Cybersecurity

Audits Reveal Cybersecurity Weaknesses in New York School Districts

• By Matt Jones
• 02/25/21

The Office of the New York State Comptroller has completed audits on three school districts in the state. The audits uncovered that the districts have neglected to follow some crucial cybersecurity policies, leaving them potentially vulnerable to cyberattacks.

The state performed audits on the Clyde-Savannah Central School District, the Honeoye Falls-Lima Central School District, and the Naples Central School District.

The report for the Clyde-Savannah Central School District found that “Officials did not regularly review network user accounts and permissions to determine whether they were appropriate or needed to be disabled.” It found more than 350 unneeded network user accounts, more than 50 unneeded shared or generic user accounts, and five unneeded administrative user accounts. The report defined unneeded accounts as those that have not been used in at least six months. Additionally, the audit uncovered 224 user accounts belonging to graduated seniors that should have already been disabled or deleted.

The report recommended that the district “regularly review network user accounts and disable those that are unnecessary.”

The Honeoye Falls-Lima Central School District report revealed that the district failed to “adopt key information technology (IT) security policies, resulting in increased risk that data, hardware and software may be lost or damaged by inappropriate use or access.” Most notably, it uncovered that many school computers were being used for non-academic activities like online banking, shopping, and gambling, according to New York ABC affiliate WHAM.

It further speculated that users may not have known that visiting these types of websites could have an impact on cybersecurity. According to Jonathan S. Weissman, senior lecturer at the Rochester Institute of Technology, “Humans are the weakest link in any cybersecurity implementation. All it takes is one user to open a link or open an attachment to undermine everything as far as cybersecurity is concerned.”

Finally, the audit for the Naples Central School District similarly found 89 accounts that had not been used for at least six months. Of these, seven had never been used, and 63 more of them were “unneeded,” according to the report. The report explains, “Unneeded network user accounts can be potential entry points for attackers because they are not monitored or used and, if accessed by an attacker, possibly could be used to inappropriately access and view PPSI [personal, private and sensitive information].”

As most K-12 schools around the country continue to operate using virtual and remote learning, proper cybersecurity measures have gained an extra degree of importance.

The state office requested that all three districts adopt and maintain comprehensive IT security procedures, conduct regular reviews of all network user accounts, and delete or disable unnecessary items. The districts agreed and have begun putting measures in place to address the issues.