As Melissa Tebbenkamp sees it, promoting strong cybersecurity is as much about changing district behavior as it is about guarding against the damage any bad actor tries to inflict.
Tebbenkamp, the director of instructional technology for the Raytown Quality Schools, a 9,000-student school system outside Kansas City, Mo. is expected to run point in guarding against phishing scams, malware, and other forms of cyberattack.
But she’s also counting on her colleagues, from top administrators to the district’s teachers, to make the right decisions when a suspicious e-mail lands in their basket and something doesn’t seem quite right.
To that end, Tebbenkamp has put an emphasis on training district staff about cybersecurity—and restricting employees’ access to tech systems to reduce vulnerability.
Tebbenkamp has served in her tech role in the Missouri district since 2006. She’s also sought to help other district officials through her involvement in a number of cybersecurity and data-privacy committees and working groups through the Consortium for School Networking.
She spoke with Education Week Associate Editor Sean Cavanagh about the lessons she’s learned about cybersecurity and the steps for districts trying to protect themselves.
What is the biggest cybersecurity risk school districts face?
Your staff and students. Our biggest risk is ourselves. You do have some students who are really smart and intentionally try to hack or gain access when they’re not supposed to. But with your staff, it’s more about the inadvertent disclosure of information or clicking on that phishing e-mail and allowing access, or clicking on something that has malware attached to it.
What kinds of intrusions are you most worried about?
Not in my district, but W-2 phishing scams were big a few years ago, and I still see those phishing e-mails directly targeting our finance and payroll departments, saying, “I’m the superintendent, and I need you to give me this information.” Those are our most frequent, and they’re hitting our business offices, mostly.
On the staff side, if teachers have administrative access to machines—and many districts still do allow it—their biggest threat is malware: A teacher clicking on a link, or inadvertently clicking on a link that’s going to install malware on their machine.
What’s the information that bad actors in the cyber arena covet the most?
Number one is the computing power within a school system. [They want] to leverage the computing power in your servers to start running the other schemes that they run. It’s not necessarily about the information. But they do want student records. The latest from the Department of Education is that a student record on the black market can be between $250 and $350. You compare that to a social security number, which is like 10 bucks. Student records can be incredibly valuable. Depending on what kind of information they’re going over, most of their targeted attempts for student information are happening at the big company level, rather than at the school level. It’s really the resource-utilization they’re interested in.
Why do cyberattackers want ‘resource utilization?’
It’s running processes on our servers to use them to do denial-of-service attacks. Or they want to try to hack someplace—they don’t want to hack the FBI from their headquarters. It would be great for them to tunnel in here and use our resources to initiate the hack. Even at home, a lot of those viruses are after resource utilization. A lot of the hacks are going after people’s processing power. And those are the ones that go really unnoticed.
So if hackers are getting access to your processing power, how would you know that?
If you’re tracking the traffic on your network—we do that—you know what looks off. You know how much [traffic] a server should have, in terms of download and upload. That will help you identify when you have resources being used maliciously.
What’s your biggest worry about student records getting accessed?
Social security numbers aren’t worth much anymore. But that information that is tied to the individual ... the really scary part is some of our student information is valuable to people who want to prey on students. That’s one of the pieces I used in my training with teachers: We wouldn’t let someone come in off the street and talk to our kids. We need to protect all of their online information, as if we’re protecting them physically. Because that information could give someone the ability to approach a student, have a conversation with them, and then target them.
So what are the most fundamental strategies to protect school districts from cyberattacks?
You obviously have to have the gates closed. You need to have your firewalls in place, and meet those best practices. Your virus protection—the majority of schools do that pretty well.
The next piece, once you take care of the basics, is user training. Making sure your staff know what a phishing e-mail looks like, what those scams look like, how to respond or not respond. Where it’s important to share student information, and where it’s not. That end-user training is going to protect you. That will protect you against the lost USB drive with personal information on it. That training can’t be once a year. You have to keep it front of mind.
What other steps do you recommend to encourage staff to manage cybersecurity?
The other thing is restricting access. My teachers don’t need to have administrative access to their computers to do their jobs. We find a way to make sure they have the resources they need. It’s a little more load on my department, but we stay safe. We don’t have the threats of someone having all their documents encrypted, and then having ransomware.
And then making sure you have all your data backed up. And there’s a layer of protection between what’s being backed up, and your live environment. If you get an attack on your network, and you have a virus infect everything or encrypt everything, that your backups aren’t infected and you have a restore point. If you accomplish those big pieces, you’re so far ahead of the game.
How are you defining “administrative access”?
Some people refer to it as a power user. It’s what allows you to install software on your computer. If I click on “install now,” and it doesn’t prompt me for an administrative password, then I have access on your computer to install that software. But if you have access, that means so does anything that comes down through the internet. We have that safeguard, so our users cannot install any software on their computers.
That stops most of those malicious attacks that come through that user interface—from someone either clicking on a bad website, or an attachment in an e-mail. Because whatever is downloaded doesn’t have the rights to run what it needs to run.
How easy is it for districts to restrict administrative access?
It’s a big culture change. I implemented it about 12 years ago. Even I, as CTO, don’t have administrative access to my computer now, and neither do any of my local techs. We have a separate account, that has elevated access, which you use only in the instance when you need elevated access. That culture change goes all the way through to your superintendent, your CTO, your CFO. There’s no reason for any of us to have that level of access.
What makes for an effective backup of your district data?
If your permissions aren’t set right on your backup server, and you’re backing it up at the file level, that ransomware will propagate and infect everything. And so if it still has permission to do that on your backups, then all of your backups become encrypted. You have to make sure your backups are configured properly. [It’s things like] making sure your directories don’t have the ability to write between each other.
