Cybersecurity is a topic of keen interest for school district officials these days. Lines for cybersecurity sessions snaked down the hallways at the recent Texas Computer Education Association conference in San Antonio. In one room, about 50 educators and administrators crowded around a tabletop exercise discussing phishing, ransomware, and other cyber issues. At the conclusion, Lucas Anderson, of TASB Risk Management Services, asked for a show of hands if the activity had been helpful. Every person raised a hand.
The unanimous response showed Anderson, TASB’s privacy and cyber risk consultant serving members of the TASB Risk Management Fund, that people are looking for guidance with this increasingly complex topic.
As the largest provider of risk management services to educational entities in Texas, the Fund is working to increase awareness among its members about the importance of protecting against cyber threats with cybersecurity action plans. The goal is to guide district personnel through real-world scenarios to identify needs in their systems and processes.
Such training is an integral part of the Fund’s cybersecurity program available to participating members. Regardless of how districts opt to protect against cyber threats, however, it’s essential to plan, prepare, and practice.
“The Fund underwrites and supports cybersecurity resources for its members in this critical area of district operations,” said Mary Barrett, associate executive director of TASB Risk Management Services. “Innovative solutions and training help mitigate the risks associated with storing sensitive district data.”
Increasing Cyber Threats
The stakes for school districts have never been higher. According to a November 2022 report by the Center for Internet Security, “schools are data-rich and can be resource-poor, making them particularly lucrative targets for cyber threat actors.” The report cites the challenges school districts face due to deficient funding in the face of ever-increasing threats, staffing challenges, and a general lack of strategy and documented processes related to district cybersecurity.
“We recognize that public schools continue to be a target for cyber criminals Photo by TASB Media Services TASB Risk Management Consultant Lucas Anderson presents at a conference. and other bad actors who want to steal data, disrupt operations, or extort money,” Barrett said. “That’s why the Fund in December awarded $500,000 in grants to 178 members to help them improve their cybersecurity resilience and protect against threats and attacks.”
According to the FBI Internet Complaint Center, school districts saw a 62% increase in ransomware attacks from 2020 to 2021. Ransomware, when a malicious actor holds a system or critical data for ransom, has targeted the education sector more than any other single industry since 2016.
“Ransomware has been a well-documented mode of exploitation of school districts over the last several years,” Anderson said. “Districts should be concerned about malicious actors targeting data in a variety of ways.”
Texas school districts are required by law to have a cybersecurity plan. Districts can meet the legal requirements by developing a plan that is consistent with the Texas Department of Information Resource’s Texas Cybersecurity Framework. The TCF includes identifying which district assets need to be protected, how to protect those assets, how to detect and respond to threats, and the steps to recover after a cybersecurity incident.
Every school district must also designate a cybersecurity coordinator who serves as a liaison between the district and the Texas Education Agency. This coordinator is required to complete annual training from a program approved by the Texas Department of Information Resources. Districts are also responsible for reporting system or data breaches that meet requirements set forth by the Texas Education Code and Business and Commerce Code. These legal requirements underscore the seriousness of cybersecurity threats to school districts.
“We’re one click away from disaster,” said Mark Gabehart, Round Rock ISD chief technology officer. As cybersecurity breaches became more prevalent in the K-12 sector in recent years, Gabehart began restructuring positions in his IT department to focus on cybersecurity and increasing training districtwide. His department regularly does exercises to test its cybersecurity controls.
Anderson stresses that all districts, regardless of size, have valuable data. While it can be overwhelming to know where to begin, starting with a tabletop exercise that works through various threats can help develop a cybersecurity response plan and pinpoint knowledge gaps within a district.
“You don’t eat the elephant in one bite,” said Karen Fuller, Cypress-Fairbanks ISD director of infrastructure and communications. “That’s what cybersecurity does to us, making us feel like we have to tackle the whole problem at once.”
Anderson has a deep background in cybersecurity training that he taps to help school districts with coverage in the Fund.
“I worked at the Department of Defense in Washington, D.C., and primarily what I did was simulate foreign cyberattacks for NATO military forces,” Anderson said, explaining that they were largescale exercises conducted in a locked room with teams testing the cybersecurity capabilities of military entities around the world.
He wanted to use the idea of these drills to help districts test their own cybersecurity responses. Although school districts are required by law to hold a variety of safety drills throughout the school year, cybersecurity drills are not on the list. But Anderson thinks they’re a good idea. “A district is far more likely to experience a cyber threat than a fire.”
That’s where tabletop exercises, facilitated by someone with expertise in cybersecurity, can help.
