K12 Tech Origins Series Ep. 5 Pt. 2: The Balancing Act of Cybersecurity in Schools

  • Zack

Hello, you’re listening to the K-12 tech podcast, bringing you insights into the world of education technology. Stay tuned as we discuss the past, the present, and most importantly, the future of technology in our schools.

Don, now cybersecurity.


  • Don

Here we go.


  • Zack

Yeah, the second one. So this is everywhere. Everyone’s talking about it. I know there’s a ton of stuff, funding hopefully coming from the federal government for this stuff, So I don’t even know where to start. Why don’t you? Can you just walk through a little bit? This is one thing I’ve learned, especially in technical areas. I think a lot of times people are afraid of what they like. I kind of understand, but it’s like. It’s like that question is like, Well, my friend might not understand. Can you just say he does understand technology?


  • Don

Explain it, help me explain it.


  • Zack

Yeah, yeah, yeah. It’s kind of like in the office where I was just like, explaining. It’s like, explain. It’s like a middle schooler is like, he starts, explains, like, explain to, like, a six-year-old, like, keeps going down. Can you just break down What is cybersecurity? As everyone knows, we’re not. We’re not trying to hurt anybody’s intelligence. And then why the rise? Maybe how A.I. plays into that. And then just kind of where it started, maybe transition over the last 15 years or the digital age.


  • Don

Right. So it used to be even back then. Well, the cybersecurity essentially for me, there’s a lot of boxes you can buy with blinking lights and all that kind of stuff. There’s some basic things you have to do, kind of there’s table stakes, which is having EDR, you know, something that will respond and detect anomalous, you know, activity on your devices. But beyond the table stakes, you really, really, really have to know what you have and what you want to protect. And that isn’t the decision solely of a tech leader. That’s, you know, those risk decisions essentially have to be carried out by the cabinet. So I can’t I can’t, you know, in my Crystal Palace in the corner say, okay, this, this, this, this and this is what we need to protect. And I want to spend this amount of money on it. I really have to identify the risks that we’ve got. And this is the foundation of cybersecurity, really what our risks are, how we’re exposed and what we want to do about it. Yeah.

So I can either treat the risk, you know, do something to mitigate it. I can transfer it by, you know, using an insurance company which, you know, isn’t going to be viable for much longer. I can change the business practices or what we do to eliminate the risk. Or I can just say I’m going to accept it, You know, like, well, Google’s a perfect example. And, you know, you know, people can share things everywhere and really you just have to work with people not to do that, but you accept the risk because how are you not going to, you know?


  • Zack

Yeah. So for you, I think what’s hard is like, in a perfect world, you have an unlimited budget, and there’s a perfect tool out there that you can buy that is curtailed perfectly to K-12. But obviously, that’s not the case. So what are conversations like for you with a superintendent of like, these are areas where we’re at risk. You’re talking about protection? And then essentially, too, because I. I’ll be honest, I’ve had a few conversations with tech directors who were like, they’re like, it’s not if it’s going to happen, it’s when. And, you know, and I know a lot of them are fearful of, like, I’m going to get blamed for this. You know, if things go, go, go south, you know. So what kind of encouragement do you have for conversations that should be had, that should be had with superintendents, The cabinets? Yeah, at the cabinet level with that. And what do you suggest? And, like for me, I think of like a risk first reward, like, okay, like if we don’t do this, this is likely what could happen.


