- To protect sensitive data during cyberattacks, district leaders could adopt stricter approaches to verifying vendor and employee identities for payment transactions, school business officers were told at their annual conference last week.
- School systems are a "virtual buffet of data" given all the personal records and financial information they store, Karen Smith, CFO of Cypress-Fairbanks Independent School District near Houston, said during an Oct. 19 session at the Association of School Business Officials annual conference just outside Washington, D.C.
- While it may be impossible to stop all data breaches due to the sophistication of bad actors, Smith said, there are important steps districts can take in handling digital information to make it much more difficult for data to be compromised.
Over the last five years, global ransomware attacks against K-12 and higher education institutions — breaching more than 6.7 million personal records — were estimated to cost over $53 billion in downtime, according to Comparitech, a cybersecurity and online privacy product review website. Comparitech researched 561 attacks between 2018 and mid-September 2023.
And per a July report by U.K.-based cybersecurity firm Sophos, 47% of surveyed public and private K-12 institutions worldwide hit by a ransomware attack ultimately paid to recover their stolen data.
In one scam Smith shared, a district received what looked like an official letter from a vendor construction company requesting a change in how to wire payment. In another fraudulent attempt to steal information, an email to a district finance office from the supposed "superintendent" asked for employees' W2 information.
"Our fraudsters are getting smarter and smarter," Smith said. "You put procedures in place. You think you've corrected something, and then you really need to start changing that technology."
Smith said districts should be on high alert for bogus requests — through email or other means — to change payment wiring instructions or for information about employee direct deposits. There should also be multiple steps to verify that requests are legitimate, Smith added
A district should ask several questions of anyone requesting a change in payment process, Smith said.
If the request comes from a teacher, for instance, the finance or IT office can ask the teacher where and what they teach, as well as other verification questions that only the district would know. Districts could also require that requests for payment changes be made in person and with one or more forms of identification.
Smith further recommended that district leaders pay attention to any technology that links to a district's network. Even copiers and security cameras can be used as gateways into sensitive district data if not properly password protected, Smith said.
Another helpful in-house data security approach Smith recommended is to add tags to emails alerting that the message originated from outside the school district and advising caution in opening links.
People who work in education "tend to be helpful and sometimes don't realize that that person on the other end of a phone call or that person on an email maybe is not a good person," Smith said.