Schools concerned about cybersecurity, PA survey finds |

Schools concerned about cybersecurity, PA survey finds

A majority of Pennsylvania school districts are concerned about cybersecurity but say they don't have enough resources to prepare for potential breaches, concluded a statewide survey released Thursday by state Auditor General Eugene DePasquale.

“While a lot of attention, rightly so, is being put on the data breach at Equifax, we cannot ignore the cybersecurity needs of our school districts and local government offices,” DePasquale said in a statement.

Western Pennsylvania school districts have been preparing for possible cybersecurity attacks with backup networks, cyber liability insurance packages and making sure they are up-to-date on security software.

October is National Cybersecurity Awareness Month.

“The concern grows more deeply ever year,” said Scott Gutowski, information and technology officer for Pittsburgh Public Schools, who oversees more than 28,000 students in 65 schools. “It is something that we constantly have to evaluate.”

DePasquale's office conducted the anonymous survey over three weeks in August and September. It received 954 responses from 177 school officials and 777 municipal officials.

More than two-thirds of respondents said they do not employ or consult a cybersecurity professional.

Of 113 school districts represented, 87 percent said they were concerned about cybersecurity, 87 percent said they expect cybersecurity risks to increase and 81 percent said they needed more resources to combat cybersecurity challenges.

DePasquale said the findings should be a “wake-up call.” He called for increased state aid, including funding, a resource center and a state agency assigned to assist during emergencies.

Potential breaches could affect everything from internal personnel data, such as Social Security numbers and tax information, to student records, including grades and special-needs education plans.

“It is a huge priority,” said Jon Amelio, chief technology officer for Allegheny Intermediate Unit, which provides support to 42 school districts countywide (not including Pittsburgh Public). “There's a lot at risk at the district levels.”

Several districts in Western Pennsylvania were affected by a data breach in 2016 when a Franklin Regional student launched a series of cyber attacks against more than a dozen school districts, the Catholic diocese and Westmoreland County government.

Brandon Wagner, director of technology at Hempfield Area School District, said the attack prompted his district to set up a secondary network as a backup in case the first goes down. The district also has a more robust antivirus system and is improving processes for backing up data.

“We're constantly making changes, constantly making improvements,” he said. “We have to.”

Chris Suppo, coordinator of technology with Greensburg Salem School District, said last year's student hack didn't have negative effects on them and has not led to any changes in the district's cybersecurity practices.

The district takes standard precautions to protect its computer systems by regularly updating its computers' operating systems, installing antivirus software and keeping staff computers on a separate network from those used by students.

Beyond that, Greensburg Salem regularly informs employees about potential cyber threats such as phishing and ransomware attacks.

“A lot of it is really educating users,” Suppo said. “They're the first and best line of defense.”

Pittsburgh Public urges employees and students to be good “digital citizens.” The district strives to explain the significance of digital footprints and share tips for protecting personal information, including refraining from sharing logins and passwords with friends.

Freeport Area School District added a cyber liability policy to its insurance coverage this year, said Business Manager Ryan Manzer. The district has been targeted in cybersecurity attacks but not impacted by one yet.

“If we did have a breach, we know that the policies and procedures as far as protecting employee data and helping our employees through that recovery process,” he said.

Manzer said Freeport Area would be happy to partner with local universities to help prevent cybersecurity breaches.

“We're certainly always open to those partnerships,” he said.

Staff writer Jamie Martines contributed. Emily Balser and Natasha Lindstrom are Tribune-Review staff writers. Reach Balser at 724-226-4680, [email protected] or on Twitter @emilybalser. Reach Lindstrom at 412-380-8514, [email protected] or on Twitter @NewsNatasha.

TribLIVE commenting policy

You are solely responsible for your comments and by using you agree to our Terms of Service.

We moderate comments. Our goal is to provide substantive commentary for a general readership. By screening submissions, we provide a space where readers can share intelligent and informed commentary that enhances the quality of our news and information.

While most comments will be posted if they are on-topic and not abusive, moderating decisions are subjective. We will make them as carefully and consistently as we can. Because of the volume of reader comments, we cannot review individual moderation decisions with readers.

We value thoughtful comments representing a range of views that make their point quickly and politely. We make an effort to protect discussions from repeated comments either by the same reader or different readers

We follow the same standards for taste as the daily newspaper. A few things we won't tolerate: personal attacks, obscenity, vulgarity, profanity (including expletives and letters followed by dashes), commercial promotion, impersonations, incoherence, proselytizing and SHOUTING. Don't include URLs to Web sites.

We do not edit comments. They are either approved or deleted. We reserve the right to edit a comment that is quoted or excerpted in an article. In this case, we may fix spelling and punctuation.

We welcome strong opinions and criticism of our work, but we don't want comments to become bogged down with discussions of our policies and we will moderate accordingly.

We appreciate it when readers and people quoted in articles or blog posts point out errors of fact or emphasis and will investigate all assertions. But these suggestions should be sent via e-mail. To avoid distracting other readers, we won't publish comments that suggest a correction. Instead, corrections will be made in a blog post or in an article.