Minnesota lawmakers consider school cybersecurity funding

School cybersecurity

School cybersecurity

Cyber-attacks are increasing in number and complexity, according to state officials. It’s a growing challenge for school districts across the country.

“We are always seeing cyber events come our way,” said Anthony Padrnos, the executive director of technology for Osseo Area Schools. “We’ve definitely seen attempts come into our system.”

The district has been able to prevent bad actors from entering its system so far, and protecting the district is an ongoing operation.

“We’ve been very fortunate we do have a cybersecurity plan in place; we have a cyber-response team that’s ready to go,” he said. “We’re continuing to grow and improve ourselves.”

He explained the district started building out its plan in 2018. They’re also part of a small cybersecurity consortium, which partners with several other metro school districts to contract with a cyber-security professional who helps the districts build plans, testing protocol, and training.

In addition, Osseo Area Schools works with families, students, and staff to build “cyber awareness.”

“It’s thinking about ‘What is the information that you’re putting out there and making accessible?’,” said Padrnos. “And how do I protect myself, whether it’s my personal accounts or my school accounts, from having that information or my identity hacked or breached and taken advantage of?”

He added, “We’ve got just under 21,000 students who have a district-issued device that’s connected to our district networks and it’s a valuable tool and vital tool for how we’re delivering instruction but at the same time, it creates a very wide footprint.”

Minnesota IT Services recommends school districts teach personnel to be cyber-aware because they’re often the first gateway into a system.

“Trying to get into their accounts, trying to trick them into giving out passwords, trying to trick them into giving access into the systems,” explained John Israel, the interim chief information security officer for Minnesota IT Services (MNIT).

He recommends implementing multifactor authentication and improving basic foundational cyber security for district networks, including patching their systems.

In its 2022 annual report, MNIT notes 78 security incidents involving schools and universities. There were 262 incidents involving schools and universities in 2021 and 414 incidents in 2020.

The state agency explained the declining numbers reflect investments in cyber security rather than a decrease in threats.

“Cyber-attacks against schools is not necessarily new but we are seeing that threat continue to evolve and target more and more organizations,” said Israel.

In February, the Cloquet Public Schools superintendent wrote in a letter to state lawmakers that cyber-attacks had “resulted in significant financial losses and disruptions to our educational programs.”

In March, Minneapolis Public Schools informed families an encryption event was the cause of technical difficulties experienced in February.

“We see these attacks go in sort of a cyclical pattern,” said Israel. “They’ll target an industry and once they find success to get into one, we see those same actors trying to get into similar organizations. I would say the risk and the threat is broad; it’s across all industries. We’re seeing this in small business, in corporate environment, we’re seeing it in government and in schools, it just happens right now there’s more of a focus because there’s been some success.”

School districts have a vast amount of digital data, including student information, medical records, and hiring and employee history documents.

“That’s the focus of all of these attacks – they’re looking for impact, they’re looking for money, looking for data,” said Israel. “How can they monetize and make money off of these events?”

Minnesota lawmakers have included in the omnibus education finance bill $35 million in grants for school districts and charter schools to improve building security and cyber security.

According to Padrnos, a small district may spend $250,000 to $500,000 just to get started. Districts may also have to hire additional staff and pay for cyber insurance.

A spokesperson for Saint Paul Public Schools told 5 EYEWITNESS NEWS its district has invested heavily in cybersecurity measures and the cost of cyber insurance alone has doubled since last year to $120,000.

“We’re continuing to see increased costs in trying to protect ourselves,” said Padrnos. “The fact that the legislature is having a conversation and highlighting the need to start to look at the cybersecurity in the K12 sector is a critical first step.”