The email itself was unremarkable. It arrived on a weekday in June, addressed to the accounts payable department of the Salem-Keizer School District. It came from a company working on school construction (let’s call them Acme Construction) with a simple request: would they mind updating the direct deposit with the following information?
This email wasn’t from Acme Construction. It was from hackers who had done their homework. They had registered a lookalike of the company’s domain: acmeconstruction.us instead of acmeconstruction.com. They replicated the company’s website, in its entirety, on the new domain. They even knew, through snooping, that this employee used a shortened version of their name, and addressed them as such.
But after years of training, the employee was prepared and promptly forwarded the email to Bob Silva, and in doing so saved the district from losing $1.5 million.
Silva, who has served as the director of technology and information services for SKSD since 2015, credits constant staff security trainings, supplemented by a healthy dose of fear, but still stays up at night worried that this won’t be enough.
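The two tricks described here, a sender domain that matches a real vendor’s name under a different top-level domain and a request to change payment details, are both things a mail filter or an accounts-payable reviewer can check mechanically. The following is an added example, not code from the district or from any vendor named in the article; the allowlist, the keyword list, the sample message and the address domains in it are all constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist: vendors and the domains they are known to send from.
# Hypothetical values, not from the article or any real vendor record.
KNOWN_VENDOR_DOMAINS = {
    "acmeconstruction.com": "Acme Construction",
}

# Phrases that signal a request to change where money is sent.
PAYMENT_CHANGE_PATTERNS = re.compile(
    r"direct deposit|bank(?:ing)? (?:details|information)|routing number|wire instructions",
    re.IGNORECASE,
)

def registrable_parts(domain):
    """Split 'acmeconstruction.us' into ('acmeconstruction', 'us').
    Simplification: assumes a one-label TLD; a production filter would use a
    public-suffix list so that names like example.co.uk are split correctly."""
    labels = domain.lower().strip().split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]

def classify_sender_domain(domain):
    """'known' if on the allowlist (or a subdomain of it), 'lookalike' if it
    imitates an allowlisted vendor (same name under another TLD, or a
    near-identical name), otherwise 'unknown'."""
    domain = domain.lower().strip()
    if domain in KNOWN_VENDOR_DOMAINS:
        return "known"
    name, tld = registrable_parts(domain)
    for known in KNOWN_VENDOR_DOMAINS:
        known_name, known_tld = registrable_parts(known)
        if name == known_name and tld == known_tld:
            return "known"              # e.g. mail.acmeconstruction.com
        if name == known_name and tld != known_tld:
            return "lookalike"          # the .us-for-.com swap in the article
        if SequenceMatcher(None, name, known_name).ratio() >= 0.9:
            return "lookalike"          # one-character edits such as acmec0nstruction
    return "unknown"

def assess_message(raw_email):
    """Combine the sender-domain verdict with whether the message asks to change
    payment details; return a dict a filter or a human reviewer can act on."""
    msg = message_from_string(raw_email)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    verdict = classify_sender_domain(domain)
    payment_change = bool(PAYMENT_CHANGE_PATTERNS.search(text))
    if verdict == "lookalike" or (payment_change and verdict == "unknown"):
        risk = "high"
    elif payment_change:
        # A known domain can still be spoofed or compromised: confirm the change
        # by phone, using a number already on file rather than one in the email.
        risk = "medium"
    else:
        risk = "low"
    return {"sender_domain": domain, "domain_verdict": verdict,
            "payment_change_request": payment_change, "risk": risk}

# Constructed sample message modelled on the one the article describes.
SAMPLE_EMAIL = """From: "Acme Construction Billing" <billing@acmeconstruction.us>
To: accounts-payable@example-district.invalid
Subject: Updated direct deposit information

Hi Bobby,

Please update our direct deposit with the following routing number and account number.
"""

if __name__ == "__main__":
    print(assess_message(SAMPLE_EMAIL))
```

The domain check is deliberately conservative: anything that merely resembles an allowlisted vendor is treated as a lookalike and escalated, and a payment-change request from a genuinely known domain is still flagged for out-of-band confirmation, because the forwarding step the employee took in the story is the control that actually stopped the loss.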
Across the U.S., hackers are increasingly targeting educational institutions in addition to corporate and government targets. They’ve found victims who are, in many cases, woefully unguarded; in a case exactly mimicking the above scam, they stole $1.9 million from a university, money that could not be recovered.
Attacks against schools are on the rise in both scope and severity. In late July, Louisiana Gov. John Bel Edwards declared a statewide emergency after malware attacks disabled three school districts and seemed poised to spread to other government agencies. It was a sufficient threat that the Louisiana National Guard, Louisiana State Police, the state’s Office of Technology Services and Louisiana State University, among others, joined in the fight.
While it’s not just schools that can fall victim (Facebook and Google lost a combined $500 million to similar direct-deposit scams), SecurityScorecard’s 2018 Education Cybersecurity Report notes that out of the 17 major industries in the U.S., education comes in last place for overall security.
A phishing email that was sent to Salem-Keizer employees, which perfectly mimicked an email from CIO Bob Silva.
The threat arrives on multiple fronts: the proliferation of software and devices in the classroom leaves schools with weak points, while overtaxed IT departments don’t upgrade rapidly or regularly. Adding to the complications are questions of FERPA (Family Educational Rights and Privacy Act) compliance, which can limit options and demand even more from IT.
Then, of course, there is the biggest vulnerability of all: each and every employee (and, sometimes, parent and student) having to properly evaluate each and every email they receive.
“The bad guys only have to win once, but we have to win every time,” said Erich Kron, a KnowBe4 cybersecurity evangelist. He entered the field in the 1990s, eventually becoming the security manager at the 2nd Regional Cyber Center for the Army.
Phishers target and scam in constantly evolving ways. But, Kron noted, like con artists and grifters since time immemorial, they succeed by playing to human psychological vulnerabilities.
“If you get an email, or a phone call, or a text message that elicits an emotional response, be very cautious with it,” Kron said. “They use emotions to get (you) to bypass critical thinking; they use anger, they use fear, they use urgency.”
A perfect example, he said, is a message that looks as though it comes from a boss demanding immediate action, which people too often take. In fact, one phishing scheme targeting SKSD looked like it had come from Silva himself, asking employees to open and read a Google Doc.
That stress and urgency cause people to act fast.
“Of those people who click (on an unsafe link in an email), 55 percent do it within an hour,” Kron said.
On the other hand, Silva said, he uses those same emotions to reinforce the need for constant vigilance.
When asked whether he has trouble instilling the right amount of fear in employees, he laughed.
“It’s easy to give them the proper level of fear, and I’m good at that,” he said. “I tie it to their personal lives rather than the effect at work. It’s not a knock against them. They’ve got a lot of other stuff to worry about. They’ve got 30 kids in the classroom and 60 parents. But you start talking about their bank account and their kids? They start listening.”
After the simulated phishing attack, KnowBe4 alerts administration and staff to vulnerabilities, then offers ongoing training.
As part of staff awareness efforts, Silva has partnered with KnowBe4, which specializes in launching simulated phishing attacks against organizations. These simulated attacks help identify vulnerable groups or individuals; the company then offers extensive employee training.
“After we do a simulated phishing attack, we analyze the results and, based on who became a victim, we report back to all-staff in what we call a Phish Tank episode.”
Still, Silva said, cybersecurity is a mountainous task for the district. He estimates they get 50 unique phishing attacks per day, which means thousands in total, as each goes out to so many recipients. He has a team of four to work on this, and estimates that it takes the equivalent of one full-time employee.
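The analysis step Silva describes, working out from campaign results which groups are most exposed and who needs the follow-up training, is simple to express in code. The following is an added example, not the district’s or KnowBe4’s own tooling; the campaign results are constructed data (click and report times in minutes after delivery), and the department names and user ids are hypothetical. It also folds in the one-hour window Kron cites, since how quickly people click is part of what the report-back needs to show.

```python
from collections import defaultdict

# Constructed results of one simulated phishing campaign (hypothetical data,
# not the district's or KnowBe4's). "clicked" and "reported" are minutes
# after delivery, or None if the user never clicked / never reported it.
CAMPAIGN_RESULTS = [
    {"user": "ap1", "dept": "Accounts Payable", "clicked": 12,   "reported": None},
    {"user": "ap2", "dept": "Accounts Payable", "clicked": None, "reported": 5},
    {"user": "ap3", "dept": "Accounts Payable", "clicked": 240,  "reported": None},
    {"user": "t1",  "dept": "Teaching",         "clicked": None, "reported": None},
    {"user": "t2",  "dept": "Teaching",         "clicked": 45,   "reported": 50},
    {"user": "t3",  "dept": "Teaching",         "clicked": None, "reported": 90},
    {"user": "t4",  "dept": "Teaching",         "clicked": None, "reported": None},
    {"user": "it1", "dept": "IT",               "clicked": None, "reported": 3},
]

def summarize_by_department(results):
    """Per-department counts with click rate and report rate (0.0 to 1.0)."""
    groups = defaultdict(list)
    for row in results:
        groups[row["dept"]].append(row)
    summary = {}
    for dept, rows in groups.items():
        sent = len(rows)
        clicks = sum(1 for r in rows if r["clicked"] is not None)
        reports = sum(1 for r in rows if r["reported"] is not None)
        summary[dept] = {
            "sent": sent,
            "click_rate": clicks / sent,
            "report_rate": reports / sent,
        }
    return summary

def share_of_clicks_within(results, minutes=60):
    """Fraction of all clicks that happened within `minutes` of delivery;
    the window defaults to the one-hour figure quoted in the article."""
    click_times = [r["clicked"] for r in results if r["clicked"] is not None]
    if not click_times:
        return 0.0
    return sum(1 for t in click_times if t <= minutes) / len(click_times)

def training_priority(results):
    """Departments ordered from most to least in need of follow-up training:
    highest click rate first, lowest report rate as the tie-breaker."""
    summary = summarize_by_department(results)
    return sorted(summary, key=lambda d: (-summary[d]["click_rate"],
                                          summary[d]["report_rate"]))

def users_to_retrain(results):
    """Individuals who clicked and never reported the message: the people a
    report-back session is built around. Someone who clicked but then
    reported it is not in this list, because reporting is the behaviour
    the training is trying to produce."""
    return sorted(r["user"] for r in results
                  if r["clicked"] is not None and r["reported"] is None)

if __name__ == "__main__":
    for dept, stats in summarize_by_department(CAMPAIGN_RESULTS).items():
        print(f"{dept}: sent={stats['sent']} click_rate={stats['click_rate']:.2f} "
              f"report_rate={stats['report_rate']:.2f}")
    print("clicks within 1h:", round(share_of_clicks_within(CAMPAIGN_RESULTS), 2))
    print("training priority:", training_priority(CAMPAIGN_RESULTS))
    print("retrain:", users_to_retrain(CAMPAIGN_RESULTS))
```

Tracking the report rate alongside the click rate is the design choice that matters: the forwarded email at the start of the article is a report, and a department with a modest click rate but almost no reports is arguably the weaker one, since nobody there is giving IT the early warning.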
During each KnowBe4 campaign, he said, all student records have been compromised.
“Not just the current students, students going back ten years,” he said, adding that $148 is the industry-standard cost per lost record.
“So you’re talking about 300,000 records at $148 per record; that’s $44.4 million,” he said, adding that there is also the potential for legal consequences.
“There’s nothing that would prevent the federal government from investigating a school after a data breach, finding them negligent and charging a fine.”
The problem is not going to get better, he said, and is instead getting actively worse. He noted that a 12-character password that might have taken a quintillion years to crack a few years ago now takes three years.
“That changes the standard, because that’s for one password. You put a network of computers together, and you’re down to weeks and months.”
This, he said, is combined with increasingly clever techniques.
“The creative ones will start impersonating parents. They’re just getting smarter,” he said. “There’s two things they’re after: our student information systems and our money. Right now, they’re generally after the money.”
That may soon change, he said, especially when considering the depth of info schools now gather on their students.
“They haven’t figured out the value of our student info yet,” he said. “As soon as hackers find out how easy it is to get a bunch of fresh, clean identities, school districts across Oregon, across the United States, who have kept their heads in the sand are hosed. There’s nothing they’re going to be able to do to prevent the breach.”
– Kelly Williams Brown
Education pricing for KnowBe4 is available through OETC