Scrolling through the staff directory on a Campbell County school’s website allows people to see teachers’ and staff members’ names and titles, but as of early November they no longer have ready access to email addresses.
As a way to better improve cybersecurity, the division decided to take all teacher and staff email addresses off school websites. Campbell County Public Schools is the only division in the Lynchburg area that doesn’t provide staff and teacher emails on schools’ websites.
Director of Instructional Technology Mark Slusher said cybersecurity experts at a variety of seminars he and other division staff members have attended recommended the removal of email addresses.
“It opens a door for anybody to send an email to a person with illicit links in an email, and that’s how the school network can be hacked. Instead of advertising it to the world, we made the decision to protect our teachers, protect our data and remove those emails and replace them with nondescript emails like firstname.lastname@example.org,” Slusher said.
According to Slusher, the move is not in response to any attack on the division.
“We were being proactive per our research and the aspect of keeping up with the industry recommendations. We were beginning to have many of our employees’ emails subjected to many diverse phishing scams, however. We educate our employees as best as possible about email scams,” Slusher said.
The nondescript emails are checked by multiple people, and the response time is typically “anywhere from within an hour to the next day” depending on the “nature of the email from the sender,” Slusher said. He said the division finds people usually call the school or administration for information.
Although the public no longer can access teacher and staff emails, parents still can contact anyone by calling the schools or contacting teachers through the Parent Portal, a secure web-based application that allows parents to view their child’s attendance, lunch account, class schedule, grades and more.
Joe Goldman, supervisor of technology for Amherst County Public Schools, said he doesn’t know if the division has had a conversation specifically about removing emails from websites but “what we talk about a lot is we are public figures and government employees, and we need to not hide information like email addresses and our names.”
“We do care about security, but we also want our parents to be able to email us, so there’s been no real discussion about that,” Goldman said.
With many school divisions not having an Information Technology department with the expertise, equipment or funding to provide top-of-the-line security, Susan Sons, the chief security analyst at Indiana University’s Center for Applied Cybersecurity Research, said she can understand why some school divisions might conclude taking emails off public sites might be safer, but she doesn’t think it’s as effective as other security measures.
“I think that some schools say, ‘we don’t know how to figure this out,’ so they say if teachers get less emails there’s less of a chance there will be a phishing attack,” Sons said.
At some point, Sons said people are able to guess a person’s email address or teachers are going to give their emails to parents.
Sons said phishing, the practice of sending emails that look like a legitimate request but actually leads someone to log into a non-legitimate site with their personal information that then becomes accessible to the scammer, is the leading cause of cyberattacks.
Because contact lists are an easier source for someone to obtain, Sons said there are other controls that can be effective such as having a good filter at the email server or rejecting emails that have the same domain name but don’t come from the server itself.
IT directors, supervisors and systems engineers from Lynchburg City Schools and school divisions in the counties of Amherst, Appomattox, Bedford and Nelson all said their school divisions have not considered taking teacher and staff emails off their schools’ websites.
Slusher said improving Campbell County’s cybersecurity has been an ongoing process since he became the director of instructional technology four years ago.
“My number one job is to protect the student data, and my second job is to protect my network from the ability of someone being able to access that data in a negative fashion,” Slusher said. “We’re a small staff. We’re doing everything we can to protect our teachers’, staff and students’ data. Other large companies that have large teams are increasing cybersecurity. It’s a growing concern nationwide at all industry levels.”
Slusher said the trend for hackers has switched from attacking big companies to focusing on smaller companies and organizations such as schools.
All Lynchburg-area school divisions use firewalls and different types of software or processes to prevent cyberattacks or hackers from obtaining any information.
“Security is not a destination. You never get secure. … You hope you’re using best practices and most secure configurations. We secure our devices through various means like antivirus or antimalware clients,” Goldman, with Amherst County, said.
All school divisions also educate teachers and staff about possible phishing attacks and how to identify them, such as emails coming from an unfamiliar IP address or asking a person to go to a website and provide login information.
Lynchburg City Schools Director of Information Technology Amy Pugh said as a public institution, LCS provides “internal access to devices and resources” for groups such as staff, students and parents, and “the network is configured to prevent unauthorized access to systems and data from inside the network.”
At Appomattox County Public Schools, Brette Arbogast, the director of technology and Career and Technical Education, said the division hosts its own email, which allows for a little better protection because it gives the division complete control over the server.
Barry Sexton, a systems engineer at Bedford County Public Schools, said the division has a traditional firewall and a secure gateway appliance that provides internet protection, malware detection and sandboxing, which isolates applications from important system resources and other programs.
In Nelson County Public Schools, Director of Technology Joe Dan Johnson said the division has moved to the Cloud for most information and data and emails are filtered with live monitors. Also, when students take their Chromebooks home, there’s a small application on it that can’t be disabled that routes students back to the division’s network so everything can be filtered the same way at home as it is at school.
Johnson said Nelson County schools have a vendor-supported firewall so if the division is attacked “it’s been handled before it even gets to us.”
Slusher said the IT department in Campbell County schools also requires everyone in the division to change their password and has recently increased the requirements for passwords.