North Carolina’s public schools are facing serious, ongoing cybersecurity threats from professional hackers that are costing time and money and putting personal information at risk, a consultant warned state lawmakers on Tuesday.
Most North Carolina school districts and charter schools aren’t prepared to deal with massive breaches and intrusions into their computer systems, according to Phil Emer, director of technology planning and policy at N.C. State’s Friday Institute For Educational Innovation. Emer told lawmakers that schools are facing threats such as software attacks designed to shut down systems unless a ransom is paid, malicious software trying to steal information off databases and email phishing scams designed to get sensitive information.
“No matter how much money we spend or what we do, we’ll never be able to protect everybody 100 percent,” Emer told members of the Joint Legislative Education Oversight Committee. “The attacks are changing everyday. The phishing schemes are getting more directed. But we can do as good a job as possible to mitigate.”
Cybercriminals have initiated a number of highly publicized security breaches on multiple commercial sites. But in October, the U.S. Department of Education issued a warning about a new threat in which criminals are seeking to extort money from school districts and other educational institutions on the threat of releasing sensitive data from student records.
Digital Access for only $0.99
For the most comprehensive local coverage, subscribe today.
In last year’s state budget, lawmakers included $200,000 a year to help deal with the issue of school cybersecurity. The Friday institute was tasked with working with the State Board of Education and the state Department of Public Instruction on the issue.
Emer said steps have been taken to help school districts and charter schools improve their cybersecurity. But he said that in recent months four North Carolina school districts suffered attacks in which malicious software entered their computer systems.
It’s not cheap addressing the problems, according to Emer. He said the Rockingham County school system paid $314,000 to fix its computer systems after they became infected.
Emer said most attacks that have led to school data breaches are caused by professional syndicates. He said some school districts’ chief financial officers have been getting emails claiming to be from their superintendents asking for information such as W2 records for all the school employees. Emer said at least one district fell for that scam.
“This is pretty sophisticated,” Emer said. “Somebody needs to have known who the superintendent is, who are the folks that have control of accounting or CFOs, so they have a good bit of detail. This is not a random email.”
Just this week, Emer said, some school employees have been getting phishing emails purportedly from their principal.
Emer said the most common threats come from phishing schemes in which school employees open what they presume to be legitimate emails that actually contain malicious software or links.
Some threats come from students, according to Emer.
“There have been students in North Carolina who have gone on websites and bought as a service denial of service attacks to attack their own school during the test day,” he said.
In a denial of service attack, a school’s computer system is bombarded by so many fake online requests for information that it can’t operate properly. But Emer said that MCNC, a technology nonprofit that works with the state’s education institutions, have largely mitigated that issue.
Moving forward, Emer said more and continuous training is needed for school staff and students. He said school districts need to continually monitor security and react quickly to attacks to mitigate the damage.
“No matter how good we are, there are going to be breaches,” Emer said. “We have to have a framework for recovery.”
With schools under threat, Sen. Ronald Rabin, a Republican from Harnett County, said someone needs to determine who has responsibility for addressing cybersecurity.
“We have to decide if it’s serious enough to attack,” he said. “If it is, someone has to be responsible.”