  • Don

Right? Right. I think the worst practices are to really lead with threats like saying, okay, we’re exposed to this. So right now, for example, in this what I did my last district two is I’m doing a penetration test. So that’s that’s the first team or that’s the first thing is you get a good team at pen testing, and then yeah I like to do gray box tests where you know you give them some information but not all. You give them an account and see if they can elevate privileges or something like that. But so you do that. And then the second thing, obvi, you find where your technical vulnerabilities are, but you’ve also got other vulnerabilities. We were talking about incident response and how we need to have a playbook for incident response, not only for technology but for essentially anything a bus breaks down, a bus gets in an accident. What? Boom, boom, boom, boom. How do you respond to that? And, you know, have a playbook for those sorts of things. Similarly to have, you know, us having an incident response plan for technology. So it’s really identifying what your risks are. I’m having the company that’s doing our penetration test also do a risk assessment, and that involves, you know, talking to everybody. So I want to hear from teachers. I want to hear from building-level administrators. I want to hear from the central office. People want to hear from the Cabinet. I want to hear from all the stakeholders that I can so I can identify them.

You know, they can tell me their primary systems that they need. And, you know, I know them for the most part. But, you know, I want to get their perspective too. But then B, really kind of bring that together and say, okay, here’s our risks, and here’s how we can respond to them. And that’s, you know, that goes anywhere from, you know, phishing testing to, you know, extended, you know, detection response systems to social engineering. I mean, that’s that, you know, that’s really what according to Verizon’s threat report, I haven’t seen this year’s. But that was like 60% of the breaches or attacks were successful based on social engineering.


  • Zack

Yeah. I mean, we even had a you know, we’ve not had any schools, but we had an issue with reverse social engineering, that kind of exact thing. And, you know, it was caught. But it’s like if you, if you don’t know, ask for that kind of insurance, the insurance companies are going to be like, yeah, you should protect yourself from this. It’s kind of like the kind of keep it hidden and be like, we have to offer this to you because we assure you in other ways.

Now, you just mentioned something earlier. You’re like, you don’t think insurance companies are going to insure the stuff? You think it’s possible it might go away?


  • Don

It’s like it’s getting tricky. I mean, insurance companies are asking more and more in-depth questions now. You know, it’s not okay. Do you have a cybersecurity policy they want to know about? You know, do you have EDR? Do you have offline, you know, air-gapped backups, that sort of thing? They’re asking these really detailed questions to even qualify you to have cybersecurity insurance. And, you know, from an insurance company’s perspective, there’s a lot of risks they have to cover, especially K-12 schools, because we’re you know, frankly, we’re not all that good with this. We don’t have the resources that some others have. And even those that have resources still get attacked and essentially breached. So insurance companies get kind of wary about that because, you know, again, they’re paying out more than they’re taking in.

So it’s going to be interesting to get cyber insurance in the future to get it wrapped into an overall policy. You’re going to have to demonstrate that you’ve got pretty good capability as well.


  • Zack

You said you’re not in the business of technology or in the business of education. I think that the concern I hear is the balance of that, because you could lock down the system pretty tight, right? But then you make it where it’s teaching, it gets much harder. Yeah, really, All your data, you’re spending an extra, each person spending extra 5 minutes being more careful. But it’s like you look at a district, why you don’t have the resources.


  • Don

Right. Right, right.


  • Zack

So it’s a balancing act.


  • Don

Yeah. And for me, that’s what that risk assessment piece is. Because if we want to say we’ve got a really important tool that our teachers use, there’s some vulnerabilities with it. But if we choose to accept that risk, like you said, you know, from a technical standpoint, yeah, let’s lock everything down. But that’s not serving the organization. We have to really find out what the organization’s appetite for risk is, the school district’s appetite, and then respond, you know, and that way we do it collaboratively. So, you know, as you mentioned before, you know, tech directors are worried this is going to come back on them. Everybody in the district is responsible for cybersecurity, and that risk assessment has to be signed off on and approved at the cabinet level. And then I’d also say, you know, you have to have the board approve or at least have the board be aware of it.


  • Zack

So similar to the IRS, right? They always say, like, I’m never going to contact you over the phone for this information. Are you seeing schools or your schools doing training like that with teachers and staff members of like, hey, I’m never going to ask you for personal information. Right?

If you see an email that is mine, but I’m asking for this, don’t give it like, yeah, what’s the preventative action that district should be doing in educating all the way from, you know, your superintendent all the way down to, you know, your maintenance staff and everything else.


