IT Infrastructure & Management

Q&A: How to Bolster Cybersecurity in Your Schools

District tech chief says internal controls are essential
By Sean Cavanagh — April 30, 2019 6 min read
  • Save to favorites
  • Print

As Melissa Tebbenkamp sees it, promoting strong cybersecurity is as much about changing district behavior as it is about guarding against the damage any bad actor tries to inflict.

Tebbenkamp, the director of instructional technology for the Raytown Quality Schools, a 9,000-student school system outside Kansas City, Mo. is expected to run point in guarding against phishing scams, malware, and other forms of cyberattack.

But she’s also counting on her colleagues, from top administrators to the district’s teachers, to make the right decisions when a suspicious e-mail lands in their basket and something doesn’t seem quite right.

To that end, Tebbenkamp has put an emphasis on training district staff about cybersecurity—and restricting employees’ access to tech systems to reduce vulnerability.

Tebbenkamp has served in her tech role in the Missouri district since 2006. She’s also sought to help other district officials through her involvement in a number of cybersecurity and data-privacy committees and working groups through the Consortium for School Networking.

She spoke with Education Week Associate Editor Sean Cavanagh about the lessons she’s learned about cybersecurity and the steps for districts trying to protect themselves.

What is the biggest cybersecurity risk school districts face?

Your staff and students. Our biggest risk is ourselves. You do have some students who are really smart and intentionally try to hack or gain access when they’re not supposed to. But with your staff, it’s more about the inadvertent disclosure of information or clicking on that phishing e-mail and allowing access, or clicking on something that has malware attached to it.

What kinds of intrusions are you most worried about?

Not in my district, but W-2 phishing scams were big a few years ago, and I still see those phishing e-mails directly targeting our finance and payroll departments, saying, “I’m the superintendent, and I need you to give me this information.” Those are our most frequent, and they’re hitting our business offices, mostly.

On the staff side, if teachers have administrative access to machines—and many districts still do allow it—their biggest threat is malware: A teacher clicking on a link, or inadvertently clicking on a link that’s going to install malware on their machine.

What’s the information that bad actors in the cyber arena covet the most?

Number one is the computing power within a school system. [They want] to leverage the computing power in your servers to start running the other schemes that they run. It’s not necessarily about the information. But they do want student records. The latest from the Department of Education is that a student record on the black market can be between $250 and $350. You compare that to a social security number, which is like 10 bucks. Student records can be incredibly valuable. Depending on what kind of information they’re going over, most of their targeted attempts for student information are happening at the big company level, rather than at the school level. It’s really the resource-utilization they’re interested in.

Why do cyberattackers want ‘resource utilization?’

It’s running processes on our servers to use them to do denial-of-service attacks. Or they want to try to hack someplace—they don’t want to hack the FBI from their headquarters. It would be great for them to tunnel in here and use our resources to initiate the hack. Even at home, a lot of those viruses are after resource utilization. A lot of the hacks are going after people’s processing power. And those are the ones that go really unnoticed.

So if hackers are getting access to your processing power, how would you know that?

If you’re tracking the traffic on your network—we do that—you know what looks off. You know how much [traffic] a server should have, in terms of download and upload. That will help you identify when you have resources being used maliciously.

See Also: 6 Steps for Preventing and Cleaning Up Cyberattacks

What’s your biggest worry about student records getting accessed?

Social security numbers aren’t worth much anymore. But that information that is tied to the individual ... the really scary part is some of our student information is valuable to people who want to prey on students. That’s one of the pieces I used in my training with teachers: We wouldn’t let someone come in off the street and talk to our kids. We need to protect all of their online information, as if we’re protecting them physically. Because that information could give someone the ability to approach a student, have a conversation with them, and then target them.

So what are the most fundamental strategies to protect school districts from cyberattacks?

You obviously have to have the gates closed. You need to have your firewalls in place, and meet those best practices. Your virus protection—the majority of schools do that pretty well.

The next piece, once you take care of the basics, is user training. Making sure your staff know what a phishing e-mail looks like, what those scams look like, how to respond or not respond. Where it’s important to share student information, and where it’s not. That end-user training is going to protect you. That will protect you against the lost USB drive with personal information on it. That training can’t be once a year. You have to keep it front of mind.

