Estimated read time: 4-5 minutes
- Granite School District's data breach and others affected hundreds of thousands of students, prompting legislative attention.
- The Utah School Security Task Force is sharpening its focus on enhancing cybersecurity in schools.
- Experts suggest multifactor authentication and risk assessments to improve school data security, among a host of other tactics.
SALT LAKE CITY — When Granite School District announced in December it was the victim of a data breach that impacted "all current and former Granite School District students" — about 450,000 — the Utah Legislature took notice.
Specifically, the state's School Security Task Force took notice. This group championed the sweeping HB84 last year, which strengthens armed security in Utah's schools, directs school buildings to install emergency communication systems and panic buttons, requires threat reporting if employees are aware of a particular safety concern, and links the state's SafeUT Crisis Line to Utah's intelligence database.
"The value of the data of our children, at least on the illicit web, is quite a bit higher. It's four to six times higher than it is for yours or mine when it comes to private information because they're children," said Rep. Ryan Wilcox, R-Ogden and chairman of the task force. "If we're talking about safety and security, certainly we need to address each of the aspects of that."
Just last week, student data from the Salt Lake City, Weber, Cache, Duchesne County, Iron County and Washington County school districts was compromised following a cyberattack on the popular PowerSchool online education platform.
With all of this in mind, Wilcox added that cybersecurity is an area that the task force and Legislature aim to focus on "a lot this year."
On Friday, the task force heard from Fortinet, a California-based cybersecurity company, to learn about some of the best practices when it comes to protecting valuable, sensitive data.
Kevin Lopez, major account manager at Fortinet and former IT director of network infrastructure for the state of Utah, said cybersecurity isn't just doing one thing or having a single wall of defense. Instead, Lopez said it's "a mindset and it must be considered in all digital environments."
With that said, there are minimum considerations that can be taken to start building the foundation for a secure network.
Some of these things are obvious, like securing systems with multifactor authentication — a simple step Lopez said significantly increases security and reduces risk by up to 99%.
But when discussing best practices on a systemwide level, Lopez said there are four elements to consider:
- Individual users (students, staff members and parents), including their identity and the devices they're using.
- Systems that are built and controlled by schools, generally tools and systems managed by the school district's IT team.
- A supply chain that consists of vendors who are providing services to schools with cloud and Software as a Service (cloud computing model that allows users to access software applications over the internet) technology.
- Network connection that provides the pathway between an individual user and applications, whether they're on a districtwide system or in the cloud.
{#related}
For school districts that, in some instances, are managing data for hundreds of thousands of individuals, Lopez said most systems are protected by firewalls — a network security device that monitors and controls incoming and outgoing network traffic — acting as a barrier between a trusted internal network and untrusted external networks.
He also brought up "zero trust frameworks."
"Network segmentation and zero trust, basically, what it does, is it says that this person can access only these limited applications, so they're only getting access to what they really need to use," Lopez said. "It gives that framework to be able to decide and control that, from the IT management teams."
Lopez said all districts should consider conducting risk assessments of their IT systems to understand their security status and identify gaps that could be exploited by bad actors to steal data. If the worst-case scenario unfolds, he said there are tools available to help districts track compromised data, thus enabling districts to assess risk.
"There are tools out there that can give organizations insights to seeing what that risk exposure is across the public internet and dark web data. So, you can actually do recognizance in a way to find out, like, 'Is my data being utilized or sold or whatever?'" Lopez said.
While these were just a handful of suggestions presented to the task force on Friday, it wouldn't be a surprise to see lawmakers put more emphasis on virtual security when it comes to schools during the upcoming legislative session.
"We have to do a better job of intentionally structuring what our cybersecurity is going to look like here ... what those basic, minimum standards need to be, and making sure that we're not, for convenience or lack of planning or resources, putting ourselves in a situation where this is a virtual certainty that we're compromising (data)," Wilcox said.
