State education officials explain cybersecurity efforts

Jun. 30—Nationwide, institutions with large databases such as hospitals, energy companies and schools are falling victim to cyber attacks by hackers who hold hostage critical data to extract large sums of money.

At the beginning of June, a ransomware attack on the internet servers of Des Moines Area Community Colleges prompted in-person summer classes to be shut down for about a week, and online classes were down for two weeks.

Iowa's education officials say there are many steps that can be taken to prevent such attacks from happening, and alleviate potential damage when they do.

Lisa Bartusek, executive director of the Iowa Association of School Boards, said K-12 schools are especially lucrative targets for cybercriminals.

"Experts say that schools have something that hackers very much value and that's the Social Security numbers of students who are young and don't have credit history," she said.

She recommended insurance to reduce liability in these types of hacks.

"In the bad event you do get hacked, you have insurance coverage, much as school districts insure against other losses. Cybersecurity insurance would be a reasonable mitigation strategy," Bartusek said.

Such coverage proved useful for DMACC recently.

"As we've seen in the DMACC example, the insurance company really engaged during the incident to mitigate damage, and that was very helpful," said Emily Shields, executive director of the Iowa Association of Community College Trustees.

She said most of the state's community colleges have been proactive regarding cybersecurity.

"Even before those things, it was something really on the radar for all of our colleges," Shields said. "Most of our campuses have also engaged cybersecurity experts at other times to help them put in place preventative measures and provide training to staff, faculty and students. So we've really taken a lot of preventative steps. We will also be working to learn from DMACC's experience about what further steps we could take to prevent something like what happened to them happening in other places."

David Fringer is the executive director of information technology for the Green Hills Area Education Association, which supports 45 school districts in Southwest Iowa.

"There's some things that we recommend folks do and one of them is to do a security audit," he said, adding that the AEA and state government offer resources to perform security audits. "We audited 24 of the 45 districts this year and all 24 were compliant with insurance coverage."

Fringer said schools should outsource server hosting of nutrition management, library, financial and other databases to their vendors whenever possible.

"If the vendor offers hosting, they run the servers, they do the backup. They're responsible for data breaches, data security, that kind of thing. We encourage school districts to do that. And the vast majority of Southwest Iowa schools now have a hosted model for all other applications. And that really helps shift the liability away from a local school district and puts it onto an organization that has more resources to provide a better cybersecurity fence," Fringer said.

He also said that extensive password protection measures are essential.

"Then at the local level the thing we recommend is that anything that's password-protected, whether it's the student information system, email or whatever, that they enforce something called multi-factor authentication," Fringer said.

Multi-factor authentication is a protection commonly used by mobile banking institutions and social media platforms. They send users an email or text message with a security code to verify their identities before allowing them to log in.

"That little extra piece seems like a hassle but it's really protecting you from others who may need access to your password because they won't have access to both your password and your phone, or both your password and whatever device you're using to authenticate," Fringer said. "That's probably the most basic and most important thing we ask folks to do."

He said firewalls are important too.

"Network firewalls, that's the actual physical appliance that's in place to deter against or prevent intrusions, making sure that the software and firmware are up to date on those and that whoever's managing that firewall is trained and skilled in doing so," he said.

He said some smaller districts have difficulty sufficiently staffing technology professionals.

"Sometimes small school districts have to be creative in either sharing someone, or employing a third-party service to do the more sophisticated work. Between having a person on staff, which many school districts do, having a qualified third-party provider or working with the AEA, that helps to add some expertise. So I'm not sure if it's a shortage of resources, but it's more or less where the resources are located," Fringer said. "I think in rural Iowa it's harder to recruit and retain highly skilled people like that, who typically work in urban areas."

One simple way to avoid hacks is avoiding suspicious content. Roger Vicker, owner of Vicker Programming Services in Creston, said it's important for users to be cautious about what links they click on in emails and search results.

"For example, GoDaddy.com is a popular domain hosting site. Hackers have a site called GpDaddy.com to fake people out," Vicker said.

He said backing up documents and data in case of a hack is crucial.