OSWEGO — As incidents of cyber attacks on city and municipal computer systems become more common nationwide, the Oswego City School District is looking at ways to defend itself against such breaches.
In summer 2019, New York officials began implementation of the Stop Hacks and Improve Electronic Security (SHIELD) Act, which set a March 21 deadline for employers to protect employees’ private information when stored on computer systems. For a school system, this applies to student information as well. Oswego City School District Superintendent Dean Goewey told The Palladium-Times recently he believes the school district is already in compliance.
“We’re always looking at ways to enhance the security of our data,” Goewey said.
Goewey said the district has taken steps to limit staff member contact information to those who need it, including taking staff names and emails off the district website, replaced with a link that will send a message to the staff member without giving away any contact information. A paper staff directory with names, phone numbers and emails is now sent directly to parents, rather than being posted online.
Goewey also said the district is looking to add staff to its information technology department with a focus on cyber security and potential attacks.
Over the summer, school districts in both Syracuse and Watertown were hit by computer hacks. The attack on Syracuse schools was a ransomware attack — ransomware is malicious software (“malware”) which blocks access to files unless the user pays a ransom to the hacker.
Often a user inadvertently downloads the virus onto the system. The Syracuse School District resolved the matter through cyber insurance.
Goewey said he looked closely at both of those cases and has discussed them with the eight other district superintendents in Oswego County.
“We talk about that regularly,” Goewey said. “We review our insurance coverage relative to cybersecurity and we’re making some changes in the way we do business in the day-to-day instructional operations.”
One idea for those changes include potentially limiting teacher’s access to certain websites at certain times, such as weekends. This will reduce the chance that a teacher will accidentally download ransomware.
“These ransomware attackers know when your district is vulnerable,” Goewey said. “We’re trying to defuse our vulnerability by taking our stuff offline or locking it up during certain hours when it’s not of critical use.”
Goewey confirmed that a recovery plan does exist in the event that the school district is hit with a ransomware attack, but declined to discuss strategy and tactics citing procedural integrity.