Day one on the job and we have a data breach!
Stacia McFadden, chief information officer at The Lovett School in Atlanta shares her unexpected on- the-job training in cyber security.
Well not quite day one, it may have been day three. In late September of 2020, I was appointed chief information officer at The Lovett School in Atlanta, GA. The email announcement was shared on a Friday. Early the next week, our director of information services informed me that the Blackbaud breach we were made aware of during the summer was more serious than initially reported. Personal data such as bank accounts, social security numbers, and birthdays were exposed from records created years before I even considered becoming an educational technology professional.
We had to quickly create an incident response plan. If your school does not have one, I suggest creating one as soon as possible. Gathering colleagues from our business, human resources, development, alumni, and of course, information technology offices, we weighed all options and developed a communication plan to notify those affected by the breach. While Blackbaud was helpful in sharing sample template responses to explain the breach, they were adamant that communications come from the school as we had a relationship with the victims.
In about a month’s time, we contacted over 5,000 people via snail mail and email informing them of the breach. I can never thank everyone enough who contributed to the process. I am hesitant to call it a success, but we did our due diligence to ensure people were notified and could reach a human being if questions remained.
This was my initiation into the importance of cyber security. Greg Hamrick, Lovett’s director of information technology, has worked tirelessly for many years to ensure our students, faculty, staff, and networks are secure. However, this is not an easy task for schools, particularly in the era of COVID when educators have relied on technology more than ever before.
Our small IT department of four (we are actively seeking to fill a full-time help desk position) currently supports around 1,700 laptop computers. Approximately 1,380 are in the hands of students while 320 are in the hands of adults. Additionally, we have around 130 desktops on campus in labs or offices. We are primarily a Mac-based institution.
Even pre-COVID, we were sensitive to the challenge some teachers experience when it comes to technology, yet we had to make a few tough decisions. Based on poor password practices and vulnerability of employees failing phishing tests, the school choose to remove administrative laptop privileges for employees in 2018. This did not land well, particularly for power users and early adopters who were accustomed to the ability to install software at will on their school-issued devices. However, on an already over-taxed team, it was imperative that we did as much as possible to diminish threat and risk. Teachers must now be organized and proactive to have software installed. They first submit an IT work request via email (Solarwinds Service Desk). Then our team deploys software to faculty, staff, and students remotely using JAMF, an enterprise management solution for apple devices.
Greg and I continue to develop our cyber security plans and employ additional security measures, keeping our school, employees, and students safe. We recently purchased KnowBe4 (simulated phishing tests and security awareness training) to assist us in this endeavor. During October, National Cyber Security Month, our continuing challenges were affirmed after initiating a phishing campaign. 17.9% of our colleagues clicked on a link to change their passwords, and 4.9% continued to enter personal data. While these numbers may seem small, they are a huge security risk. Later this year, we will work with our human resources department to develop a plan for implementing required cyber security training for faculty and staff.
Additionally, like many schools, we are moving forward to implement the following policies and procedures:
Finally, I am truly grateful for our cyber insurance provider, Aon. Their partnership has been instrumental as I navigate these waters as a new CIO. We began working on our cyber strategy in April 2021, about seven months after our second Blackbaud incident. Had we been Aon clients during the data breach, my stress level would have been drastically reduced; however, I do not take for granted the learning opportunity the breach afforded me.
Cyber security awareness is necessary and important for all schools. Our forthcoming policies and relationship with Aon not only protect our infrastructure – but they also protect our most valuable asset – our community.