Cybersecurity – Risk Management Best Practices for Montana Public Schools

By Matt Komac, MSGIA Assistant Director for Property & Liability Pool Operations

As I am sure you have seen in the news, cyberattacks are becoming increasingly prevalent in all sectors of society, and, not surprisingly, public school districts are not immune to this unwelcome trend.  In fact, the FBI recently reported that schools are now the most popular targets of ransomware attacks.  As a case in point, the Colonial Pipeline ransomware attack that occurred this spring underscores not only how vulnerable an entity can be when access to an IT system is compromised but how costly these incidences are.  This particular attack resulted in a $4.4 million payday to the responsible criminal gang known as Darkside.  Due to the lack of funding and cyber security training, schools like ours in Montana are vulnerable to ransomware attacks because they hold sensitive data that entities like Darkside deem to be valuable.   

I know many of you have already spent considerable time and effort analyzing the sensitive data that you have on your systems, and I likewise appreciate that you have sought to determine the best methods to protect that information from unauthorized disclosure. But, as you would expect in such a dynamic and potentially dangerous environment, there is frequent change and thus always room for further adaptation and ongoing improvement. 

I have outlined below relevant approaches and field-tested techniques that school districts can employ to evaluate data-gathering strategies and to aid them to determine if that data is, in fact, safely stored in their system. 

  • Know where you keep PII (Personally Identifiable Information) and PHI (Private Health Information) on your computers and network servers. Personal information is defined in MCA 30-14-1704.
    • Only keep data required in these two areas, and be certain to delete the rest, as it quickly can become a liability for your district if there is a loss of that data through unauthorized access in a data breach.
    • Segment your computer network if possible to keep IEP, health, and PII records in a part of the network not connected to the internet.
  • Apply all software patches when they come out. Patches come out to fix problems in software that can be exploited by bad actors.  Having an automated distribution system for patches can help increase the speed and compliance with this recommendation.
  • Require strong passwords that can be changed on a periodic basis – remember, longer passwords are stronger passwords.
  • Have your internal IT director or contract vendor maintain good network logs; and, as part of this effort, instruct them to be attentive for unusual activity on your network, such as log-in attempts at unusual times of day or days of the week. The district’s surveillance system should identify multiple unsuccessful login attempts resulting in access being denied when a certain number has occurred.
  • Because phishing is the number one cause of data breaches, staff should be trained on phishing scams followed by a live test to gauge understanding and compliance. The goal of these trainings is to help ensure staff resists that urge to “click” on that shiny penny link in an email. 
  • Conduct periodic penetration testing for your district’s computer network. Although hiring a “white hacker” group to test your system for vulnerabilities can cost a couple of thousand dollars, it can also provide very valuable information and thus help your team address improvements in your district’s digital security platform.
  • If your district utilizes cloud-based services that track student information and/or the school finance systems, then consider contract language that does the following:
  • Asks for indemnification from the cloud provider if the cloud suffers a data breach resulting in litigation due to an individual’s loss of information; and,
  • Includes additional language stipulating that the cloud service provider’s cyber security policy covers those actions.
  • Though the service provider may not agree to such clauses, remember that negotiating these important points in a contract is in the district’s best interest.
  • Because network backups need to be maintained and tested regularly, you should determine the benefits of having a backup system not permanently connected to the network. Having built-in breakpoints allows the district to restore to backups if data or devices are corrupted from unauthorized access.
  • Block known malicious IP addresses/countries unless whitelisted for specific school district needs.
  • To assist in preparing for and responding to events that can occur in this critical area, be sure to review your cyber-insurance coverage with your insurance provider and utilize any risk management resources that may be available.

Cybersecurity has been a continued risk management focus of MSGIA’s, and the ideas presented above are just a few key areas of focus. Please be aware that if you are a member of MSGIA’s Property & Liability program, you have access to additional cyber risk management resources, including a 28-question network security survey developed by the Center for Internet Security.  We are here to help, so please reach out to us with any questions you may have.  

Return to newsletter