Superintendents Webcast graphic

Kentucky Department of Education (KDE) officials spoke about cybersecurity for school districts during the KDE Superintendents Webcast on March 12.

Associate Commissioner David Couch and Robert Hackworth, chief information security officer from KDE’s Office of Education Technology, presented information about security threats and tips on how to deal with them.

“While we’re not 100% perfect, KETS (Kentucky Education Technology Systems) has been the pioneer and national leader in most aspects of education technology, including cybersecurity,” said Couch.

He said districts should look at cybersecurity the way people should view the security of their cars: most break-ins occur when the vehicle is unlocked. If school officials are careful and thorough about the data they share, Couch said it’s far less likely there will be any security breaches.

Education also happens to be the most affected industry for cyberattacks, Couch said, far outpacing other industries like retail and healthcare.

Couch said there are three main reasons criminals try to break into a school’s system:

  1. To create chaos, like when criminals hijack a district-managed website or social media account to post inappropriate material;
  2. To make money, like through the use of ransomware, where criminals lock you out of your data and tell you to pay them to regain access or they will sell the obtained data; or
  3. To cause a lack of confidence and trust in organizations, making them inoperable.

Couch said an easy way to avoid moneymaking scams is to avoid anything with gift cards or cryptocurrencies like Bitcoin because they’re harder – if not impossible – to track and they can instantly deliver the money to the criminal.

Disruptive attacks can be trickier, as criminals will sometimes use a distributed denial-of-service (DDoS) attack to overload a district’s system and prevent anyone from accessing information located within that system. Hackworth says DDoS attacks have increased rapidly in both number and ferocity, but KDE has measures in place through KETS to help districts that are dealing with such an attack.

But criminals are constantly looking for security vulnerabilities, and Hackworth said many of them treat hacking as their job.

“The unfortunate truth is that they have a lot of time,” said Hackworth. “This is their day job, and they are researching us and a lot of times – most of the time – in order to be helpful, we put all of our roles and job responsibilities on our websites so that our customers, the public, can reach us when they need to.”

Data presented by Couch shows that KDE itself faces thousands of attempted logins from outside organizations on any given day from many foreign countries. However, Kentucky is among the states with the fewest number of data breaches in K-12 schools.

“The main focus of our services at the (KDE) Office of Education Technology over the past 32 years, along with our Kentucky Education Technology System partners … has been toward the prevention of a successful attack,” said Couch, “and we all do that together extremely well.”

Couch said preventive training is one of the most helpful measures against cybersecurity threats because no matter how secure a system is, the people who have the keys to that system are the most frequently targeted. Training should include information about phishing attacks so staff members can identify when a criminal is trying to trick them into giving up login information or other critical data.

Other helpful tips involve how to deal with data, including how frequently old records with sensitive information on them should be cleared out and how often data should be backed up onto secondary servers, including cloud services. Couch recommended storing the most-sensitive data on cloud systems instead of onsite servers. He said having data in one centralized place without any backups could make people more vulnerable to criminals if they gain access to that data.

Couch also said districts should seek out cybersecurity system health checks regularly from independent companies, many of which can be done for free.

Legislative Update
Brian Perry, KDE’s director of government relations, provided an update on the 2024 legislative session.

Lawmakers have filed more than 1,200 bills and Perry said the Kentucky Senate will unveil their budget proposal on March 13 during a meeting of the Senate Appropriations and Revenue Committee. Lawmakers have until April 15 to pass a budget and any other legislation before the 2024 regular session ends.

In other business:

Visit the KDE Media Portal archive to watch the full webcast. The next Superintendents Webcast is scheduled for April 11.