Cyber Attack at Springland City Schools

It was a day like any other in the district technology office, until…

Having stopped by my usual coffee shop on my way to work, Thursday is off to a promising start. Then, just as I pull into my parking space, my phone buzzes with some kind of alert. Out of habit, I check it immediately. It’s an email from our local technology director listserv, subject line: Cyber-attack at Springland City Schools.

My stomach turns. Springland is a neighboring district. I know the IT director from that district personally. In fact, I just talked with Neil at the regional tech director conference last month. Now I'm staring at a video of him being interviewed by a Channel 7 reporter.

I immediately ping our local IT directors group to see if we can provide Springland with any assistance or resources.

What happened?

With a lump in my throat, I click on the link to the article and scroll through. Apparently, someone, maybe a staff member or maybe a student, clicked on a link, causing a data breach that inadvertently disclosed the personal data of over 10,000 students and 3,200 educators — in some cases going back about 10 years. Phone numbers, mailing addresses, social security numbers, health information and parent information – all compromised.

I shiver and immediately think of our district. How likely is it that this could happen here? Well… it’s not unlikely.

Now what?

The same questions keep getting stuck in my brain:

• What if this had happened in my district?
• What can I do to stop it from happening in my district?
• If it happened, what would we need to do?

Obviously, these aren’t new questions for me, but now it feels real and somehow more personal. It just happened to Neil!

My phone buzzes again. The assistant superintendent needs help reconfiguring his email. I’m sure this is just one of about a dozen help requests our technology team has already gotten today, so I grab my backpack and head inside.

How can we reduce our risk?

“Did you hear about the breach at Springland?” one of my IT specialists, Doug, asks me as I walk past his desk on the way to my office.

We talk about the news for a few minutes and I mention that I’ll be scheduling a meeting for the technology team this morning to review our current cybersecurity incident response plan.

Another buzz. Time to dig in to those help requests.

The meeting.

The morning flies by as usual, but I’m so relieved we made time to get together and talk about what's going on. The three people on our team – Doug, Kelly and me – are responsible for all things technology in the district.

I begin by listing what we’ve done so far to manage cybersecurity:

• We send out an acceptable-use policy at the beginning of each school year
• We only work with technology vendors who are as invested in our security as we are and sign our Data Sharing and Privacy Agreement
• We identify everyone on our Security Operations team to ensure readiness and responsibilities when an event occurs

There’s so much more we would like to do if we had the time and resources, but we don’t have the luxury of waiting for those. We go around the room listing the things we would like to be doing on top of what we’re already doing to protect our district.

• Conduct semi-regular cyber-response drills, so we’re all on the same page in terms of what needs to happen if we are attacked — so everyone knows what to expect
• Related to that last one, have in-depth conversations with current and future vendors about what they are doing on their end to keep us secure, and what they are responsible for if we have a breach
• Review our Cyber Awareness training initiative to ensure all stakeholders are informed
• Also review our standard operating procedures for patching of servers, work stations and applications, like ERP, SIS, etc…
• Ensure an updated inventory of all hardware, software and data
• Review password policies for employees and students
• Consider enabling multi-factor authentication for all users that have higher level access to systems or access to sensitive data
• Perform an annual Security Vulnerability Assessment with an outside certified Security professional

Next steps.

Given what’s going on at Springland, it seems even more urgent that we get our highest priority initiatives in the works.

I set up another meeting for us tomorrow and plan to start working on a cybersecurity playbook we can walk through with our Security Operations team. Kelly offers to review our Cyber Awareness training materials and see if we can make it into something more interactive for staff and students. Doug says he’ll reach out to some of the local technology teams at other districts to see how they approach cyber-response drills.

Breathing life into our Cyber Awareness training.

A few weeks later, we’ve created an interactive resource staff and students need to engage with after reading our acceptable-use policy. Now we have a better idea of who actually understands it! Based on the results, we can work with individuals to do some cybersecurity awareness coaching.

The district that cyber-drills together doesn't panic together.

Doug and I asked about a dozen colleagues from other districts how they approach cyber-response drills. Do they even do cyber-response drills? From our conversations with those that do, Doug and I created a drill protocol of our own that we plan to roll out twice a year. The district leadership team signed off on it yesterday.

Note to self: On cyber-response drill days, bring in a box of coffee… or three.

Calls with technology partners.

We start getting in touch with the technology vendors we currently work with to revalidate what they are responsible for and what we in the district are responsible for, both now and if we experience a data breach.

These aren’t easy conversations, but I already feel better after talking with other technology teams. And moving forward, it’ll be easier to evaluate the security practices of potential new vendors.

The superintendent is thrilled we had these check-ins. It’s a relief to know we have full buy-in from the leadership team.

We're ready for whatever comes our way.

It’s been about six months since Springland’s data breach and I think our district has come a long way on the cybersecurity front.

The first acceptable-use quiz and cyber-response drill provided a ton of data about where we have gaps in our cybersecurity model.

Obviously, the steps we took don’t come with a 100% guarantee ― hackers are creative, and tomorrow may bring new risks. But I have to admit, I’m sleeping a little better at night, even with the extra coffee on cyber-response drill days.

I feel much more prepared for whatever comes our way.