Superintendent Donna Wright recalls last year when one of her financial team members at Wilson County Schools in Tennessee opened an e-mail. It looked like yet another request for payment to a construction firm building schools in the booming school district.
But then the staff member noticed the signature.
“It looked very authentic,” said Wright during an AASA conference panel on Thursday in San Diego. “But she noticed that the person asking for this had died a year or two before.”
While cyberattacks on major retailers and financial firms grab headlines, they are not the only victims. Hackers now zero in on small publicly funded organizations, from utilities to school districts, targeting them with ransomware — attacks that enable them to steal computerized data and demand a ransom to relinquish it. Others manipulate district e-mails to “phish” and prompt the recipients — often staff or administrators — to trick them into clicking on a link that enables them access data.
Wright said of school districts, big and small: “We’re a gold mine” of data.” From financial information to private student information, including social security numbers, school districts in this day and age must maintain records and other information electronically.
Because of that, she said, “data backup is our responsibility.”
Wright was among a panel of experts who spoke to a group of 50 attendees. The panel included two other superintendents—Juan Cabrera of El Paso Independent School District in Texas and Michelle Murphy of Rim of the World Unified School District in California—and Keith Krueger, CEO of the Consortium for School Networking.
Cabrera said that even though he worked in the tech industry for years before becoming a school district administrator, cybersecurity was not even close to his top 10 concerns. But it moved up quickly on the list five years ago when several employees fell for a phishing e-mail. With a few clicks, the employees unwittingly gave the hackers access to the district’s payroll information.
“This is sort of the organized crime of the 21st Century,” Cabrera said. “It’s truly a global enterprise. I don’t ever see hacking going away. We are part of the problem as we start to get over-connected and interconnected.”
Cabrera said the security risk rises as the world becomes increasingly linked via the “internet of things” — an all-encompassing network linking devices like smartphones and computers, even cars and appliances to softwares, data storage clouds and apps.
But threats to cybersecurity do not just come from hackers. Superintendents on the panel recognized that sometimes cybersecurity matters are internal, as students may use district-issued laptops or tablets but do not recognize spam or phishing e-mails.
Murphy said that one key to preventing a cybersecurity problem is to train everyone in the district—from staff to teachers, administrators and students.
“It’s not a question of ‘if’ but when,” Cabrera said.
(Emily Gersema is assistant director of media relations at University of Southern California.)