Cybersecurity – Schools Continue to be a Primary Target of Cyber Criminals
By Matt Komac, MSGIA Assistant Director for Property & Liability Pool Operations
Cyberattacks against schools in the United States continue to be a common headline in the news. One such story involved the recent report that when the Minneapolis Public Schools refused to pay a $1,000,000 ransom, over 300,000 files were dumped online, including medical records, discrimination complaints, social security numbers, and other personal student and staff information. Due to the sensitive data stored and the lack of funding directed towards cybersecurity, the FBI reports that schools are now the most popular target of ransomware attacks.
Not only are cyberattacks potentially catastrophic, but they are also dynamic due to the constantly evolving tactics used to target network systems. Thus, it is more important than ever to have district IT experts constantly working to strengthen network security and to have all staff trained for cybersecurity-related problems so that they are equipped to assist in this effort. Below are some timely approaches and field-tested techniques that school districts can employ to help keep data secure.
- Know where PII (Personally Identifiable Information) and PHI (Private Health Information) are kept on computers and network servers. Personal information is defined in MCA 30-14-1704.
- Keep only data required in these two areas and be certain to delete the rest, as it can quickly become a liability for your district if there is a data loss through unauthorized access in a data breach.
- Segment your computer network, if possible, to keep IEP, PII, and PHI records in a part of the network not connected to the internet.
- Require Multi-Factor Authentication (MFA) for those employees accessing your network and email server remotely.
- Apply all software patches as soon as they are available. Patches come out to fix problems in software that can be exploited by bad actors. Using an automated distribution system for patches helps speed up compliance.
- Require strong passwords that can be changed on a periodic basis – remember, longer passwords are stronger passwords.
- Have your IT director or contract vendor maintain good network logs. Also, instruct them to watch for unusual activity on your network, such as log-in attempts at unusual times of day or days of the week. The district’s surveillance system should identify multiple unsuccessful login attempts resulting in access being denied.
- Because phishing is the number one cause of data breaches, staff should be trained on phishing scams, which should be followed by live tests to gauge understanding and compliance. These trainings help ensure that staff resist that urge to “click” on that shiny penny link in an email.
- Conduct periodic penetration testing for your district’s computer network. Although hiring a “white hacker” group to test your system for vulnerabilities can cost a couple of thousand dollars, it can also provide very valuable information that helps your team identify and address weaknesses in your district’s digital security platform and, in the process, minimize the potential for a much larger cost with a cyberattack.
- If your district utilizes cloud-based services that track student information and/or the school finance systems, consider contract language that asks for indemnification from the cloud provider if the cloud suffers a data breach resulting in litigation due to an individual’s loss of information, along with additional language stipulating that the cloud service provider’s cybersecurity policy covers those actions. Although the service provider may push back against agreeing to such clauses, it is in your best interest, and thus the district’s, to insist on them.
- Network backups need to be maintained and tested regularly. It is important to determine the benefits of having a backup system that is not permanently connected to the network. This is because having built-in breakpoints allows the district to restore to backups if data or devices are corrupted from unauthorized access.
- Block known malicious IP addresses/countries, unless whitelisted for specific school district needs.
- To assist in preparing for and responding to events that can occur in this critical area, be sure to review your cyber insurance coverage with your insurance provider and utilize any available risk management resources.
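The log-monitoring item in the list above (log-ins at unusual times, multiple unsuccessful attempts) can be expressed as a simple check over authentication records. The following Python script is an added example, not part of the original article or any MSGIA tooling; the log format, the sample records, and the working-hours and failure thresholds are constructed assumptions to adapt to a district's own systems.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real district logs):
# ISO timestamp, account, source address, result
SAMPLE_LOG = """\
2024-03-04T08:15:02 jdoe 10.0.4.21 SUCCESS
2024-03-04T09:01:10 asmith 10.0.4.30 FAILURE
2024-03-04T09:01:40 asmith 10.0.4.30 SUCCESS
2024-03-05T02:47:11 bnguyen 203.0.113.50 SUCCESS
2024-03-06T10:00:01 mlee 198.51.100.7 FAILURE
2024-03-06T10:00:20 mlee 198.51.100.7 FAILURE
2024-03-06T10:00:41 mlee 198.51.100.7 FAILURE
2024-03-06T10:01:05 mlee 198.51.100.7 FAILURE
2024-03-06T10:01:30 mlee 198.51.100.7 FAILURE
2024-03-09T14:30:00 jdoe 10.0.4.21 SUCCESS
"""

# Assumed policy values; set these from the district's actual schedule.
WORK_DAYS = {0, 1, 2, 3, 4}            # Monday through Friday
WORK_START, WORK_END = 6, 19           # normal log-ins fall in 06:00-18:59
MAX_FAILURES, WINDOW = 5, timedelta(minutes=10)

def parse(text):
    """Yield (time, user, ip, result) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("SUCCESS", "FAILURE"):
            continue
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield (when, *parts[1:])

def find_alerts(text):
    """Return (kind, user, ip, timestamp) alerts in chronological order."""
    alerts, failures = [], defaultdict(list)
    for when, user, ip, result in sorted(parse(text)):
        if result == "SUCCESS":
            in_hours = when.weekday() in WORK_DAYS and WORK_START <= when.hour < WORK_END
            if not in_hours:
                alerts.append(("off_hours_login", user, ip, when.isoformat()))
        else:
            # Keep only this account's failures inside the sliding window.
            failures[user] = [t for t in failures[user] if when - t <= WINDOW] + [when]
            if len(failures[user]) == MAX_FAILURES:
                alerts.append(("repeated_failures", user, ip, when.isoformat()))
    return alerts

if __name__ == "__main__":
    print(*find_alerts(SAMPLE_LOG), sep="\n")
```

On the sample data this reports the 02:47 weekday log-in, the burst of five failures for one account, and the Saturday log-in, while the single mistyped password is ignored.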
Cybersecurity continues to be a risk-management focus of the MSGIA, and we are excited to announce our partnership with Lodestone, a global cybersecurity firm committed to helping clients prevent and investigate security incidents. If you are a member of MSGIA’s Property & Liability program, you will be hearing more from us about enhanced services, including a statewide Phishing Campaign Assessment, Attack Surface Monitoring, and Security Awareness Training. Also, check out the IT security trainings available to all our members on the Safe Schools training platform. As always, we are here to assist you!