Not if, but when.
That was the message presented to the Joplin Board of Education last week regarding the possibility of a cyberattack on the school district.
The board approved unanimously spending almost $200,000 with Pondurance MDR for managed detection and response to possible computer and digital threats.
As evidence of the need for improvements in the district’s computer security, Kerry Sachetta, assistant superintendent for operations, cited the cyberattacks in May on Continental Pipeline, which shut down fuel deliveries to the eastern U.S. for a few days, and on JBS, the world’s largest meat processing company. He also cited cyberattacks on Crowder College and Missouri Southern State University.
“Unfortunately we live in a world now where cyberattacks are something we can’t get away from,” Sachetta said. “We believe it’s not about if, it’s when it’s going to happen. Data security practices commonly used in academia have become completely obsolete during the past five years.
“The recent revolution of malware and hacking technology has left Joplin Schools vulnerable to ransomware, student data theft, staff and student identity theft, denial-of-service attacks, remote learning video conference disruptions, expensive litigation and the possible situation of prolonged data outages during which classes cannot be held safely on campus at all and during which the finance department could be unable to pay bills or make payroll.”
Vince Crossley, network administrator for the Joplin School District, and Eric Pitcher, district director of technology, spoke to the board about the proposal and the threats the district faces.
“The threat environment we’re dealing with now has been increasing with a lot of influence of money, even from foreign governments financing entire criminal organizations to try and extort money one way or another out of all sorts of businesses and even academia,” Crossley said. “Because of the nature of the technologies we use in the classroom, they have found academic institutions like the K-12 environment and colleges to be easy pickings for their criminal activities. During the past year, we’ve seen about 57% of all ransomware attacks hitting academic institutions. You have nearly a quarter of institutions that have been hit by ransomware forced to close either permanently or for short periods of time in order to try and recover and get their environment up.”
Crossley said the money spent on cybersecurity doesn’t really contribute to the educational experience, but it will help the district keep the school doors open in the event of a cyberattack.
He cited a March cyberattack on the Park Hill School District in Kansas City that forced that district to close for two days while it restored its systems.
“We cannot conduct classes if some of the critical information like contact information should become unavailable during a ransomware attack,” Crossley said. “So we would have to close as Park Hill School District had to do just two months ago. Right now, the criminal organizations that are performing these types of attacks are generating more revenue than the entire global narcotics trade.”
Crossley said hackers could not only install software bugs that can lock employees out of the district’s computers, they could sell the data in the computers to a third party and/or blackmail the district by threatening to sell that data to other criminals.
He said that could affect staff as well as student information, making all individuals in the district targets.
Eric Pitcher, the director of technology, told the board the district sent requests for proposals to different companies and decided the proposal from Pondurance MDR, based in Indianapolis, “locks the most doors” to the district’s computers.
He said cost would be $199,731 for the first year with the option to renew for two more years at a cost of $153,728 per year.
The cost for the first year would come out of the district’s capital outlay fund, although administrators would see if it could be paid with federal pandemic relief funds.
The board also decided to continue with its current employee health insurance program for three more years.
The district is self-insured with a third-party administrator running the district’s self-insurance fund.
Jamie Brummet, with the insurance brokerage firm of Barker Phillips Jackson, told the board that the district’s self-insurance fund has a balance of $5.6 million, about 100% of a year’s worth of claims.
She said United Medical Resources will continue to manage the plan with no increase in administration fees for the first two years of the extension. In the third year, the administration feel goes up 27 cents per employee, or about $3,000.
She recommended no change in plan design or premiums, which would mark the fourth year in a row with no increase in premiums for employees.
She said maintaining the premiums despite the fact that the fund is well funded and may see some savings in prescription and other costs in the coming year will prevent the district from having to make big changes in premiums in the future.