The Abbotsford School District has made strides in improving its information technology security, something that was once effectively a non-issue for organizations as small as school districts.
The Abbotsford School District (ASD) stores more than two million documents and has more than 13,000 connected devices, and more than 18,000 emails go to and from ASD email addresses every week, according to a presentation to the school board by Karman O’Brien, director of information technology.
That means there is a lot for the school district to protect from “bad actors,” and the school district is working to reduce the risks to its technology.
In 2017/18, the school district had 85 compromised email accounts; that number has fallen to just 15 so far in the 2018/19 fiscal year.
“These things come in spurts. Generally what happens is somebody will view us as a target, and they’ll try penetrating our system for a week or two weeks or three weeks and then eventually they get bored and they go elsewhere,” O’Brien said, noting one particularly bad month of attempts from servers in Russia, China and Ukraine.
“They were hitting our servers thousands of times a day for about a month, so it was a lot of work for us. But thankfully they weren’t successful.”
When an email account is compromised, it only means that the bad actors can see subject lines and other basic information, but O’Brien noted one example of how that basic information can escalate.
When an employee announced a retirement party, that subject line reached a compromised account, and bad actors were able to create their own fake email using that information to attempt to dupe more employees into clicking on malware and compromising more accounts.
“So they’re not actually getting into the system; they’re just reading bits of information, and that gives them more fuel for the fire to keep trying.”
The school district has also redesigned its firewalls to protect against bad actors trying to breach the system.
O’Brien said it’s typically a game of catch-up, but he also noted that the IT department has “done an excellent job of hardening our firewalls, and in the past two years we haven’t had any kind of breach.”
But O’Brien said the most important vulnerability is under-trained staff.
“The chain is only as strong as its weakest link, and all these bad actors, they know that,” he said. “If they can’t get around the firewalls, they’ll try and do social engineering campaigns, where, like I said, they send out emails that try and trick you into giving out your password and credentials. And surprisingly, it’s sometimes successful.”
With that in mind, O’Brien said the school district is spending a lot of time training district staff to recognize bad emails.
“It’s hard. They’re getting better at manufacturing these emails so they look very legitimate,” O’Brien said.
O’Brien noted two particular warning signs that an email is illegitimate – bad spelling and mismatched email addresses. Instead of an @abbyschools.com domain, for instance, an email may come from an @aol.com domain.
O’Brien said the district has done training for all principals and vice-principals and staff at the school district’s main office, and among the 190 people who took the training, the average score on testing was 85 per cent.
In the past, school districts did not need to worry so much about attacks from bad actors, but O’Brien said it’s now becoming “so easy to send out these malware campaigns and denial of service campaigns.”