A hacker infiltrating the local high school doesn’t sound like much of a threat in today’s threat-filled world, but Alyssa Rosenzweig begs to differ. She knows what the bad guys are after: students’ data.
“It’s not an immediate threat but, in 10 years, when they go to apply for their first loan, then it will show up,” she said. “Criminals are very patient.”
Stealing students’ information to impersonate them online isn’t a theoretical concern. Case in point: A massive breach of security at PowerSchool, an education software provider, exposed data belonging to some 9,000 people in New Hampshire — students, teachers and staff — as well as hundreds of thousands nationwide last December.
That personal information is now available for the taking. Bad actors can use it for things such as taking out credit cards, overriding social media accounts or filing fake insurance claims, which can ruin credit histories and cause years of turmoil to the victim.
“We’ve already seen it. People who were 17 when that breach happens, they turn 18 and their data’s out there. Suddenly it’s being sold, monetized, all that,” Rosenzweig said.
Rosenzweig is familiar with this in her role as deputy director of The Overwatch Foundation, an unusual four-year-old nonprofit that helps local governments in New Hampshire plan against and deal with online threats. Last year, the foundation focused on water and wastewater treatment plants, an often-overlooked vulnerability, and this year it launched what they call the K-12 Cybersecurity in a Box program, which makes a portfolio of cybersecurity services available to public schools.
The program faces two big obstacles: money and attention.
“We have two people on staff that used to be school I.T. staff. They say the school was always willing to spend more money on a physical security thing instead of the digital. They would lose battles constantly — ‘I want this money’ or we could add to the baseball field. […] Towns too; they’d rather buy another plow than invest in basic cybersecurity,” she said. “It’s hard to get people to vote yes on a warrant article […] about tech support.”
The Overwatch Foundation’s funding comes from FEMA and is slated to last through 2030.
They don’t provide 24/7 tech help — the foundation, based in Concord, has just 10 full-time employees — but give expertise and advice on ways to educate people to avoid phishing or other routes for network breaches. They also help in getting grants to buy technical packages like one offered by Texas firm CrowdStrike.
“We encourage understaffed schools to go the managed route,” Rosenzweig said of hiring a company. “That’s the only way you can do it.”
Rosenzweig said the foundation has so far been involved with CrowdStrike licenses for “high value targets” that protect around 75,000 students.
The foundation is working to build a statewide database of knowledge that all schools can use to boost their protection.
But perhaps its biggest job is to getting the word out, said Rosenzweig, because cybersecurity is like herd immunity: the more people have protection the better everybody is. They try to move cybersecurity from the bottom of most operational priority lists and make it higher, responding to concern about hacking from other governments or criminal groups.
“Around 50% of municipalities in New Hampshire are working with us […] a lot haven’t received their first touch yet,” she said. “We’ve only been around two years. When you’re new, you need some of that network effect.”
For more information, check the Overwatch Foundation website at www.overwatch.org/
Return to the Concord Monitor