  • Don

Right. And that’s interesting that so you’ve got really high value targets and, you know, obviously cabinet members, that sort of thing. So what I do for the entire staff is do social engineering training, you know, use a system that will send phishing emails. But it also does phishing. It does not, you know, leave you can put USB keys laying around and see if anybody plugs them in or anything like that. But the idea behind that is not an It’s really about helping staff understand and know what to look for. But not just in there, you know, working for me. And schools are working with us, but it’s also at home, you know, so they know how to detect and really get a good idea of what social engineering looks like. So that way, you know A, they can protect themselves, but A but B and also protect sites. And you’ll notice I say A is protecting themselves because that’s where it really starts with the individual, so.


  • Zack

You know, with my staff. So I’m going to tell a story. So we constantly, you know, get contacted by school, say, hey, you know, I got to I got to buy some teacher devices or something. So we got contacted by a school in West Virginia and to one of our sales staff that emailed us, Hey, I need 34 of these computers, send them a quote, it looks good. Set us a purchase order. And you know, I was walking in one day because we were about to place the order and direct, you know, and ship it to the customer. And I said, you know what? I go, I’m sure it’s fine, but I go, Can you just get them on the phone? He’s like, Well, I verified the website and the email and I’m like, Yeah, just get them on the phone before we ship it. It was a scammer. They had created a full website like they had put themselves like a tech director and everything on it.

So what we did is fortunate we caught it. Yeah, we called the police there. We actually took one of our laptop surplus laptops. We took the battery out, put an airtag and shipped it to them, and the police followed up on it and found out that it was going to a storage warehouse where they were told they would be forwarding whatever they received to another address


  • Don

Yeah, yeah.


  • Zack

That would be sent overseas. So nothing. We haven’t had any movement on it since, but it’s just incredible how good they’re getting.


  • Don

Yeah, well, and really at the cost of entry for stuff, especially for social engineering, it’s next to nothing. I mean, you know, you can create an email address, you can blast out, you know, millions of emails from it all. If you get 1% that you get that you have fallen for whatever you’re doing, you get paid. I mean, that’s easy enough to do when you can set it and forget it.

You know, having, you know, essentially to do it’s, you know, send out all the emails, you know, if you’ve got a website or even, you know, like a you’ve got a botnet controller out there, you know, command and control system, you know, you can plant that everywhere, you know, and then, you know, be able to do why do things that make us crazy.


  • Zack

Yeah, that’s crazy. So, from your experience, like over the last from 2007 when you started to know what are, what are the most common, what are the most common cybersecurity threats that you’re seeing? So social engineering, social engineering And then who are they typically targeting?


  • Don

So for social engineering, social engineering is the number one. And really, if you can, you know, you’re always going to have that 1% that’ll fail. I got it down to about 1% at the district I was at, at the district I was at before the last one. But still, you know, if you get those failures then then you’ve got a problem. So the second thing is just going after non-patch systems. You know, if you don’t have the latest security updates or anything like that, you know, you’re going to get breached. The third is not having adequate protection on your computers. But I’ll tell you this, the entire reason that those are important is people are going to try to get in through social engineering. If I’m, I’m doing an ethical hacking course right now, and I can sit there and bang away at your public IP addresses.

But if you’ve got those close down pretty well in your firewall, I’m not going to spend a lot of time on that unless I see something interesting. So if I’m scanning your public IP addresses and I happen to see an RTP session open, yeah, you can bet I’m going to go after that. But it’s easier, more cost effective for me as a hacker to to really go after your staff and try to get somebody to do something. They shouldn’t get their credentials and they try to elevate privileges.


  • Zack

So I know you have a lot of just reading through your profile, you have a lot of experience with cloud computing. Is the cloud helping? So let’s say your school is moving to the Google Cloud or Azure or whatever. Is that helpful in a security sense, for locking things down easier, not having as much as that, or do you feel like it’s just opening up a new flood?


