Orange County Public Schools

Not to be deterred by its size, Orange County Public Schools—one of the largest districts in the country—has the ambitious goal of putting a device in the hands of each of its 203,000 students. Perhaps more notable, though, is the district’s awareness of the security risks presented by such a flood of technology.

Or so says the newly-hired chief information officer for Orange County Public Schools (OCPS) Jim Pulliam.

Pulliam has worked in the U.S. Air Force, aerospace industry, municipal governments and higher education. Over the years, he’s realized that data security is no longer solely a concern of the federal departments of defense and energy. So, in a move to protect the data and identities of the most vulnerable, K12 students, he joined OCPS.

“In another four years, there’s going to be 200,000 devices in our district, which inherently has information security issues,” Pulliam says. “And I just wanted to be part of that. I wanted to be part of educating our children, and young adults about information security because it’s happening every day.”

Protecting the most vulnerable

 School districts like OCPS get hit with IT security threats from all angles.

There’s an onslaught of phishing, ransomware and distributed denial of service (DDoS) attacks. There is the physical risk of device theft, and then there are internal threats, or what Pulliam describes as students pushing the envelope to demonstrate their technical abilities; in other words, low-level hacking.

Cyberthreats are especially concerning in the K-12 environment, says Pulliam, who has a master’s degree in information assurance and is on the executive board for the K-12 National Advisory Council on Cybersecurity (NACC)

“If a kid’s identity is stolen at 12, nobody may realize that until the kid is 18, applying to buy a car or for a student loan and realizes their credit has been destroyed,” he says.

In contrast, if an adult’s identity is stolen, chances are a bank will sound an alarm and take action to, say, send new credit and debit cards.

There’s a strong business case, too. According to the 2015 Cost of Data Breach Study conducted by Ponemon Institute—which conducts independent research on privacy, data protection and information security—and sponsored by IBM, in the education sector, the average cost for each lost or stolen record containing sensitive and confidential information is $225. The study also found the average consolidated total cost of a data breach to be $4 million.

Battening down the network

Pulliam worked in higher education for 14 years, but he wanted to protect the identity of younger students, those who arguably need the most protection, and decided to make the move to OCPS.

He didn’t miss a beat before enlisting the Department of Homeland Security, which he asked to perform a “cyber hygiene test,” or cybersecurity audit. The department identified 30 critical and high vulnerabilities, that is, common points of entry for hackers.

OCPS quickly fixed those issues, and now it’s diving deeper.

It’s partnering with local law enforcement to recover stolen devices. It is installing firewalls and encrypting its hard drives. It’s doing seemingly minor, yet surprisingly effective things, like etching its name in bold letters on devices, so they cannot be sold at pawnshops. It’s making sure essential equipment is locked properly, and it recently increased its cybersecurity insurance.

OCPS now has a data loss prevention program in place, and it’s implementing a security information and event management system (SIEM) which gives OCPS a pulse on network activity.

There is constant refinement, as well. Pulliam says OCPS receives an estimated 5 million emails weekly, and roughly 80 percent of those are “malicious garbage,” or hack attempts. The district boosted its filters and drastically reduced the number of phishing scams that get through.

Vital to all of this has been restructuring the IT department. Previously, OCPS outsourced many of its IT needs, including cybersecurity. Now, contrary to the outsourcing popular throughout the nation, Pulliam is bringing those roles back in-house. He’s building a cybersecurity team that will include seven people. He has already hired a senior director of information security, as well as a staff member who can perform forensics when needed.

Teaching info security

Perhaps most importantly, OCPS is bolstering its information security education.

“Information security is a way of life now,” Pulliam says. “It’s just never going to go away, and I think what will really help us with our cause and moving this forward is educating our students and their parents about information security.”

Students and parents alike need to understand that once information is put online, it’s out there for a very long time, he says. Employers and college admissions officers look at sites like Facebook, and what students post online can have a real impact on their futures.

“These young people are going to grow up with it for the rest of their lives,” Pulliam says. “Why not teach them now, before it’s too late?”

In addition to sending his IT team to OCPS schools, where they will teach students, teachers and parents about information security best practices, Pulliam is working to organize a conference on the subject. He envisions bringing in major players like CISCO, HP, Dell and Apple, to get students excited about technology, while offering student, teacher and parent workshops on information security.

Stronger together

Though protecting the identities and information of 203,000 students is no small feat, Pulliam doesn’t want to stop there. He’s pushing for changes at the state and national levels.

In Florida—home to four of the 10 largest school districts in the country—Pulliam is partnering with neighboring districts. If they need, for instance, a forensic specialist, he’s happy to share OCPS’s. Likewise, if OCPS needs additional support, he hopes other districts will return the favor.

Through NACC, Pulliam is pulling for changes that would, for instance, make federal E-rate funding, usually reserved for infrastructure like wireless access points and fiber, available for security-related gear, firewalls, applications and hardware.

“If we get ahead of the curve, it’s going to make a difference,” Pulliam says. “I firmly believe that, and that’s why I’m here.”