Cybertraps Podcast

This episode is a part of a special series of interviews conducted at the INCH360 Cybersecurity Conference in Spokane, Washington. Visit their website to learn more about INCH360 and their mission.

In this episode, host Jethro Jones interviews Tracey Edou from Cascade School District. They discuss a cybersecurity breach in Tracey's school district and the lessons learned from the experience. The conversation covers steps taken to enhance security, including the use of wet signatures for direct deposit changes, the importance of staff education, and fostering a culture where it's safe to report suspicious activities. Jethro and Tracey also highlight the importance of clear communication between technical and non-technical staff and the value of proactive measures like tabletop exercises.

We’re thrilled to be sponsored by IXL. 

IXL’s comprehensive teaching and learning platform for math, language arts, science, and social studies is accelerating achievement in 95 of the top 100 U.S. school districts. Loved by teachers and backed by independent research from Johns Hopkins University, IXL can help you do the following and more:
  • Simplify and streamline technology
  • Save teachers’ time
  • Reliably meet Tier 1 standards
  • Improve student performance on state assessments
🚀 Ready to see why leading districts trust IXL for their educational needs? Visit IXL.com/BE today to learn more about how IXL can elevate your school or district.

Creators & Guests

Guest
INCH360
A regional industry group focused on connecting cybersecurity and compliance professionals of all levels. The group will promote education, collaboration, and communication about resources, regional companies, and jobs.

What is Cybertraps Podcast?

We explore the risks arising from the use and misuse of digital devices and electronic communication tools. We interview experts in the fields of cybersafety, cybersecurity, privacy, parenting, and technology and share the wisdom of these experts with you!

[00:00:00] Welcome to the cyber traps podcast. I am Jethro Jones. Your host. You can find me on all the social networks at Jethro Jones. The cyber chaps podcast is a proud member. Of the be podcast network. You can see all of our shows at two B podcast. dot network. And today on the show we have. A special interview from the inch 360 conference.

That's the inland Northwest cybersecurity hub. They put on a conference each year and I have the great fortune of being able to go. Go to that conference. And interview a bunch of people. So that's what you're going to hear on this episode. I hope you enjoy it. And if you want. To learn more about inch 360, go to inch 360 dot O R G.

Thank you for being part of, uh, the Cybertraps podcast. We are here in, the beautiful Gonzaga campus in Spokane at the Inch360 Cybersecurity Conference. And you're a panelist today talking about a breach that happened. One of the [00:01:00] most popular sessions at this conference is what I learned from a breach, and it was a great session last year.

And so we were really excited to bring that back again this year. can you just give us a little overview of what happened with the breach, what's public, and what is allowed to be said, and all that kind of stuff?

Basically, our school district, we're a small school district in the mountains of North Central Washington.

And last winter, we had a substitute payroll officer who basically fell victim to a phishing attempt in which A current employee was spoofed. So she thought that she had received a request to change direct deposit information from an actual legitimate employee because it came from the actual legitimate employee's email address.

And then she went ahead and changed the direct deposit information. Well, it turned out that it was fraudulent. And so it did cause a breach in that [00:02:00] person's. paycheck went to some cyber thief somewhere.

And that is a very scary thing for anybody. Money is one of the things that when we're working that is like, is always a point of contention if things aren't deposited right or on time or any of that kind of stuff.

And so that can be really scary. How did you find out about it, and how did you respond, and what practices or solutions have you put in place since then?

Honestly, we found out about it when the employee didn't get paid. So the employee's like, where's my pay? And we're like, where is your pay? So we had to look into that and figure out what happened, and then we realized, oh my gosh.

Our payroll substitute was phished. So did you ask me what we did in response? So one of the first things that we did was say, we will not change any direct deposit information without a wet signature. So now somebody has to make a [00:03:00] physical request on a piece of paper. And I think that's one thing that we've learned, right?

Is it's so nice to have electronic transactions, There's nothing like pen and paper, to make sure that we're not you know, we're not falling prey to cyber attacks.

And so, I'm sure that there's also been some education to do with the staff, and what does, what does that look like, and what kinds of things are you doing there?

Well, there's a variety of things. I mean, there's different trainings that we can do, and also just, Somebody today was talking about micro trainings. So now when we have phishing emails come through or spoofing emails, or the term I learned today which is whaling, which is pretending to be me or pretending to be a principal.

When those come through, we're telling somebody. They staff what they are and that they're fake. And that and staff are learning to be more skeptical about the things that they're getting on email, even if it's coming from their principal or from [00:04:00] me. So that's a piece of the education. Another piece that I feel like I really had to learn was, That we need to, to put a lot more protections in place.

I think when you're a non-IT person, it's really easy just to think that it is in the hands of the IT department, and I think I've had to learn to be a lot more hands-on about. our cybersecurity maturity and how we can continue to grow in protecting our network and our system and our data and everything about our technology.

And there's a lot that we need to continue to do, but I feel like we've made a lot of strides since that breach occurred.

one of the things that people struggle with as it relates to technology and security is that it's an unknown world for non technical people. How do you make sure that the technical people are able to explain the [00:05:00] priorities and the things that need to happen to non technical people in a way that they understand the severity of it and then can actually do something with that information?

So, for us in Cascade School District, we work with our ESC, our Educational Service District, and their IT department. And they, you know, give us different pieces of advice about how to improve cyber security. So, a piece of it is just having those meetings and, having opportunities to talk. And then the piece of it that I've really, one of the things that I had to grapple with is just not being afraid to ask what that means.