“This is a thought exercise on the table with paper,” Anderson said. “We’re not actually moving into the realm of powering down a server and testing the actual system.”
Though there are many ways to facilitate a cybersecurity tabletop exercise, Anderson takes a four-step approach to help member districts recognize cybersecurity challenges and develop an action plan. Among key steps are establishing roles and responsibilities: a cybersecurity coordinator, a public information officer, an employee responsible for the continuity of operations plan, and an information technology representative.
Once roles for the exercise have been designated, Anderson runs two different types of scenarios, giving participants about 20 minutes to work on the problem using their roles to respond. The goal is to devise an action plan to address the threat, prioritize steps that need to be taken, and then assign those steps to the designated roles at the table.
Often, districts come to a tabletop exercise with an incident response plan, an operations continuity plan, or even the cybersecurity plan that has been submitted to TEA, Anderson said. But if those plans haven’t been practiced, the gaps soon become apparent. “The primary function of executing this exercise is to prioritize steps and adjust plans as necessary,” he said.
Here are the scenarios:
1. Fraudulent instruction. In this scenario, a phishing email, a form of social engineering through electronic communication, has been sent to district personnel related to a recent bond project. The email appears to be from a vendor who won a contract asking for a substantial payment. This type of cyber threat where an email appears to be from a trusted source far outpaces other types of incursions.
2. Ransomware. In this situation, a district’s network does not have a crucial patch and malware, a malicious software program, is able to hold sensitive data for a $500,000 ransom. Patches address common vulnerabilities and exposures, and it is critical to network security to perform updates often.
“On average, malware sits dormant for 100 days doing surveillance of your network,” Anderson said. Sophisticated hackers are very good at entering a system undetected, he noted, adding that once they are in, they will spend a lot of time looking for assets and determining weaknesses in the network.
For any tabletop exercise, the post- incident analysis is key. One participating district realized it didn’t have the tools it needed to address the threat, and as a result, the participants thought the exercise wasn’t as successful as they had anticipated. But Anderson assured them that it was an optimal outcome to have in a simulation.
“Now you know what you need to work towards,” he told the district. “You look back at the exercise and see where you failed and see where you can get stronger in that department. That after- action is the most critical component of the exercise.”
The final step in the exercise is corrective action. Participants must determine if the vulnerability that allowed the threat to occur was technical or human in nature. If it was technical, then the district may need to audit users and account access, patch and repair servers, or conduct backup checks among other steps, Anderson said.
If the vulnerability was caused by human error, Anderson stressed that it is important to see it as an opportunity to educate the district community about cybersecurity, rather than take punitive action. “These are your lessons learned,” he said.
Educating the Community
Peter Apostolakos, Round Rock ISD’s director of information security, holds phishing training four times a month that focuses on employees who have responded to a fraudulent instruction email.
“The general rule in cybersecurity is not if something will happen; it’s when something will happen,” Apostolakos said.
To help mitigate the risk, the IT department trains everyone on cybersecurity who has a Round Rock ISD email address. Gabehart said the training resources available through the Texas Department of Information Resources are in both Spanish and English, which has been helpful in reaching a variety of groups in the community.
Fuller heartily agrees that training like a tabletop exercise can be helpful. “The most important thing a district can do is educate all stakeholders on cybersecurity.”
Along with training and educating members of the community, some school districts have developed other programs to improve their cybersecurity. For example, Round Rock ISD created three positions to work in tandem, including an expert in policies and procedures for cybersecurity governance; a position with a strong hardware background to focus on the firewall and the architecture; and an analyst who monitors different tools, looking at daily network traffic to determine if there are risks.
“We use a holistic approach to cybersecurity,” said Apostolakos.
“This did not happen overnight,” added Gabehart. It was a five-year journey to create the staffing model the district currently uses. While funding has increased for the tools used to improve cybersecurity, Gabehart said he had to be resourceful when it came to staffing by shifting positions within the IT department to focus on cybersecurity.
Round Rock ISD also created a cybersecurity governance committee that meets six times a year to discuss new policies and procedures to better protect the district. Gabehart said this has created buy-in by including representatives from the different business areas of the district.
“School district culture is very open,” Gabehart said. “We don’t want to close our doors and limit innovation. It is a balancing act between innovation and security.”
Anderson agrees that districts can benefit by broadening and strengthening their cybersecurity efforts. He hopes the Fund’s efforts to raise awareness about cybersecurity threats, including its recent grant program, can help districts develop detailed efforts to protect their systems and data.
“The best thing any district can do when it comes to cybersecurity is just to do something, start somewhere,” he said.
Beth Griesmer is a senior communications specialist for TASB.