The Grinch is looking better every day. He only stole Christmas! Shortly before the new year, hackers stole from the San Diego Unified School District ten years’ worth of records containing personally identifying information on 500,000 students and staff. Board members need expert training to comply with a sufficiently defensive technology policy.
The incident marks one of the all-time largest data breaches of a school district.
According to ZDNet, the hacker had access to the district’s network over a 10-month period commencing November 1, 2018. In that time he grabbed data on students and staff going back ten years, to the 2008-2009 academic year.
The extent of the damage is almost unfathomable. The Washington Post reports that “[t]he data file contained information on students dating back to the 2008-09 school year, or more than 500,000 individuals. … Additionally, some 50 district employees had their log-in credentials compromised…” The stolen data included all of the following:
How on earth?
What could possibly account for the theft of so much critical data? According to ZDNet, “[t]he breach occurred because the attacker gained access to staff credentials via a tactic known as phishing -- sending authentic-looking emails that redirect users to fake login pages where attackers collect login credentials.” A single email that tricks one recipient can thereby give phishers access to the entire contents of a data network.
Alert employees finally brought the heist to a close. Some of them did not click on the phishing emails and instead reported to IT that the messages looked suspicious. That prompted IT to investigate further. In October, they discovered the breach and brought it to an end. If nobody had reported suspicious emails, the hackers could still be digging deeper in the databank for yet more confidential information. If more of the email recipients had recognized a spurious source, IT might have shut down the operation long before the cybercriminals collected half a million confidential records.
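Phishing of the kind described above succeeds because the link in the mail leads somewhere other than the district’s real login page, and it is stopped when recipients notice and report that. As an added illustration that is not part of the original article, the following Python script applies the same checks a trained recipient makes, to an HTML mail body: it flags links whose target sits outside the district’s domains, whose host embeds the district’s name inside a look-alike domain, or whose visible URL text names a different site than the real destination. The district domain and the sample mail are constructed placeholders, not the real district’s.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumed district domain: a constructed placeholder, not the real district's.
DISTRICT_DOMAINS = {"example-district.org"}
URL_TEXT = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)

# Constructed sample of a credential-phishing mail body, for demonstration only.
SAMPLE_MAIL = """<p>Your password expires today. Sign in at
<a href="http://example-district.org.login-portal.net/sso">https://sso.example-district.org</a>
to keep access. See also <a href="https://example-district.org/help">the help page</a>.</p>"""

class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a": self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None: self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def registered_domain(host):  # crude last-two-labels domain, fine for .org/.net hosts
    return ".".join(host.rstrip(".").split(".")[-2:])

def is_district_host(host):
    return any(host == d or host.endswith("." + d) for d in DISTRICT_DOMAINS)

def suspicious_links(html):
    """Return [(href, reasons)] for links a recipient should report rather than click."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host, reasons = host_of(href), []
        if not is_district_host(host):
            reasons.append("target host is outside the district's domains")
            if any(d in host for d in DISTRICT_DOMAINS):
                reasons.append("district name embedded in a look-alike host")
        if URL_TEXT.match(text) and registered_domain(host_of(text)) != registered_domain(host):
            reasons.append("visible link text names a different site than the real target")
        if reasons: findings.append((href, reasons))
    return findings
```

Run against the constructed sample, it reports only the first link, with all three reasons; the genuine help link passes.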
The moral of the story is that trained personnel are essential to system-wide protection. The leverage of proper training is multiplied significantly for board members. After all, their email addresses are often posted on the district website, and they often handle the most sensitive information in the district. Nonetheless, a 2017 nationwide NSBA survey of 482 school board members revealed that 67% of them sit on boards that require no cybersecurity-related training whatsoever, 26% of them have no idea whether their board requires such training (which means it probably does not), and only 12% of them receive mandatory cybersecurity training. To batten down the hatches, board members need frequent training by trained experts to comply with a firm technology policy.
Consulting the right people is key, as many districts rely on lower-level IT staff to handle computer questions on a one-off basis, in the absence of a deliberate policy or board training. Best practice is to have an IT/IS officer (1) establish a technology policy; (2) oversee board communications accordingly; and (3) train the board to comply with it as they go about their everyday board business.
Some board members think email from an address issued by the district on its network “feels safe.” They are tragically mistaken. Such an address entices phishers the most, as it promises a cornucopia of sensitive district information if the hacker can gain entry.
Despite the urgent need for such professional oversight, only 37% of NSBA survey respondents have an IT officer, IS officer, data security team, or Audit or Risk Committee monitoring board communication; 27% of respondents have such a professional monitoring the board’s compliance with district communication guidelines per se; and 17% know that they do not have such professionals monitoring those communications. A full 47% don’t know whether such experts monitor that compliance.
An executive-level IT expert (ideally the same one overseeing board communications) should routinely train the board, whether or not she actually sits on the board. (A growing number of districts have deemed information technology an essential skill set that should be consistently represented in one seat on the board.) The recognition that school boards need this level of professional in the game parallels the private-sector realization that technology must be treated as an enterprise-wide C-suite concern.
Extensive training must be built into the board’s routine. The NSBA survey revealed that 40% of school board members get such training only once in their tenure, while 60% get training once a year. Even an annual schedule is not enough. The best practice is to hold training four times a year – or twice, at a minimum. “Tabletop” exercises can reinforce the lessons.
The San Diego heist serves as a wake-up call. School boards need technological communication training by experts to comply with a district-wide technology policy.