Protecting online data

School district officials say they’re prepared for network attacks

Posted

Local school officials are waging an unending battle to protect sensitive data stored on network computers, becoming overprotective — and in many cases downright secretive — in discussing their efforts to ward off cybercrime.

“This isn’t something we can discuss over the phone,” Lynbrook School District Superintendent Dr. Melissa Burak said.

“We don’t want to print where the data is stored,” Malverne School District Superintendent Dr. Lorna Lewis said.

Vincent Fleck, director of technology for the West Hempstead School District, said, “Maybe that should be off-the-record.”

School officials aren’t trying to be being deceptive about their stored online data, but they said they did not want to bring attention to their methods or provide any information that could be used to hack their data.

“It’s not stored in a shoebox under your bed,” Craig Vella, director of technology for the Malverne School District, said. “We want to be as well protected as possible. We have multiple systems, multiple layers of protection.”

Officials said it isn’t a question of if they will be hacked, but when. As a result, school districts secure data through fragmentation or compartmentalizing, meaning data is stored in several different locations to minimize breaches.

“Let’s say you did get something that could spread,” Fleck said. “It would potentially hit a department as opposed to the entire location. Backups are a huge piece of what we do.”

Because hackers operate from any location with internet access, the threat exists everywhere, forcing school districts to maintain constant vigilance. The stakes are high because a data breach could cost millions and knock operations offline for weeks or months.

“We obviously take this incredibly serious,” East Rockaway School District Superintendent James DeTommaso said. “We are constantly adapting, because the people trying to hack in are constantly adapting.”

Even though East Rockaway, West Hempstead and Malverne school district officials said they are insured for ransomware — which holds victims’ devices and data hostage until a ransom is paid — it’s not a simple process of paying the extortionist’s price and being back online immediately. Computer systems would have to be checked and possibly rebuilt.

The threat is real, and the danger can be significant, authorities said. Suffolk County government officials were hacked on Sept. 8, and the county is still experiencing delays, they said. Suffolk was forced to prioritize which systems, such as 911 services, to rebuild first.

“You need technicians to rebuild systems, get services back online safely and conduct forensics,” Fleck said. “It all takes time and money.”

Malverne school officials said they hold frequent training sessions to teach employees to be diligent.

“The biggest part of our protection now is to educate and train staff,” Vella said. “Staff is trained that if something doesn’t look right — if it doesn’t originate from within the district — not to trust it.”

Many districts frequently test their computers by sending fake attacks to see if staff members are being cautious. In Malverne, those attacks even target the superintendent.

“They really try to get me, but they haven’t,” Lewis said. 

Vella added that eight years ago, 40 percent of staff failed an internal test. Most recently, only two individuals failed the scam test.

“Every person is a point-person for security,” Lewis said.

School district officials further guard their computer systems through a concept called “zero-day,” meaning a municipality isn’t aware yet of a security flaw and has no time to fix that flaw in the event of a cyber attack. That fear has led districts to improve their fragmentation to mitigate the damage. Officials said they know they will be hacked at some point, so they plan for it.

“We make sure all our servers and computers are up-to-date,” Fleck said. “We have firewalls, web gateways and domain name system filters. We filter millions and millions of sites. If we don’t know where the site is, we block it.”

A final measure of protection comes from simply being vague about cybersecurity and previous breaches. District officials didn’t disclose any previous attacks and were reluctant to provide even cursory details about protecting their networks.

“To protect our assets, we don’t share information about possible previous breaches,” Lewis said.