RIGBY — Jefferson School District 251 director of technology Keith Scholes said combating the ever-growing rise of computer viruses and hacking of school data is a “never-ending battle.”
“There’s always anxiety in trying to keep ahead of (technology),” said Scholes, who has worked in the Jefferson School District for close to 35 years.
School districts are easy targets for viruses and malware due to their “innocence” and the public thinking school districts have “deep pockets,” Scholes added.
Ransomware attacks, which lock and encrypt victims’ computer data and then demand a ransom to restore access, are a growing concern in the education community. Other tactics used to gather personal information include scareware, software that imitates an antivirus in order to get a user to download malware, and “lockers,” which infect your operating system and lock you out of your computer.
There have been 355 cybersecurity-related incidents involving K-12 schools since January 2016 with 60 percent of K-12 schools hit in 2016 deciding to pay attackers in order to regain control of their data, according to Ed Tech Magazine.
There were at least 1,783 ransomware attacks reported in 2017, according to Norton, a computer security company.
And while Jefferson School District 251 has not been hit by a major virus or ransomware attack, according to Scholes and superintendent Chad Martin, other area school districts have not been as lucky.
Idaho Falls School District 91 was recently hit by a Trojan virus, affecting 13 users’ accounts, Matthew Toldero, a data privacy attorney of Mullen Law representing District 91, said in an email.
The Trojan virus was designed to spread and grab usernames, according to Kroll, a third-party, cybersecurity consulting firm hired by District 91 to investigate the attack. The virus initially hit District 91 in October, around the same time Bonneville Joint School District 93 was being attacked by phishing scams — emails that pretend to be from reputable sources and trick you into sending personal and account information.
In response to October’s cyberattack, District 91 “performed password resets on all affected accounts, increased account lockout rates, and reduced privileged account usage throughout the network,” according to a public records request.
“IFSD changed passwords across the entire environment and notified the entire staff in an abundance of caution,” Toldero said in an email.
Other school districts recently hit by major virus attacks include Teton, Blackfoot and Madison school districts, though schools’ cybersecurity is challenged almost daily.
Teton School District lost $784,000 in December due to a phishing scam — linking $484,000 to a bank in Texas — before recollecting the $484,000 in January. It is considered one of the biggest fraud cases in Idaho. Idaho Counties Risk Management Program said it will cover the $300,000 lost.
Blackfoot School District was also hit by ransomware in 2017. The district paid up to $3,000, according to East Idaho News. Madison School District 321 was hit with a ransomware virus in 2018, limiting employee’s ability to email.
“You try to do your best by fixing holes, fixing holes,” Scholes said. “It’s a constant.”
Costs and regulation
Protecting and securing school technology can cost school districts thousands.
Governor Brad Little budgeted $50,000 for “statewide cybersecurity training” for the 2020 fiscal year budget and called phishing the ”largest cybersecurity threat to the state.”
Sugar-Salem School District spends about $1,000 for its firewall alone, though the Idaho State Department of Education gives schools a “minimal” amount of money toward cybersecurity, Sugar-Salem director of technology Spencer Cook said.
The Idaho Technology Authority, created by the state government in 2013, provides “good online safety habits” and data breach checklists online. The “incident reporting” tab was unavailable as of Tuesday.
With limited overhead, Cook, who is District 6’s board chairman on the Idaho Education Technological Association, said the IETA tries to provide “basic guidelines” for school districts to follow and help improve appropriate ways to use technology in schools.
“The real threat is in lack of education and using technology appropriately,” Cook said. “We try to educate everyone on every issue, we try training and sending emails to staff and students to be aware of issues when we see them ... But the more transparent you are, the more vulnerable you become.”
How to keep online data safe
Caution is the best defense for cybersecurity, multiple school directors of technology have said, as there is not enough manpower to check every computer in a school district.
Sugar-Salem has a 1-to-1 student-to-computer ratio. But its ratio of computers-to-tech-support is 500-to-1, Cook said. The district previously used contractor SolarWinds for five years to help update and protect students’ computers.
Scholes said Jefferson County School District uses two programs, Sophos and EdgeWave, to help catch malware and viruses in emails and across electronic devices tied to the district.
EdgeWave can check and scan emails for malicious intent — and can delete the email in every folder in the district if malice intent was found by the program.
Of 87 emails flagged by the program, 60 had “malicious messages.”
Sophos is used to track which devices are on and updated in the district.
“It’s ongoing and something we always have to be on top of,” Martin said of the district’s cybersecurity. “We do a pretty good job, but we can’t just rest on that.”
Most school districts have firewalls and content filtering for students connecting to their servers.
District 93 uses Fortinet (single units of which are sold at about $500). Director of safe schools and technology Gordon Howard said school resources to combat internet viruses really boils down to taxpayer funds: the more money you put into security, the better the security your school district will have.
“Your resources are based on taxpayer’s resources,” Howard said. “(Hackers) know that, as education becomes a prime target.”
Most school districts consult when attacked by a computer virus, Howard said, with District 93 following basic guidelines set by the Center For Internet Security, which includes backing up its data in case of an attack.
But Howard said hackers are usually in your system for six to eight months, on average, before being detected. Howard said hackers will use that time to learn your habits and collect intel on your network.
“You’re never going to be 100 percent protected, ever,” Howard said.