home networks, protect our phones with cryptic passwords (well, some of us, anyway) and constantly check our accounts to monitory for suspicious activity.

But what we don’t seem to worry much about is the cyber security of our schools. Maybe it’s because we don’t believe our children have developed cyber identities. Maybe it’s because we blindly trust our schools to protect our most precious assets. Maybe it’s because we just take too many things for granted.

I’m the father of three boys, two of whom are under the age of 10, and I write about security a good chunk of the time I’m trying to make a living. And yet I’ve never had a single interaction with any of the schools my children have attended about cyber security.

Perhaps it’s time we all started paying more attention to this, because there are plenty of signs that the world of cyber crime is moving closer and closer to our children.

Take the recent case in Detroit of two middle school students who installed software on their school district’s network that enabled them to access security cameras, student data and teacher files. Granted, this is hardly the same as having an organized crime syndicate hacking into a school’s computers, but the fact that it’s happening at all should be setting off alarms. And as we’ve learned all to well, insider threats are to be feared just as much as external attackers.

Elsewhere, a completely different kind of attack blocked parents in the Oklahoma City Public School District from accessing their children’s student information. The denial of service attack didn’t pose any threat to the data in question; it simply crippled the parent portal hosted by Infinite Campus, one of the largest providers of student information systems in the country. But despite the lack of a nefarious objective, the attack was ominous in that a district spokeswoman said it was 50 times more voluminous and 100 times longer than any attack the district had experienced previously.

Events such as these have become commonplace enough that the FBI recently issued a warning that the growing collection of student data combined with the unsecured state of many educational computer networks presents serious privacy and safety risks that should be addressed.

“Malicious use of this sensitive data could result in social engineering, bullying, tracking, identity theft, or other means for targeting children,” the FBI said in its warning.

Given this backdrop, it’s hardly surprising that officials of the Hoover City School District in Hoover, Ala., have taken the proactive step of having experts provide some much-needed coaching.

ThreatAdvice, a cyber security training firm based in Birmingham, Ala., is providing online threat-detection training for all 3,000 employees of the district. Teachers and administrators will be taught how to spot scams and other types of intrusions and will also learn about recommended cyber security policies for schools.

Those policies could help to ensure schools keep up on the latest threats. And believe it or not, truly ominous threats are increasingly finding their way to schools. If they weren’t, the U.S. Department of Education wouldn’t have found it necessary last year to issue a strongly worded alert about an emerging threat in which schools were being extorted for money by hackers threatening to release student information.

The wide range of increasingly aggressive attacks schools face is why Bryan Phillips, the Hoover School District CTO, implied in a press release announcing the ThreatAdvice training that school districts can no longer sit back and hope cyber attackers leave them alone.

“In the face of increasing and ever-changing cyber-attacks proactive education on how to protect our school system’s data and the personal information of our students is imperative,” said Phillips.

Other schools would be wise to follow suit. Let’s face it: There’s not a lot of cyber security experience or expertise on most school staffs, which is one reason they’ve become a more attractive target. It’s a weakness that threatens to chip away at the trustworthiness schools have traditionally enjoyed among parents.

In other words, by engaging in a little cyber security education, school districts may not only be protecting the privacy and safety of their students; they very well may be preserving their own reputations, and thus their continued ability to attract the best students.

If that doesn’t get school district boards interested in shoring up security, nothing will.

*** This is a Security Bloggers Network syndicated blog from RSAConference Blogs RSS Feed authored by Tony Kontzer. Read the original post at: