October is National Cybersecurity Awareness Month, a time to reflect on the many things we do as a school District to keep student data safe and protect employees and families from falling victim to phishing and other scams.

On this episode, find out how partnering with parents and the community can make a big difference in defending against cyber-attacks and reducing risks online.

David Bowman:
So these threats look like, yeah, hacker kids in basements all over the world. It looks like cyber criminal gangs. We even have fairly consistent attacks from nation threat actors.

Anthony Godfrey:
Let's talk about the scale of the threat.

David Bowman:
Wow, shock and awe number of about four million a day.

Anthony Godfrey:
Hello and welcome to the Supercast. I'm your host, Superintendent Anthony Godfrey. October is National Cybersecurity Awareness Month, a time to reflect on the many things we do as a school district to keep student data safe and protect employees and families from falling victim to phishing and other scams. On this episode, find out how partnering with parents and the community can make a big difference in defending against cyberattacks and reducing risks online. We're talking today with David Bowman, the Systems and Security Manager for Jordan School District. Thanks for taking some time.

David Bowman:
Yeah, absolutely.

Anthony Godfrey:
We want to talk about all things cybersecurity. First of all, is cyber like an outdated word? Is that like a Ray Bradbury word, or is that the term, cybersecurity?

David Bowman:
You know, the only other way I kind of express it now is the idea of cyberdefense.

Anthony Godfrey:
Cyberdefense, but cyber is right in there.

David Bowman:
Cyber is still the word.

Anthony Godfrey:
Cyber feels like a 50's sci-fi word, so I kind of like it though. It has a little bit of a nostalgic sound to it.

David Bowman:
It's something, it's a word in IT that hasn't changed in 30 years. That's kind of different.

Anthony Godfrey:
Well, let's talk about cybersecurity. Let's talk first about student data. What do we do to protect student data? There are strict laws in place and I know that sometimes we've actually frustrated some folks because we don't give access to certain apps that refuse to follow the rules when it comes to student data privacy. I know we're very serious about that, so let's talk about exactly what we do.

David Bowman:
You know, the biggest piece of what we do that makes it more effective for us to help protect things is it's intentional. Access to student data, what it's being used for, where it's going, we don't give or share that data to anyone without an intentional evaluation of why it's needed, where it's going, and do they need all of the things they're asking for or just some of the things.

Anthony Godfrey:
Yeah, let's make sure that we're only giving what they absolutely need for us to be able to work effectively with them.

David Bowman:
Yeah, so a good example of what that might have looked like in the past is, you know, we have a lot of folks that may offer grants or educational opportunities like a higher ed institution. Traditionally in the past years ago, we just said, "Okay, here's student records about the students participating." Now we've learned from past history of how cybersecurity incidents have taken place, and in working with our partners that want data that they actually just need to know what grade the student is in and a first and last name and that's really all they need to help them get access to that additional resource, so we don't give them all the things.

Anthony Godfrey:
So we're more thoughtful about the information that we give, first of all. I remember buying things with a credit card and the receipt would have your entire credit card number printed out on it, so you had to be careful about throwing away the receipt. When you had an email, you know, you emailed to get your password or to reset your password on a website. They just emailed you your password instead of a link to change it. So I think over the years, the amount of information we share and the way we share it has had to evolve just based on technology and what people can be up to using technology.

David Bowman:
Well, and not only that, but we have learned that as an institution with data or whatever that is, the pushback that we provide to vendor partners or other businesses on, “Listen, we don't want you to do that with our data.,” or, “No, you can't have that type of data,” that actually is what effectuates the greatest amount of change because a lot of folks won't just stop collecting data on their own. So even here at Jordan, there's a what we call a metadata dictionary that has a list of every piece of identifying information that's collected about students that are in our systems. They're indexed on the website publicly of what pieces of data are provided to what vendors or different things along those lines. Now part of that is driven by the fact that state law made that necessary, but the good news for us is that wasn't really a new process for us. So the types of things we do now are not only anytime something new is coming in we have that evaluation. But because we've done that for a long time, most of the tools that we already have in place are being effectively audited for that. So we even have internally at the District. We have a data privacy committee, so anytime a new piece of software or tools that are being used in the District come up, they have to be reviewed by the committee. So we have a data privacy officer and a data security officer and we have a data learning officer to kind of help us evaluate . . .

Anthony Godfrey:
The DLO. Yes of course.

David Bowman:
And to help us evaluate what all of those things look like.

Anthony Godfrey:
Sure well, I appreciate the efforts that everyone makes to be sure that we keep that student data protected. Let's talk about the scale of the threat of the attacks that we have on our system every day. You are an expert that's recognized throughout the state. You were presenting to the group of superintendents from throughout the state and you asked them to estimate in Jordan School District how many attacks do they think we have per day. The numbers they guessed were woefully low; they were way off. Talk about the number of attacks we have in any given day.

David Bowman:
The wow shock and awe number is about four million a day.

Anthony Godfrey:
Yeah.

David Bowman:
So when that number comes up people go, “What? Four million a day? Like, what does that look like and what does that mean?”

Anthony Godfrey:
Yeah.

David Bowman:
That really kind of helps people understand the scope of why it takes so much for us to protect that data that we're such critical stewards over. So these threats look like, yeah, hacker kids in basements all over the world. It looks like cyber criminal gangs. We even have fairly consistent attacks from nation threat actors. These things have been constantly focused at us, at school districts. Now one of the things that, because then the follow-up question is, “Well, why a school district?”

Anthony Godfrey:
Right.

David Bowman:
What is it you know they want to have, they want to change in credit cards they don't . . .

Anthony Godfrey:
Right, you want to change in eighth grader’s English grade, you know that's not . . .

David Bowman:
Well, and you know what. In my ten years as a security person in education, I've never caught a kid trying to change their grade. Now when I was in school and the hacking movies all showed kids wanting to change their grades and that's why they would be hacked.

Anthony Godfrey:
Well, when I wanted to change my grade, I just drew another leg on the F to make it into an A. That's all you did, you know.

David Bowman:
You know I wouldn't want to inadvertently disclose any private identifiable information so we maybe don't want to talk about your specific grade transcripts. But ultimately that's the biggest piece where it used to be we fought against people that had some experience or were after some individual change. Now what we fight is large groups trying to get it all at once.

Anthony Godfrey:
Get access to the system as a whole.

David Bowman:
Yeah, they want the whole thing and they want all of those records that we have, in particularly the records about our students. The fresher the data is or the least likely it is to be monitored, the more value it has. So an individual student record on, you know, the dark sides of the internet might be worth six dollars. Me, as a public school employee, is maybe worth a dollar. It's just the scale of what the value is is significantly different.

Anthony Godfrey:
Now how do we know that people have not had access to the information that we have as a district?

David Bowman:
No tool is perfect, so to say it absolutely has never happened would not be something I want you to record me saying. But we have multiple controls in place on all of the data, in particular the large repositories of data, to alert us when something shares more data than it should. So we have a monitoring tool in our Google Space is an example where, if someone were to share personally identifiable information, it actually pops up to the user and says, “Hey this is personally identifiable information. Are you sure this should be shared externally?”

Anthony Godfrey:
I think you've walked down to talk with me when I just downloaded a large file, and you know, asked me what was up and why so much was being downloaded at the same time. So I feel very confident in the tools that we have in place, just alerting us, one of those tools being you watching alerts.

David Bowman:
Well, and I would tell you the biggest piece that we have, too, that really makes a significant difference is the role that our parents and our teachers spend in this room. So yeah, we have folks that have access to lots of things and the more access you have to things, the more you get to spend time with the hacker on staff at Jordan District and get little lectures about what's going on on your computer or data.

Anthony Godfrey:
Yeah, that hacker being you, of course.

David Bowman:
I have no idea what you're talking about.

Anthony Godfrey:
Yes that's right.

David Bowman:
You know the . . .  but even coming down to our students and our cybersecurity programs at the JATC. Like we are helping to teach our students those skills and that translates out into them helping mention to their teachers like, “Hey, is that a particularly secure idea?” Lots of times when we identify challenges or things going on, our parents are our biggest resource because they can have a conversation with their kiddo about, “Hey, what did you see about this?” or “Why are they asking this information?” But for us, one of the things we've really tried to do in Jordan is not take a punitive approach to students that are expressing a significant curiosity and the functionality of security and systems. So instead of saying, “Okay, we're expelling you because you tried to hack something.” Instead, we're able to reframe that and try to understand what were you curious about that you were trying to achieve. A couple of years ago, we had and this was the youngest kid I've ever seen it seen do it, but we had a fourth-grade student who was messing around on his Chromebook trying to play a game and he was attempting to play a game and got it to work. The teacher calls us just all flabbergasted about, like, “He's in fourth grade. What's he doing? What's going on?” We got a chance with the principal and the teacher and his parents to sit down and talk to him and he had expressed some real interest in trying to code something. You know a lot of our advanced classes around that nature aren't set up in the elementary school realm. But we talked with this student and he talked with his teacher and identified one of the things that his teacher has to do every day is send a report to the cafeteria of who needs hot lunch or cold lunch.

Anthony Godfrey:
Yeah.

David Bowman:
And so the student said, “Well, could I program something that could just send an automated email to the cafeteria to give them the lunch count?” So the teacher and the parents all worked together. We provided a controlled resource to the student and then he built the system that the whole school started using to help them send the lunch count to the cafeteria, so they knew what they needed. That's that type of intentional curiosity. We find that when we hone that and encourage that it's infinitely better for our student growth but then that carries on to our staff and to our students' homes. Ultimately, we have security folks in the District but there's 57,000 students and 7,500 staff, and almost a hundred thousand computers connected to all of the things, and we only succeed at it when we do it as a group.

Anthony Godfrey:
Yeah. I can see that it takes everybody working together. So what are some of the things that we do to defend the District's system?

David Bowman:
One of the biggest things that we do is about having protection at every layer possible. So whether it be a Chromebook or a computer or a camera or a badge reader that is used to enter and exit the building, every one of those things we have different types of security software and controls for. The biggest way you look at this is what the principle in the security world we call it ‘defense in depth.’ The idea is there's not just one magic bullet, there's not two, there's not three. There's as many as we can put into place because if one gets broken, then we have another one, and when we look at those layers, we're always looking to bolster those up where they're the most significant. If you think about that, that number we were talking about earlier, about this idea of four million attempts a day, the attackers only have to be right once in four million. We have to be right every single time, and because of that, we spend a lot of . . . a little bit of losing sleep about it. Part of that is because of the stewardship focus of it as IT professionals in a school district. We have our kids that go to the school district. We feel that same way about our data. We have the general public who looks to us from a leadership perspective. I have aging parents and grandparents, and they're calling me and saying, “Hey, like what am I supposed to do about this cybersecurity thing?”

Anthony Godfrey:
So all of those layers are important. All of the people in place are important. It's obvious that you take it very, very seriously. Stay with us when we come back more with cybersecurity expert David Bowman.

Male Voice:
Never miss an episode of the Supercast by liking and subscribing on your favorite podcasting platform. Find transcripts for this episode and others at supercast.jordandistrict.org.

Female Voice:
Does your child need the flexibility to learn from anywhere, at any time, on a cruise, in another country, or simply at home, cozy on the couch? The Jordan Virtual Learning Academy is tailor-made for you and your family. It's personalized, dynamic virtual learning on your schedule. The Jordan Virtual Learning Academy is an integrated system of three schools in Jordan School District: Rocky Peak Virtual Elementary School, Kelsey Peak Virtual Middle School, and Kings Peak High School. Our programs are designed to meet or exceed District and state core curriculum standards, ensuring your child receives a superior educational experience tailored to their needs. Join us today at jordanvirtual.org.