  • Don

So there are a couple of different ways to look at it. First of all, I think that those organizations are going to do a much better job of being secure than I can. Yeah, because I just don’t have the resources to do that. So yeah, moving those things out into the cloud is a good thing. Also, from a disaster recovery standpoint, you know, if you’ve got an instance, so you run a theme, and you can spin up an instance in, you know, last year and then be able to have that again as long as you can get to the Internet, you know, have you know, have your essentially your environment running up there.

I mean, it makes having a hot site a lot easier, even having a cold site that you have to spin up. So that helps and then see it’s not technically an air-gapped backup, but if you can have an immutable copy of your data, you know, daily on a cloud provider, that way, you know, if you have a fire in your data center and you don’t have another one, at least that data safe.


  • Zack

Yeah, I think that’s like a really good insight into that change. And I mean, are you seeing like almost every district having like a cloud backup really now at this point?


  • Don

I’d say that’s an interesting question because I’d say the better-resourced districts are probably more likely to have that as opposed to I mean, we’ve got a member of our organization downstate who the superintendent is, the tech guy. And so those sorts of organizations, they’re going to have a little bit tougher time doing that just because they don’t have the resources necessary to do that. So, yeah, I mean, it really comes down to having the resources.


  • Zack

So any time that there’s a flood of funds or a bigger problem that’s being solved, cybersecurity, there are companies that are flooding the market, right. And mines. This man can do this, Mine can do that. We’re better this way, better that way. How do you, as a tech director, vet those and make decisions That’s That’s going to be best for the district. And maybe that’s based on there’s obviously a price wait but like how because you said you read into the details of these things. Yeah. So how do you make your decisions on those?


  • Don

So first of all, you know, you look at where they rank in the industry, you know, and not just K-12, but how they, you know, things like Gartner, that sort of thing, where you kind of look where this product falls in there. And then for me, being a professional organization, that’s one reason why I say it’s really important to have a group of peers because we can gain a lot of knowledge from each other. So if I’ve got a question like, Hey, you know what? I’m looking at this system, who else is using it? Tell me what you think about it. And you know, especially in Illinois, we’ve got, and I’m sure of the states like this, but we’ve got a really, really strong group of tech leaders who, you know, we’re on this listserv, and we can throw our questions to each other and get like ten answers within like an hour.

So I just I’m doing an access control system. So I threw it out to the group and said, Hey, is anybody doing this? You know, what are you doing? And I got, you know, probably ten responses by the end of the day. And it really helps me validate what I’m doing. So if I’m doing this and I find that, you know, a lot of other people are doing it too well, that gives me some confidence.


  • Zack

Yeah. Yeah. Like in Indiana, we had the hack list, and yeah, yeah, a lot of like you, like people were monitoring. It’s very quick, and people want to be involved. That is one thing. I’ve seen a massive change since COVID as there’s so much more interaction between the different sector. You know, there is no way you can have enough knowledge at your district level.


  • Don

Agreed.


  • Zack

And you’re right that that ocean of knowledge that you can get. And when I was at this Kentucky regional meeting, they were talking about like, they just made this update and now we’re moving to this app and this is what we like about the app and what we don’t like about the app. And this is where it’s got security issues, just like you couldn’t read enough forms, forums online, right? The knowledge that they were passing back and forth. And it was just that I agree. That’s very, very valuable. Right. Last question for schools that might not have a dedicated tech director or someone that has a lot of tech knowledge or a level of expertise, what is a basic cybersecurity best practices you can recommend that prioritize and protect the school district? So like starting small and then maybe work your way up to the big stuff.


  • Don

So first of all, social engineering training is really important. You know, you have to help your staff recognize and be able to not respond to social engineering attacks. The other thing is making sure everything’s patched. I mean, really, if you can, if you can really limit social engineering and if you can make sure that your patching is current, it’s going to help you out quite a bit.

