- Report recommends training, bolstered security controls to prevent ransomware attacks
- Shortcomings were found in all four of the school districts audited
- Deficiencies across all districts included data protection and recovery protocols, but specifics were not provided to protect those vulnerabilities
- The report also recommended DeSoto and Pasco bolster their security awareness training
(The Center Square) — A recent audit of four Florida school districts has shown the need for stronger cyber-controls to be put in place as the threat from ransomware grows significantly each year.
The Florida Auditor General conducted an information technology operational audit from Dec. 2021 to Sept. 2022. The IT audit was to focus on four school districts — Desoto, Escambia, Indian River and Pasco.
According to the audit report, its focus was to “identify problems so that they may be corrected in such a way as to improve government accountability and efficiency and the stewardship of management.”
The audit turned up two findings, the first being that Desoto and Pasco school districts had to improve their training of staff in cybersecurity awareness. Desoto had been working on implementing processes to improve security measures, but as of August 2022, they had not yet established a mandatory security awareness program.
Pasco County school district had implemented security training for help-desk staff and had provided online training programs for staff regarding internet usage and email security best practices, but the audit found that Pasco had also not yet implemented an appropriate training program.
According to the audit, “Effective security awareness training programs include authentication and data handling best practices, sessions to recognize social engineering attacks, instructions to understand causes of unintentional data exposure, guidance for recognizing and reporting security incidents, and a requirement that all employees receive security awareness training. The lack of a comprehensive, mandatory security awareness training program increases the risk that employees may compromise the confidentiality, availability, and integrity of district data and IT resources.”
The audit also recommended that “management at Desoto and Pasco County School Districts should establish a comprehensive, mandatory security awareness training program to ensure that employees are aware of their responsibilities and the importance of securing District data and IT resources.”
In response, both the Desoto and Pasco County School District superintendents agreed that further measures will be put in place and are currently both in the process of implementing mandatory training for staff.
The second finding regarded security controls — specifically authentication, account management, data recovery, configuration management, vulnerability management and data protection.
The audit found that these areas were also lacking, but did not disclose recommendations “to avoid the possibility of compromising the confidentiality of district data and related IT resources.”
According to the Florida House of Representatives’ final analysis of HB 7055, a bill designed to strengthen cybersecurity, there were over 2,000 ransomware attacks in 2021 on state and local governments, schools and healthcare providers — some resulting in patients permanently losing their medical history. Ransomware has also interrupted the 911 emergency system, surveillance systems, police being able to conduct background checks and property transactions.
The Director of the Florida Center for Cybersecurity (Cyber Florida) at the University of South Florida, Ernie Ferraresso, told The Center Square that audits are “critical” to keep vital information secured.
“Cyberspace and cybersecurity are dynamic environments, and audits like this are critical to determining where our public organizations need to focus their limited security resources to stay vigilant,” said Ferraresso. “Florida is committed to bolstering the state’s overall cyber preparedness and resiliency, including a recent state appropriation of $30 million to provide cybersecurity awareness training resources to public employees and organizations — a program Cyber Florida is working to implement right now.”