Audits Reveal Cybersecurity Weaknesses in New York School Districts

The Office of the New York State Comptroller has completed audits on three school districts in the state. The audits uncovered that the districts have neglected to follow some crucial cybersecurity policies, leaving them potentially vulnerable to cyberattacks.

The state performed audits on the Clyde-Savannah Central School District, the Honeoye Falls-Lima Central School District, and the Naples Central School District.

The report for the Clyde-Savannah Central School District found that “Officials did not regularly review network user accounts and permissions to determine whether they were appropriate or needed to be disabled.” It found more than 350 unneeded network user accounts, more than 50 unneeded shared or generic user accounts, and five unneeded administrative user accounts. The report defined unneeded accounts as those that have not been used in at least six months. Additionally, the audit uncovered 224 user accounts belonging to graduated seniors that should have already been disabled or deleted.

The report recommended that the district “regularly review network user accounts and disable those that are unnecessary.”

Cybersecurity

The Honeoye Falls-Lima Central School District report revealed that the district failed to “adopt key information technology (IT) security policies, resulting in increased risk that data, hardware and software may be lost or damaged by inappropriate use or access.” Most notably, it uncovered that many school computers were being used for non-academic activities like online banking, shopping, and gambling, according to New York ABC affiliate WHAM.

It further speculated that users may not have known that visiting these types of websites could have an impact on cybersecurity. According to Jonathan S. Weissman, senior lecturer at the Rochester Institute of Technology, “Humans are the weakest link in any cybersecurity implementation. All it takes is one user to open a link or open an attachment to undermine everything as far as cybersecurity is concerned.”

Finally, the audit for the Naples Central School District similarly found 89 accounts that had not been used for at least six months. Of these, seven had never been used, and 63 more of them were “unneeded,” according to the report. The report explains, “Unneeded network user accounts can be potential entry points for attackers because they are not monitored or used and, if accessed by an attacker, possibly could be used to inappropriately access and view PPSI [personal, private and sensitive information].”

As most K-12 schools around the country continue to operate using virtual and remote learning, proper cybersecurity measures have gained an extra degree of importance.

The state office requested that all three districts adopt and maintain comprehensive IT security procedures, conduct regular reviews of all network user accounts, and delete or disable unnecessary items. The districts agreed and have begun putting measures in place to address the issues.

About the Author

Matt Jones is senior editor of Spaces4Learning. He can be reached at [email protected].

Featured

  • Tennant Company Launches Autonomous Floor Scrubber

    Cleaning equipment and solutions provider Tennant Company recently launched the new X6 ROVR, a mid-sized robotic scrubber designed for large commercial and light-industrial environments, according to a news release. The autonomous machine can clean up to 75,000 square feet peer cycle with minimal needs for manual assistance.

  • modern college building with circuit and brain motifs

    Anthropic Introduces Claude for Education

    Anthropic has launched a version of its Claude AI assistant tailored for higher education institutions. Claude for Education "gives academic institutions secure, reliable AI access for their entire community," the company said, to enable colleges and universities to develop and implement AI-enabled approaches across teaching, learning, and administration.

  • Spaces4Learning Launches 2025 New Product Awards

    Spaces4Learning is now accepting entries for the 2025 New Product Awards! The program’s goal is to honor the outstanding product development achievements of manufacturers and suppliers whose products and services are particularly noteworthy in helping to improve K–12 and Higher Education learning environments.

  • KnowBe4 Releases Report on Education Sector’s Preparedness for Cyberattacks

    Cybersecurity platform KnowBe4 recently released a new research report titled “From Primary Schools to Universities, The Global Education Sector is Unprepared for Escalating Cyber Attacks,” according to a news release.

Digital Edition