What other steps do you recommend to encourage staff to manage cybersecurity?

The other thing is restricting access. My teachers don’t need to have administrative access to their computers to do their jobs. We find a way to make sure they have the resources they need. It’s a little more load on my department, but we stay safe. We don’t have the threats of someone having all their documents encrypted, and then having ransomware.

And then making sure you have all your data backed up. And there’s a layer of protection between what’s being backed up, and your live environment. If you get an attack on your network, and you have a virus infect everything or encrypt everything, that your backups aren’t infected and you have a restore point. If you accomplish those big pieces, you’re so far ahead of the game.

How are you defining “administrative access”?

Some people refer to it as a power user. It’s what allows you to install software on your computer. If I click on “install now,” and it doesn’t prompt me for an administrative password, then I have access on your computer to install that software. But if you have access, that means so does anything that comes down through the internet. We have that safeguard, so our users cannot install any software on their computers.

That stops most of those malicious attacks that come through that user interface—from someone either clicking on a bad website, or an attachment in an e-mail. Because whatever is downloaded doesn’t have the rights to run what it needs to run.

How easy is it for districts to restrict administrative access?

It’s a big culture change. I implemented it about 12 years ago. Even I, as CTO, don’t have administrative access to my computer now, and neither do any of my local techs. We have a separate account, that has elevated access, which you use only in the instance when you need elevated access. That culture change goes all the way through to your superintendent, your CTO, your CFO. There’s no reason for any of us to have that level of access.

What makes for an effective backup of your district data?

If your permissions aren’t set right on your backup server, and you’re backing it up at the file level, that ransomware will propagate and infect everything. And so if it still has permission to do that on your backups, then all of your backups become encrypted. You have to make sure your backups are configured properly. [It’s things like] making sure your directories don’t have the ability to write between each other.

A version of this article appeared in the May 01, 2019 edition of Education Week as Q&A: How to Bolster Cybersecurity in Your Schools

Events

School & District Management Webinar Crafting Outcomes-Based Contracts That Work for Everyone
Discover the power of outcomes-based contracts and how they can drive student achievement.
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
School & District Management Webinar
Harnessing AI to Address Chronic Absenteeism in Schools
Learn how AI can help your district improve student attendance and boost academic outcomes.
Content provided by Panorama Education
School & District Management Webinar EdMarketer Quick Hit: What’s Trending among K-12 Leaders?
What issues are keeping K-12 leaders up at night? Join us for EdMarketer Quick Hit: What’s Trending among K-12 Leaders?

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

IT Infrastructure & Management Cybersecurity Demands Are Growing. Funding Isn't Keeping Pace
State education leaders worry funding for cybersecurity isn’t enough to cope with the worsening problem of attacks on schools.
2 min read
Dollar Sign Made of Circuit Board on Motherboard and CPU.
iStock/Getty
IT Infrastructure & Management Sizing Up the Risks of Schools' Reliance on the 'Internet of Things'
Technology is now critical to both the learning and business operations of schools.
1 min read
Vector image of an open laptop with octopus tentacles reaching out of the monitor around a triangle icon with an exclamation point in the middle of it.
DigitalVision Vectors
IT Infrastructure & Management How Schools Can Survive a Global Tech Meltdown
The CrowdStrike incident this summer is a cautionary tale for schools.
8 min read
Image of students taking a test.
smolaw11/iStock/Getty
IT Infrastructure & Management What Districts Can Do With All Those Old Chromebooks
The Chromebooks and tablets districts bought en masse early in the pandemic are approaching the end of their useful lives.
3 min read
Art and technology teacher Jenny O'Sullivan, right, shows students a video they made, April 15, 2024, at A.D. Henderson School in Boca Raton, Fla. While many teachers nationally complain their districts dictate textbooks and course work, the South Florida school's administrators allow their staff high levels of classroom creativity...and it works.
Art and technology teacher Jenny O'Sullivan, right, shows students a video they made on April 15, 2024, at A.D. Henderson School in Boca Raton, Fla. After districts equipped every student with a device early in the pandemic, they now face the challenge of recycling or disposing of the technology responsibly.
Wilfredo Lee/AP