Because a lot of times the technical language doesn't make sense if you don't have that background. So there's a lot of acronyms and a lot of, like, rather than saying multi factor authentication, they'll say MFA. you know, different things like that. I don't even think they realize they're doing it.

But when you're not from that field. It's hard to know what they're actually asking you to do. So [00:06:00] I think it's important for us to kind of get over our own fear of looking dumb and just ask. We just have to ask a lot of questions until we understand the answer. and then if we have to ask a follow up question again a week later, then we have to just keep asking.

Because I think there's a really important partnership between the non technical people and the technical people. I think it takes both sides in order to be more protective of, a school district's technology profile.

and we do the same thing in education when we say IEP instead of an individualized education program for students with disabilities.

And It's easy to use shorthand and jargon when you're so familiar with the topic and it's challenging To explain all of that all the time, but it's worth it to do that You know especially when it comes to Families who are new to a student with a disability and don't know how to navigate that world There are so many ways that you can make it easier for them by [00:07:00] explaining all the processes how they work things that are second nature to you that they that they don't totally understand.

the other question I want to ask was about your, how do you make it so that teachers don't feel dumb asking those questions and don't feel like they're somehow less than because they don't know all the security stuff? How do you create that culture of it's okay to ask questions about these things?

Well, it's interesting because that came up today at the conference about creating the culture and making sure that people don't feel dumb. I feel like in our district, we're really encouraging people to report suspicious activity, maybe because of the breach. but I was kind of surprised about that concept, honestly, because I feel like people have to forward the email that they think is bad, or, or question the link, or question the spoof, or question anything.

And then if they say, oh hey, this is legit, [00:08:00] great. But I haven't really seen our ESD, I haven't seen them being critical or calling people names or anything like that. So I, I do feel like it's okay for people to report in our school district, at least I hope so.

Well, and that, that becomes a, cultural piece as well that, They, they may not need to call names or, or do that, but they may make them feel that way.

And this is, something that IT professionals have been accused of for years, that they're not people, people, or they're not, good with communicating and, and they're too in their heads or whatever. Those are things that have been out there for a long time. And it just doesn't have to be that way.

What I envision is this This celebration, whenever somebody notices a spoofed email or a phishing email or an attempt or something like that, I find that to be a much better way to say, Hey, we can celebrate when this stuff happens, and that we caught it, rather than feeling ashamed or embarrassed that we got caught by it.[00:09:00]

And my experience has been that most of the time, if a teacher were to click a link, they just wouldn't say anything at all. Because they don't want to be made to feel dumb, even if somebody's not saying something specific. Any comments or thoughts on that?

I just think that's a fair point, and I think the communication challenge goes beyond making people feel dumb.

I was also thinking a lot today because there was someone from the FBI who was talking about threats. And we have these drills we do every month for preparing in the case of an active shooter or in the case of an emergency where we would need to, keep kids safe. But we don't really have such a process for cyber threats.

And so I think a piece of the communication is also that proactivity. And Having the IT professionals who know what could happen to actually say let's practice just in case. The tabletop exercise, the things like that. I [00:10:00] think a lot of the communication could be more proactive instead of just in response to something that happened, but also maybe anticipating the potential of something happening.

That would be something I would hope that IT professionals would think about because honestly they are privy to a lot of information that the non Technical people might not even be aware of or they might get to kind of come to a conference like this and hear the FBI Talk and it's a room mostly full of IT professionals And this is the first conference I've ever been at with a special agent from the FBI.

so when they're hearing these things from the people who know, I would love it if they would take it back to us and help us understand the risks, the threats, and what we need to do in response, before it's a problem.

Well, and that idea of doing tabletop exercises and, and walking through what would happen if this happened, there's something to the idea of.

of a fire drill that [00:11:00] is beneficial and it's not necessarily the act of doing it. It's about thinking ahead and, and having a plan in place when something happens. That it's not the process of going through it, it's a, it's the work that goes in ahead of time of saying, who are we going to tell about this?

Which of our students, are going to be really bothered when the fire alarm goes off? And we need to make sure that they know beforehand. How are we going to make it so that this is an orderly process and not something that is just everybody running out? and how do we take that type of training to other things in the school?

And I think that that's a really, insightful thing to be thinking about. And what could that look like that, that would work in a, in a cybersecurity threat? What would it look like in a, an active shooter situation? What would it look like in a? Fire situation. What would it look like in a power outage situation and all these different ways that you could do that Without having to take away tons of instructional time, right?

You don't want to have a different [00:12:00] drill every single day Any thoughts on that?

No, I agree with you and I think I also am thinking about, like, let's say I receive a threat, a physical threat, where I hear that a child might have a weapon or something coming to school. One of the first people I'm going to call is my school resource officer, my SRO, and go, hey, what are your thoughts?

I want that partnership with the SRO and with the Sheriff's Department so that I have help and their expertise. So I might be doing the drills and I might be thinking ahead, but I'll also be relying on the experts. So on the technology side, we need to be thinking ahead and we need to have a plan and we need to practice, but we also need that partnership where when the crunch time happens, we can talk to each other.

And we can understand each other, and the IT department knows their role, I know my role. And I don't think that we do as good of a job at practicing, for cyber threats as we do for potential [00:13:00] physical threats or weather related events.

I think you're absolutely right. Well, this was a insightful conversation.

I'm excited for your panel today, and thank you for being willing to come and speak to us and, and share your story, and especially to share it here on the Cybertraps podcast. Thank you, Tracy. And if anybody wants to reach out to you, uh, what's the best way to do that?

the best way to reach out to me is at my Cascade School District email address, which you can find on our website at cascadesd.

org. And thanks for inviting me.