Schools can reduce the fallout of hackers’ cyberattacks by developing a two-prong plan that prevents their assaults and outlines what to do when information is stolen, concluded the main speaker at a recent IT cybersecurity workshop at the Kent Career Tech Center.
“In recent years, school districts have been the target of sophisticated cyberattacks,” said Barb Hiemstra, Kent County’s information security director. “The attempts by hackers are criminal. They’re often looking for information they can sell.”
Hiemstra, who also serves on the West Michigan Cyber Security Consortium, spoke to about 40 information technology staff members from public and private schools.
For example, she said, hackers who can get access to someone’s health insurance information could sell that information to someone else to use for their own medical services. “(So) I can have services done which will disrupt your health record,” she said.
Other times hackers simply want to demonstrate to school administrators that their computer networks are vulnerable, or want to vandalize schools’ websites and post bogus information on them, Hiemstra said.
Whatever the reasons, nationwide education represented 10.7 percent of hacker targets in September of this year, according to hackmageddon.com, ranking third in 21 categories, behind only industry and government sites.
Resources to thwart cyberattacks include:
- Center for Internet Security Inc. is provided free to schools and identifies, develops and sustains best practices for cybersecurity, as well as provides security solutions to prevent and respond to cyberattacks.
- Merit Network is not free, but it offers services in cybersecurity education, helps manage unauthorized access to computer systems (firewalls) and measures security risks.
- National Institute of Standards and Technology detects computer system anomalies that in turn determine hackers’ attempts to break in. Its “framework core” has five parts: assessing the risks for being hacked; procedures for protecting information; detecting anomalies and continuous monitoring; knowing how to respond if a cyberattack happens; and developing a recovery plan.
- School administrators must make risk-based decisions. This involves prioritizing data that’s important or regulated; confirming on a regular basis that it’s protected; staying current on new risks; and regularly reviewing a checklist of tasks.
On the Horizon
“You need to either protect it or accept the risk,” Hiemstra said.
When it comes to cybersecurity, schools can never afford to be at rest, said Tim Peraino, Kent ISD’s director of facilities and purchasing.
He anticipates hosting another session in January during which participants will work their way through a fake cyberattack and its aftermath.
“This was the first step,” he said.