An email account belonging to an admission office staff member was accessed by hackers. Within the account the hackers identified applicants on the school’s wait list. The hackers then emailed those families a fake acceptance letter along with a phony link to pay a “deposit.”
A head of school was tricked into giving out his account username and password. Once in the account, the hackers watched the ebb and flow of emails for several weeks before acting. Impersonating the head and sending emails from his actual account, the thieves emailed the school’s bank and set up a fictitious account and then started to transfer money from the school to this new account.
A spreadsheet with students’ sensitive medical information was mistakenly sent to parents. The spreadsheet initially was sent to teachers by the school nurse. One faculty member, however, then forwarded it to families asking them to update their students’ information. Within hours of the email being sent to families, the school was sued by an anonymous parent. As the school year started, the email accident and lawsuit made the local newspaper.
Over the past two years, the Association of Technology Leaders of Independent Schools (ATLIS) has conducted four surveys of independent schools and its annual member survey, and found that more than half of respondents had suffered some sort of damage from a cyberattack. The most recent data reveals that 60 percent of schools said they had suffered an email attack, 40 percent had their email systems wrongfully accessed, 27 percent fell prey to a ransomware attack, and 7 percent reported that their networks had been breached. “What concerns me even more than the number of incidents,” says Sarah Hanawald, executive director of ATLIS, “is the schools that tell me they have no problem. Too often, this means that they have no way of detecting attacks until the ransom note appears.”
Schools and Leaders as Targets
One of the things that surprises school leaders most often when I talk about this topic is that scam artists around the world know who you are and what you do at your school. They research your leadership teams by looking at your website and scouring social media sites to learn about your friends and the way you communicate. According to Bob Olsen, director of information security at Navigant, a global consulting firm based in Chicago, “Social media accounts provide a wealth of information that can be used to draft compelling and highly successful phishing emails.”Once scammers have a dossier on you, they typically try to exploit it through email. The most common attack is to send you and your school leaders a phishing email that tries to trick you into giving them your account name and password. If they’re successful in getting into your account, they will observe the flow of information and figure out a way to use it to steal from you—and they can be extremely patient and resourceful in doing so. “This type of attack is common and one that hackers use to target organizations that they believe are likely to have only minimal security controls in place,” Olsen says.
If they can’t get into your email, they may try to create a fake email account disguised to look like you and then send messages from it. These attacks are most commonly referred to as a “business compromise email.” Hackers are very adept at pulling psychological levers to create a sense of urgency and pressure.
Immediate Action
According to the 2017 Verizon Data Breach Investigation report, more than 80 percent of cyberattacks involve the use of email. Fortunately, there is a simple and straightforward way to stop many of these email attacks: two-factor authentication. Two factor authentication frequently takes the form of receiving a special code via text message when someone logs into an account with a username and password. “Two-factor authentication is one of the most effective security controls that an organization can implement,” Olsen says. “We helped clients address more than 600 cybersecurity incidents last year, more than half of which would have likely been prevented with two-factor authentication.”Independent schools need to use this control more widely. Anyone at a school who sends, receives, or stores sensitive or protected information in their Google or Microsoft 365 email account (which includes most faculty and staff members) should be required to use two-factor authentication. Unfortunately, only 20 percent of schools meet that standard, according to ATLIS survey data. The data also suggest that an additional 30 percent have enabled it only for some users, and an alarming 50 percent of schools don’t use this safeguard at all. If you are among those not using it, you should call your tech director to configure it right now.
Assemble the Right Players
Once you’ve taken action, at least initially, by protecting your school with two-factor authentication, the next step is to form a standing committee for cybersecurity. Its core members should include three to five people, depending on the size of your school, with representatives from risk management, from the group of people who regularly access and use sensitive data, and of course, from the tech department.While cybersecurity measures require a great deal of technical configuration and expertise, actually setting and guiding a strategy has more to do with risk management activities than it does with technology. That’s why it’s crucial to have someone on the core team who is knowledgeable about and has experience with insurance, liability around school travel, and human resource policies and procedures, as well as with determining policies and procedures for the physical security on campus.
It’s also critical to have representation from those who handle sensitive information regularly so they can share insights into how that data is being used and stored. (See “Five Types of Protected Data,” below, for guidelines about what constitutes sensitive data.) These representatives—usually people who work in the development, admission, health, and human resources offices—can represent the views of those who may be impacted by new policies and training programs.
It might be natural to assume that tech department heads are the best people to lead this type of core group, but depending on the role and previous experience, they may not be the best choice. If their background includes working as part of a school leadership team, if they’re knowledgeable about cybersecurity and/or risk management, and if they have experience leading projects across different offices and divisions, they are probably well-suited for the role. However, if a tech leader has a narrow focus on technical operations, isn’t part of the leadership team, or is new to working in schools, it may be better to choose someone with a broader school perspective and more experience with risk management.
Once this core team has been established, create a secondary group that includes someone from the head’s office or school leadership team, the school’s legal counsel, and a representative from the board or a relevant board subcommittee to join this core group periodically and for important decisions.
Mitigation Strategies
The core team’s first order of business should be to assess the school’s threat level. Start by consulting the ATLIS Cyber Threat Assessment, a biannual list of the top threats currently facing independent schools, compiled by the ATLIS Cybersecurity Advisory Panel, which includes representatives from members schools, staff, and cybersecurity professionals. The threats on the most recent list, updated in February 2018, include email inboxes, employee mistakes, out-of-date software, and unencrypted drives, to name a few.The core group should also review ATLIS Cyber Security Recommendations and ensure that all members have at least a basic understanding of the terms and concepts. Similarly, the core team should understand the school’s previous history with cybersecurity incidents and determine whether the school’s current cyber-risk is high, medium, or low. You can do this by assessing the school’s current practice against ATLIS’s recommendations. A quick way to develop this baseline assessment is to score each recommendation on a scale from 0–3, with 0 meaning no work has been done on the recommendation, 1 meaning some initial work has been completed, 2 meaning solid work has been done but the item is not yet completed, and 3 meaning the recommendation has been thoroughly addressed.
Once the core team has developed a baseline understanding and assessment of cybersecurity at your school, have the secondary group join for a discussion that explores these questions:
- Given our school’s general risk tolerance and specific exposure to cyberthreats, what is the right level of cybersecurity for us?
- Where are the biggest gaps right now between our desired level and our current state of cybersecurity readiness?
- What is involved with closing those gaps? Who, how, and when will we close these gaps?