Q: Kentucky seems to have done a good job thwarting these attempts.
DC: We were the first state to have high-speed internet access in every district; we did that back in the 1990s. Internet security has been on our radar for a long time. We’ve been at this longer than any other state.
BH: As we have implemented our state network over the past couple of decades, we’ve been forward thinking, looking at different vulnerabilities that were coming along. And we’ve put in place protections, such as antiviruses and firewalls. We’re doing what we can from a technical perspective, but we have to focus on people to make sure they are able to tell when someone’s trying to take advantage of them, because there’s an adage in cybersecurity: “Amateurs hack technology and professionals hack people.”
DC: We spend equal, if not more time, educating people. Where are the biggest vulnerabilities? It’s on the people side. It is like you can have all the locks you want on your front door but then you do things inside the home that make it easy for people to get to your things. The increase is not technological attacks. Instead, cybercriminals are sending something to try to get you to open documents and enter your credentials. The more targeted ones are mainly done through email.
Q: You say these attacks have become more targeted. How so?
BH: We first started seeing the old, “I’m a Nigerian prince with $10 million and if you send me $1,000 I’ll give you some of that.” We’ve migrated from that to crooks who examine the district’s makeup, learn things about the superintendent and finance officer, then send the finance officer, right around tax time, emails that look like they have come from the superintendent. The email might say, "Hey, I’m out on the golf course. I don’t have time to talk. Send me all the W-2 information while I’m out here." The IRS has seen that kind of phishing grow exponentially. In 2016-17, it was a 65 percent growth and 80 percent growth again over the past year. Fortunately, we haven’t had any districts fall for that. Kentucky State University did fall for it, and while I’m not trying to throw them under the bus, it is an example that it can happen anywhere. That’s why we push information out to the districts so much.
Q: What kinds of information?
BH: For example, when tax time rolls around, David and I send emails to superintendents, chief information officers (CIOs) and finance officers, making them aware that this threat is out there. We have the technical infrastructure to communicate quickly and tell them about phishing where specific people are targeted. We can usually react within the day to let all our contacts in the districts know that this is happening.
Q: Are there other ways you are educating your audience?
BH: We have an interactive, monthly webcast for CIOs and anyone else who wants to participate. We put up questions and they can respond and ask questions. Webcasts are recorded and can be referenced anytime.
Q: There’s also a team of engineers who work with the districts?
BH: Yes, since 1994, we have had our Kentucky Educational Technology Systems staff – engineers who each have a group of districts they communicate with. They can be at every district in their region within a couple hours. They bring the district issues to us, and then we do the same thing back through them. It’s a position that I don’t think exists in other states.
Q: What are some other tools that have been created for districts?
DC: We have a document called “It Can Happen to You, But Don’t Let It” that describes real cyber security problems that have happened. I’ve found that if you go from theory to real examples it is much more likely to get their attention.
BH: It is a living document so we constantly update it with new examples. We present it to our contacts. We talk from it whenever we meet with groups, such as at our annual meeting with CIOs. We have used it with superintendents and other groups.
Q: The digital driver’s license, an online course that teaches students and staff responsible and appropriate use of technology, is one way your office is educating the 700,000 people who use district internet systems. Are there others?
DC: Yes, Kentucky created the digital driver’s license. Another tool is a one pager we call “A Kentucky Educator’s Guide to Personal Information and Data Breach Awareness.” Teachers and staff can keep it handy in paper form by their desk or in electronic form.
BH: This year I’ve been collecting all the documents we provide and my goal is to put them in booklet form so it can be updated and available to anyone who wants it.
Q: How many security breaches are we seeing each year?
DC: By law, school districts must report any breaches, so we’re aware of those. We have an average of three to five breaches per year. Considering there are 4 billion attempted attacks, that is an incredibly low number. But any breach is a problem.
Q: Not all of these breaches are the result of cybercriminals breaking into our system, correct?
DC: Right. Breaches fall into two categories: targeted ones and self-inflicted. Self-inflicted are mistakes by someone within the organization – they accidentally send something to someone who shouldn’t see it or leave their laptop where someone can steal it. The person stealing it wasn’t after the data, but if the laptop has a lot of social security numbers stored on it, then that has to be reported as a breach.
Q: You make the point, too, that no one in Kentucky schools should have such data stored on a computer or device in the first place.
DC: Kentucky is the national leader in cloud-based computing, which means data is stored in the cloud in secure locations. So it doesn’t require you to have the data loaded on your laptop or thumb drive.
Q: Talk about the required cybersecurity update that school boards get from their CIOs each year.
DC: By law, no later than every August, each district’s CIO must educate their superintendent and board on the district’s cyber health. It is the opportunity to say, “Here are the things we’re doing well. Here are some of the vulnerabilities we have.”
Q: What do you hear most from district CIOs and tech leaders?
DC: “How can I get my superintendent to take this more seriously before something goes bad?” That’s one of the reasons I am traveling the state this year to talk about the heroic things that districts’ technology staff do on a daily basis, about the annual cyber health check and about the documents available to help educate users. We know that to build awareness, you have to approach cyber security from six or seven different angles.
Q: You’ve said that working on cybersecurity is a collaborative effort in Kentucky. How so?
DC: There’s team effort between the state education department and the districts that is not happening in other states. We have built a relationship with the districts over the last 25 or 26 years. So the solutions we offer are not ivory tower, but are developed with input from districts about what they need.
Q: KDE has implemented a healthy data diet, which means, in part, that the department evaluates what information it actually needs and avoids collecting data that isn’t necessary. What other problems do you see in data collection and storage?
DC: One of the biggest vulnerabilities is when people leave a district. You need to have a good process in your district for dealing with the information that the people who leave have on laptops, thumb drives or paper files. If you’re an organization that stores stuff for long periods of time, your probability of having stuff you no longer need is high. Take a look at all your paper files and thumb drives and anything else and say, “Someone prove to me that we really have to keep this.”
BH: There are retention schedules for most data, but what we find is those recommendations often aren’t followed because hard drive space is so cheap. You should look at your entire work area – your laptop, email, hard drive space and decide, do I really need to keep this data? The smaller amount of data you collect and keep, the smaller your attack surface. We want people to get rid of data they don’t need for their jobs. That will go a long way toward improving security.