Anthony Godfrey:
You've talked about a culture of cybersecurity and cyber awareness, making sure that we're all very tuned in to what could go wrong and how we need to protect ourselves, and it's interesting the number of ways that people who may wish us harm or want to get information from us might try to make their way in. So tell us about some of the things that you have done to train folks to really be aware and pause and think things through. Because what I feel like is that we're on the, you know, we're online and things move fast online, and sometimes where I'm going through email, I'm going through text messages, I'm trying to do that quickly, and it can be easy to click on something that we shouldn't. So talk to me about awareness and preparing people to avoid those pitfalls.

David Bowman:
Yeah, you know you actually just used a good example word when you talked about ‘fast.’ One of the most common things that happens is we are in a hurry to do all the things that we're doing, and when we're fast or not fully thinking about it as we're going through it, that's one of the ways to easily get tripped up. So one of the phrases we try to help people remember is the idea of ‘think before you click.’

Anthony Godfrey:
Yeah.

David Bowman:
The other thing is, then I get a lot of emails like, “Hey I think I clicked a thing, I'm not sure,” and then people feel this reluctance to be like “I clicked the thing” as if somehow they did something wrong.

Anthony Godfrey:
I bother you before I click ‘the thing.’ I will email you at all hours and say, “Can you open this in your sandbox and tell me whether this is real or fake?”

David Bowman:
Even to that statement, you would think that me, as a very specifically focused cybersecurity professional, would feel comfortable saying “Hey, I don't click on the wrong stuff.” Well, guess what? I have news for you. I do. There are no things that are always foolproof.

Anthony Godfrey:
Yeah.

David Bowman:
Things become more and more sophisticated. So what the advice we give people is really about what you do after you click something that made you go, “Okay, something felt weird here.”

Anthony Godfrey:
Yeah, I guess if you're deleting something, you can delete quickly, but if you're clicking on something, you want to pause and think it through. For those who are listening and thinking, “Okay, what should I be doing differently at home? What can I do to partner with the District to make sure that data is secure or just when family members or I am online? What are some tips for me to be sure that my information is safe?”

David Bowman:
I used to use this phrase called ‘be politely paranoid.’ The cyber threats in the world have made it now so polite is not the way to do it. Just be paranoid. The good news is if it's something that really does need your attention, they're not just gonna text you or just call you or just email you. So just because it feels like urgent in the moment, and that's the one like, “Oh no, I have to respond to this because this is super important.” If it's really super important, it's not gonna be the only way you see that contact. There's two major technology principles that we've implemented within the District, but are super important for everyone. The biggest thing is using multiple methods of verifying something. So this is called 2FA or MFA. Or you're trying to log into your bank and they're like, “Okay, we're gonna text you a security code.”

Anthony Godfrey:
Yeah.

David Bowman:
The reason for that is it's extremely easy to get portions of data based on what we have online and the more methods that are involved in doing verification make you more safe.

Anthony Godfrey:
I do want to say, I know you won't say this yourself, but I really appreciate the level of expertise that you bring personally to this. I know that when other districts or organizations have issues, you're someone that they call for additional help. You are heavily involved with a committee at the state level to try to get support from the legislature to fund additional supports because not all districts have the infrastructure that we do to provide the layers of protection that we do. I also want to shout out the Information System staff and really every staff member in the District that helps, you know, do their part to make sure that we stay safe in Jordan. David, thank you very much for taking the time to talk with me and for all the hard work that you and others in the Information Systems department do to keep us safe.

David Bowman:
Thanks.

Anthony Godfrey:
Thanks for joining us on another episode of the Supercast. Remember, “Education is the most important thing you will do today!” We'll see you out there.