Pretty much every day, there is a news report about a company’s computer system being hacked. The hackers often request large sums of money (usually in bitcoin) in order for the company to unlock its system. For some, paying the ransom may seem more economically viable, especially if the organization stands to lose a significant amount of revenue per day from the loss of the computer operations. Reports have indicated that paying does not guarantee that you will get your system back, nor does it prevent the hackers from repeating their crime. The more funds the hackers receive, the better they become at crafting techniques for compromising systems and holding your computer system hostage. The official advice from the U.S. government, as well as cyber defense experts, is not to pay.
School districts are not exempt from cyber-attacks. Per the June 2016 publication from the Office of the State Comptroller titled “Protecting Sensitive Data and Other Local Government Assets: A Non-Technical Cybersecurity Guide for Local Leaders,” the school district superintendent has a “responsibility to protect and maintain a secure information technology (IT) system.” The publication notes that “audits conducted by OSC have shown that weaknesses are persistently prevalent in local government and school district IT systems, regardless of the complexity or size of the system.”
So, how can the likelihood of a ransomware attack be lessened? One of the primary methods to accomplish this is to ensure that antivirus software is installed and that all endpoints are up-to-date and protected. Antivirus programs with endpoint protection can check for ransomware attempts and allow the IT security staff to monitor attacks and reduce the ability of the attack to spread throughout the system.
Another key element in reducing ransomware attacks is to ensure that all patches have been implemented and are current. A good patch management system regularly implements hardware and software security updates from manufacturers and can help reduce the risk of the most common third-party software products, such as Java and Adobe Flash, being exploited.
Along with ensuring that antivirus programs and software security patches are up-to-date, districts can also scan and filter content on email servers. In doing so, they can check for known threats and block emails with attachments that may be a threat. The majority of ransomware attacks happen because users unwittingly open an infected email or click on an infected attachment. Spam filters handle many of the suspicious emails and prevent them from arriving in a user’s inbox; incoming emails and attachments will be scanned for potential known threats and those that don’t pass the test will be locked up.
Unfortunately, even with the implementation of necessary software protocols to reduce cyber threats, attacks can still occur. The best defense is educating all users, including teachers, administrators, support staff, and students, on safe internet practices; all district staff should be taught the “think before you click” mentality. Schools can provide such education through formal policies and procedures manuals, and through specific training. Both NYSSBA and NYSASBO have sample acceptable-use policies that districts can use to define the types of activities that are permitted and the repercussions for not complying with the defined usage. Districts can provide cybersecurity awareness training as part of professional development for teachers and staff and can integrate the training as part of computer technology education for students. Training can also be obtained by educators for free through the National Initiative for Cybersecurity Careers and Studies (NICCS), which is an online resource and training site managed by the Department of Homeland Security – www.niccs.us-cert.gov. In addition, the National Initiative for Cybersecurity Education (NICE), a program of the National Institute of Standards and Technology in the Department of Commerce, has instructional information and materials for teachers – www.bit.ly/2rW3khC.
The lesson here is that ransomware and cybersecurity attacks are not going away. If anything, the attacks will be more sophisticated. Being proactive by implementing preventative IT security measures, along with regular and effective training for all employees and students, can help protect the school’s data and lower the chances of getting hacked.
This article was also featured in our newsletter The Lesson Plan Vol. 19
Shari Diamond, CIA
Partner
Shari has been with Cerini & Associates, LLP since 2008, where she works primarily with the firm’s school district clients providing internal audit and claims audit services. She has over twenty years’ experience performing internal audits, risk assessments, and compliance reviews, as well as recommending processes to strengthen the internal controls environment while increasing efficiencies. Her prior experience at PwC and Northrop Grumman included performing Information Technology audits.