So that’s a good place to start. Obviously, you know, look at your firewall and make sure you know, your firewalls set up properly that you’re not, you know, letting in packets that you shouldn’t, you know, a good way to attack a system with Nmap is to send it ACK packets. And then, you know, if it’s not a stateful firewall, it won’t know that it’s sent that. So it’s going to connect to you. So it’s just doing some basic things in the firewall and maybe even having, you know, a cheap to manage service to help you with that because, you know, it’s you know, if you’ve got a brand new firewall, you know, never had training on it or anything like that. Yeah, it’s probably best to engage with somebody to help you on that. So to me, if you do those three things, that’s where we start. And it’s really simple, and it’s not really, you know, make sure you have antivirus, obviously, but signature-based antivirus really isn’t doing you that much good anymore. So I think that’s a good place to start. If you want to move up the scale. I’m firmly of the opinion that none of us I mean, I’ll tell you right now, there’s no school district that can monitor their systems 24/7/365, and none of us have the resources for that. You know, maybe Unified’s done it after, you know, what happened with them.

But it’s really that’s where managed security providers become very important. And, you know, in Illinois, we’re making a push to do it statewide. You know, some of this federal money that’s coming down will be able to have a single provider that is funded through the state that we all can use, which honestly, I think in the long run, that’s going to be the way to do things. We have to really work together because if we don’t and we’re sitting in these little islands, you know, we’re relying upon ourselves, but B, we’re not leveraging our community. And, you know, I’m coming back to the fact that we really have to network, we really have to be part of a community. And I would extend that to resources. So like, say, for example, you don’t have a dedicated leader in technology.

Well, maybe, you know, you get two districts together, and then you have a leader that covers two districts. Yeah. You know, and each district, you know, funds half of it, you know, And that way we can work together, you know, create intergovernmental agreements and things like that. Non-disclosure agreements. But at the same time, you know, combine our buying power, and I’ve been a huge advocate of that ever since I’ve been doing this.


  • Zack

Yeah, I think that’s a I mean, people may agree or disagree, you know, Midwest with so many districts, Ohio, I think they think they have like 800, you know, Illinois, you guys have like 900, something like that. Wisconsin, Michigan, there’s just so many. And there’s not 900 high-level people who are not already in the private sector. Right. For education. And I think like three small districts combining together their technology budgets. Probably a smart idea. Yeah, in my opinion. I think that’s interesting what you said about the statewide when we were in Kentucky. There they have like a single cess that’s required by the state. One question I had though, is do you think that that hinders competition if it’s…


  • Don

To some extent, yes. I think there’s a single system like that, people and nobody listening to this will be surprised by this. But we all like our pet stuff, you know, So like, for example, I use the CD-R and I don’t want that one.


  • Zack

Yeah.


  • Don

So if the state comes down and says, okay, I am, I’m buying the CD-R, and it would really benefit you to use it. You know, I may be reluctant because my thing is the greatest. So I think it requires some flexibility on our part. I think the core innovation that we do really, you know, it depends on the data you can get out of a service and how you can use it to help staff and students. But I think there are creative ways to do that too. So in that way, to again, getting back to my point around, we’re not being we’re not here to run technology. We’re here to educate.

The less money that you dedicate to those resources, the more you can spend. For me on like tech support in schools or, you know, if you get your printers together in a managed, you know, a managed print service and you’ve reduced your number of printers in a building to three, you know, you can save a lot of money on printing and hire another pair of pros and hire another math specialist, you know, that sort of thing. So we really have to think about where we direct our money to provide the maximum benefit to our school district.


  • Zack

Yeah, I love that. Don, thank you for coming out. This was awesome. Learning about cybersecurity stuff, your story. Anybody who has a story they want to share or some expertise they think would be good for a group of future technology leaders, please reach out to us, and we’ll have you on. Yeah, I appreciate you coming out.


  • Don

My pleasure. Thank you.


  • Zack

Awesome.

