Several school districts in the country have recently fallen victim to cyber attacks in which student data has been stolen by hackers. The hackers then threaten to make the information public unless the school districts pay up.
The director of technology for Sandwich schools wants to be proactive with network security so that the Sandwich district does not fall prey to these hackers.
Bryce Harper described the attacks against school districts as ransomware attacks. In a school, the information a hacker could steal includes private information about students. While some of that information could be fairly innocuous, such as a students’ grades, the information could also include private files from a social worker or guidance counselor.
Additionally, parents and guardians of some children may not want certain people to even know where their child goes to school, such as in the case of an estranged family member who might be a danger to the child. In those cases, even identifying which school a child goes to is a risk.
At the Sandwich School Committee’s meeting on November 7, Mr. Harper showed board members newspaper articles about two districts that have had to pay hackers in order to protect their information.
In Leominster, the school district recently had to pay $10,000 to hackers, and in Atlanta, Georgia, the district had to pay $2.6 million.
“A lot of small, public entities have been targeted,” he said. “Hackers assume that they’re underfunded and not prepared.”
He said that one of the ways that he wants to help prevent these types of attacks is to strengthen the district’s wireless Internet security by restricting the access that people have to the network.
Currently, the Internet in the schools is accessible to anyone who knows the password. The problem with this is that it makes the network vulnerable and can cause problems with too many people being connected to the network at once.
Mr. Harper said that on average, 42 percent of the devices connected to the school network are cellphones.
He said that while he knows that some teachers are using their phones as part of the teaching process, not all of those connected devices are being used for education of students.
When a device connects with a network, the network then connects the device with the Internet.
While having so many devices connected does not slow down the speed of the user’s Internet connection, it does make it difficult to maintain the ability to connect to the school’s network quickly or reliably.
If devices cannot connect reliably to the network, the network will not be able to connect those devices to the Internet.
Additionally, he said that while he does not believe that anyone in the district necessarily has the intention of attacking the network or holding student information for ransom, all it would take is for someone to bring in their own out-of-date and virus-infected device to the school and connect it to the network.
“That one machine could attack all of the machines on the network,” he said.
He said that since old versions of Windows are no longer kept up-to-date by Microsoft, a lot of known vulnerabilities are not being fixed.
“A machine like that is much more vulnerable to attack,” he said. “That is especially an issue when brought inside our network and behind our defenses, so to speak.”
Outside of training staff and students on how to protect their devices by keeping everything updated, one option that he discussed at the committee’s November 7 meeting would be to create different ways to access the network.
For example, staff members would have individual passwords to connect to their own network. The staff network would have full access to the district’s Internet access, at the highest available speeds. Students using devices provided by the district, like Chromebooks, would have similar access.
A third level of access would be provided to the general public. This would include visitors to the building who may still need access to the Internet but may not need to connect with other devices on the network.
However, Mr. Harper said that he was not sure which tier the cellphones would belong to—possibly in the public network, but doing so would put a lot of strain on that particular network. He said that he is not proposing banning those devices; he just has not decided on exactly how to handle them.
“I’m not trying to block everyone out for the sake of blocking everyone out,” he said.
Mr. Harper said that shutting off access to the Internet for cellphones is not necessarily a popular idea but—especially given that MCAS testing is now done completely online—it may be necessary. He has not made any formal decisions and welcomes input from the community.
Off the network, Mr. Harper said that the district is also facing a problem in which the devices given to students are aging and are frequently in need of replacement. He said that a Chromebook typically lasts about three to four years. Replacing them is expected to cost about half of his budget.
Using that much money out of his budget means that other technology needs can not be addressed adequately—the phone system needs updating; classrooms need updates to their audio and visual equipment; and online cloud resources need attention, too.
He suggested two options—that parents may need to purchase the devices that are used in the classrooms or that parents may need to pay a fee so that their children can use devices that are provided by the school. Mr. Harper said that he knew neither option is particularly palatable.
“I have not come up with a solution yet that would work and that would not make anyone mad,” he said. “I don’t want people to feel extra taxed, but if we’re going to keep increasing our technology, it needs to be funded.”
The board did not make any decisions about these two issues at the meeting, but Mr. Harper asked that they keep these needs in mind as they approach budget season.
Dr. Gould said that a workshop would be planned in the future so that members of the community can be involved in the discussion about these matters.