Cyberattack threat has school districts focused on improved security

Earlier this month, JBS, one of the world’s largest meat processors, paid millions in bitcoin to cybercriminals in a highly publicized ransomware attack.

In May, hackers shut down the Colonial Pipeline, which supplies fuel to about half of the east coast, causing shortages and spikes in costs.

When Glenwood Community School District Superintendent Devin Embray saw those cyberattacks, he felt a sense of relief.
Glenwood’s own brush with a cyberattack in 2019 could have been much, much worse, he said.

The GCSD ransomware incident in July 2019 was initiated by what was believed to be Ukrainian-based hackers. They entered the district’s network through an open portal, took control of a server and sent the district’s IT department an email: pay $10,000 and we will return control of the data to you.

Glenwood immediately contacted its insurance company – the district carries a $1 million cybersecurity rider – and the FBI. The district’s insurer, EMC Insurance, did eventually pay the ransom and access to the data was restored. The server did not contain financial or personal data, but the hack was precisely the kind of invasive incursion that has cost companies with overwhelmed IT departments man hours and millions in ransoms.

When Embray says he’s relieved that incident two years ago wasn’t worse, he means it. He also knows improved security steps undertaken by the district’s technology department since that attack are the best defense to a repeat attack.
Glenwood isn’t alone.

Cybersecurity for schools and other non-financial institutions has become increasingly critical as the dependence on technology increases. Securing networks and data is a process that requires careful planning and vigilance. The FBI reported in May that since the COVID-19 pandemic began last spring, the reports of cybercrimes are up 300 percent.

Schools are increasingly popular soft targets for hackers. They have large networks, with thousands of emails coming and going daily, and they don’t typically have the technological acumen to plug every hole.

“Schools and churches don’t have the tech staffing,” Embray said. “Compared to a financial institution, it’s night and day different. They don’t have the type of support. Ransomware people target them because they know they can get some money and it’s an easy score. They can come in and mess with us and get $10,000 from us then they can do it to 80 other school districts and then they’re making some pretty good money.”

In June the Union Community School District was the victim of a ransomware attack. In recent years school districts in Fort Dodge and Johnston faced similar attacks.

Both the East Mills and the Fremont-Mills Community School Districts carry similar cyberattack insurance to Glenwood’s policy and have for several years. Glenwood paid a $5,000 deductible as part of its ransomware incident. Embray isn’t sure what became of the FBI’s investigation, and he isn’t sure what actual ransom amount was paid, only that the hackers were asking for $10,000.

When the incursion was revealed, Glenwood’s technology department was able to make a “physical break” between those infected servers and others to isolate the hack. No classified information or payroll data was compromised. Embray thinks that’s why the ransom ask was relatively low – the hackers didn’t get sensitive data.

“I feel very fortunate we got hit for a relatively light amount in comparison to what a lot of others have been hit for,” Embray said.

“So, I feel very fortunate in that regard, however it did give us a wake-up call that people are attacking schools now and schools have to start thinking about things differently than what they were.”

As a result of the attack, Embray said the district didn’t make a lot of network security upgrades – “We shut down that open portal, obviously,” he said – and declined to go into the specifics of what changes were made. But he did say anti-virus software was reviewed and server monitoring increased. The district also added an off-site “air gap” data backup.

Jedd Taylor came on as Glenwood’s Technology Director in February of 2020, but he did work in the district during the 2019 ransomware incident. He said that incursion may have been worse had it occurred during the school year and not in the summer.

One of his first tasks in his position was beefing up the district’s security platform on the software side and pushing for more off-site data storage. He also continually preaches vigilance to staff about responsible use of email – the hackers’ No. 1 mode of entry into most networks.

“Not opening emails from people you don’t know and not opening attachments are something we talk a lot about,” he said. “And resetting passwords may seem like a pain but doing that does a lot to maintain security.”

Staff are advised not to open emails that “don’t look right” and instead to forward them to Taylor’s department so “they can isolate it, open it and determine if it’s an outside attack or a virus or a ransomware thing,” according to Embray.

Cybersecurity experts have recommended businesses firm up network security with multi-factor authentication, improved detection, and e-mail vigilance. Off-site data backups and file integrity monitoring also can help protect sensitive data.

Last October, Glenwood’s data was part of a data breach at Timberline Billing Service, LLC, a Des Moines-based company that assists Iowa school districts in accessing Medicaid reimbursements. No sensitive Glenwood data was a part of that breach, but the district did retain a law firm to assist with that investigation.

Since the 2019 incident, Glenwood has had no cyber incursions, according to Embray. Which isn’t to say hackers haven’t tried.

“I think we do get phishing emails from time to time, and that’s the lowest level of entry of cyberattack you can get,” he said. “But it can be costly if it’s not caught. So, we continue to educate on that as much as we can.”

There’s been movement recently at both the state and federal level on ransomware and cybersecurity. Several laws in the U.S. Congress are targeting help for businesses and schools, and one could make paying ransoms for data a crime. Embray thinks the intent of criminalizing paying digital extortion money is clear: to educate victims on how not to be victims.

“It pushes them to get better at cleaning up their own yards,” he said. “If they pass a law that you can’t pay a ransom and you want your data to not be stolen, you’re going to step up and do the things you need to do to protect your data and not be blind about it.

“And there’s the insurance companies paying out and premiums start going up and there’s no stop to it.”

Taylor agrees encouraging data security is the goal but hardening it enough to prevent any data leakage is easier said than done.

“It’s sort of a ‘we don’t negotiate with terrorists’ sort of thing but when you’re the one with your data locked down and impossible for you to get work done, you might have a little bit different motivation.”

 

The Opinion-Tribune

116 S Walnut St Glenwood, IA 51534-1665
P.O. Box 377, Red Oak, IA 51566
Phone: 712-527-3191
Phone: 712-623-2566
Fax: 712-527-3193
