Everyone can agree it’s critical for school bus operations to develop, test, and repeatedly practice vehicle evacuation plans. But how seriously do fleet managers take threats posed by cybervillains?
- Only 24% of organizations invest in cyberattack detection and prevention.
- 56% don’t have a cyberincident plan.
- Of the 32% with a plan, 44% aren’t confident in the plan’s effectiveness.
- By 2025, she said, it’s expected that cybersecurity spending will reach $1.75 trillion and that damages from cyberattacks could top $10.5 trillion.
Investing in classrooms and transportation fleet operations is important, she said, but so is making a serious investment in defending sensitive data about students and contractor payrolls.
“This is a real thing and it’s important to start paying attention,” Martin said. “If you own and operate a business, you need to stay on top of these things.”
Targets and Takeaways
Targeted data might include:
- Student routing information.
- Accounting and payroll.
- Operations software.
- Maintenance software.
Dan Kobussen, president-elect of NSTA and owner of Kobussen Buses in Wisconsin, shared his company’s experience with cyber criminals. A staffer opened an email attachment that compromised their mailbox and led to repeated attempts to break into the company’s data.
What improvements did Kobussen implement?
- Added two-factor authentication.
- Cleaned up unnecessary past student or employee files.
- Reviewed privacy laws.
- Moved as much data as possible off local servers to the cloud.
“Limit access to local servers,” Kobussen said. “They’re the weakest link. Like shooting fish in a barrel. The easiest thing to break. In the cloud, it’s more secure. Not perfect, nothing’s perfect, but a little more secure than having the server yourself.”
Sam Hamilton, a cybersecurity specialist with Tyler Technologies, explained that it’s vital for operations to develop and practice plans for protecting against and, if necessary, recovering from cyberattacks and data breaches.
Types of attacks include:
- Data breach.
- Distributed denial-of-service (DDoS).
Ransomware is particularly malicious in the K-12 education space, Hamilton said, because it can lead to data breaches where the criminals try to extort money while threatening to release student information to the public.
“It’s really complicated because you may be looking to get out in the easiest way, but you don’t have the power once they have that lever,” he said.
And there’s certainly no incentive for them to stop making threats and demanding money in the future if they get a ransom the first time.
Prevent, Protect, Prepare
GP Singh, founder and CEO of ByteCurve, urged webinar participants not to be overwhelmed or scared by the thought of cybersecurity planning.
“There are some simple and specific steps that can be taken as early as tomorrow,” he said.
- Think before you click email links or open attachments.
- Keep computer systems patched and antivirus software updated.
- Have a strong password policy, with mandatory resets every 90-180 days.
- Control access and perform regular audits, eliminating accounts for ex-employees.
- Use firewalls.
- Forbid unauthorized application downloads and installations.
- Back up data, because it’s not a matter of if a company may be attacked, it’s a matter of when.
Singh also recommended penetration testing – enlisting experienced hackers to test your security and recommend fixes. Then the company should formulate and regularly update a cyber breach recovery plan covering how to communicate with employees, customers, and external agencies, and how to keep the business going if payroll or routing systems are down.
“Having to think about that and document that can go a long way,” he said.
Martin, a former bus driver herself, expressed confidence in school bus contractors when it comes to such planning, given their responsibilities for managing routes, keeping children safe, and handling maintenance.
“What better people to be prepared?” she said.