Ep. 6: When Hackers Head Back to School
With ransomware attacks on the rise and K-12 student data at risk, one Canadian school district is fighting back.
Cybersecurity at primary schools is serious business. In 2021, ransomware attacks struck 73 school districts covering nearly 1,000 schools. And these incidents are on the rise. But not at Canada’s Burnaby School District 41, in British Columbia, which employs a proactive cyber strategy to safeguard learning opportunities for Burnaby’s 25,000 students. Listen in and get a crash course in Burnaby’s cyber resilience.
HOST: Doug Thompson, director of technical solutions engineering and chief education architect, Tanium
GUEST: Aylwyn Ribeiro, manager of networking and security, Burnaby School
The following interview has been edited for clarity.
Aylwyn Ribeiro: School districts, aside from the networking attacks, were very vulnerable to social engineering, phishing attacks, and stuff like that. So we have to be on our game when it comes to that, because that’s where a lot of our issues stem from. And a lot of people to this day still fall for it.
Doug Thompson: Imagine you recently started a new job as head of networking and security at Burnaby School District 41. That’s one of the largest school districts in British Columbia. And just as you’re getting used to the place, well, all hell breaks loose.
Hi, I’m Doug Thompson, and today on Let’s Converge, we’re talking primary schools and cyber threats and how one district is fighting back.
Consider these numbers: 4,000. That’s the number of teachers and staff who work at Burnaby. 25,000. That’s the number of students whose sensitive data is on the line. And 19, 19? Ohhh, COVID-19. This drove all these students and staffers to their homes for remote learning. The challenge: Many of these folks lacked adequate home computers. So an additional 9,000 school devices were sent home with them.
This was the challenge for Aylwyn Ribeiro back in 2020. Aylwyn quickly realized the tough spot he was in. He and his team lacked visibility into what these devices were up to, not to mention their patching status and antivirus software. And then there was the entirely new threat he’d never encountered before:
Coming from the world of business, he was used to fending off cyber criminals, but now he also had to anticipate the wily schemes and shenanigans of would-be student hackers, who all saw this as a chance to infiltrate his network as a hilarious joke, or even more likely, a badge of honor.
Cybersecurity at primary schools is serious business. In 2021, ransomware attacks struck 73 school districts covering nearly a thousand schools. And these attacks, unfortunately, are on the rise. But not at Burnaby, thanks in part to a proactive strategy that Aylwyn has helped deploy over the last few years.
Welcome to the podcast, Aylwyn. How’re you doing?
Ribeiro: I’m very good, Doug. How are you?
Thompson: I’m better than I deserve. Part of what intrigues me about your story is not just how you took on this new job at the start of a crisis, but the fact that you did so with no experience in the field of education.
Ribeiro: Yeah, kind of an interesting story. My IT background is actually hospitality IT. And, you know, during COVID, unfortunately, hospitality took a big hit. A lot of the hospitality organizations were downsizing their teams, their front-end teams, their IT teams, and just their teams across the board, [which] led me to go to the Burnaby school district [Laugh.]. So really interesting change of path there, and [change of] industry altogether. But that’s been a great change so far. [Laugh.]
Thompson: You know, like when I was looking at leaving Microsoft and the opportunity to come to Tanium came along, I wasn’t particularly looking for anything at the time, but I find that if you’re a religious person, god or whoever puts things in your way sometimes to make you change direction in areas that you wouldn’t have considered before. What attracted you to the school district?
Ribeiro: Mainly, the fact of the role. My role with the school district is manager of networking and security, which encompasses the entire infrastructure and the security of the organization, which is my main bread and butter. I love that kind of stuff. I love tinkering, I love security, I love networking and infrastructure. So it was kind of a natural path for me to take on this role. [Laugh.]
Thompson: Well, … welcome to the oven, because I find that education is a prime target for all the bad guys who want to break in. And as a security person, you’re sort of on the front line of that. In hospitality, I’m sure there’s the normal things, and the bigger the companies are, the more attraction you get. But I do find that education, especially primary education, K-through-12 is a prime target for the bad guys, especially as school starts and all that, because they know when your workload is through the roof and all, and they will leverage that to take advantage and sort of form an attack. So I’m sure you’re on a really front line now. I don’t know if you’ve noticed that or not.
Ribeiro: [Laugh.] Most definitely. You know, school districts, aside from the networking attacks, were very vulnerable to social engineering, phishing attacks, and stuff like that. So we have to be on our game when it comes to that because that’s where a lot of our issues stem from. And a lot of people to this day still fall for it. So it’s, it’s crazy. We definitely have to be on our game on that [Laugh.].
Thompson: Oh, yeah. I mean, it’s common. You’re not the only one. I know that from like August here, here in the States, from August through October, that’s when the networks are getting [hit]—the phishing emails are really ramped up because [hackers] know that the IT staff is busy resetting passwords and just trying to make sure the stuff is working for the semester and they don’t really have time to sort of watch the normal stuff that you would be able to watch.
And, notoriously, education is—I joke with my peers who are in enterprise or corporations—I say, look, education has half the staff and three times the users that a corporation would have. You guys are really the front line—I would call you almost like the SEAL team getting in; you’re very lean but very efficient at doing things.
Ribeiro: Yeah, absolutely. September is our busiest time where we have our computer support technicians going around. They’re getting the schools ready, getting all the technology ready. And my team does all the backend work, getting the networks ready, getting all the servers ready, and it’s really hard to focus and find that balance on usability of the network and security and finding the balance on how to use both at the same time successfully. So, you know, we were fortunate enough to find the balance. I have a great team that, you know, supports me, and we support each other very well. It’s really all about the people, in the sense that you treat them well but get the stuff done, and that’s all you can really ask for them, right? Provide ’em the tools, provide ’em the training, and they’ll do it.
Thompson: Well, that’s an outstanding approach. It seems common sense, but it’s a great way to do it. And with you being an outsider, new to education, how were you received?
Ribeiro: Well, that’s an interesting question actually. When I first got there, I was received very well, especially for my experience in private sector and hospitality. Going through the district’s—I’m gonna call it technology profile, I found out that a lot of the services and hardware and what was actually going on was really defined by the vendors they used, and the team really didn’t have any say in what was going on. So these vendors, they’d have an out-of-box solution, kind of a solution that’s one-size-fits-all, and in reality that doesn’t work. So my approach was, I lined up all the vendors side by side and thought, Hey, do we need this service? Do you need that service? Is this redundant? If it is, get rid of it. And really, what can my team do that they haven’t been doing before? And, you know, get them on that path to learn it and succeed in it.
Thompson: To have the courage to go in and do that, it’s something I want to applaud you for, because people hate change in general. Humans, we hate change. We like the comfortable, we like what we’ve been doing. And I think sometimes the longer we’ve been in IT or something like that, we get comfortable with the tools that we use, and they tend to be—I heard somebody describe it as here’s my tool bag that I’m going to be carrying from place to place because that’s what we know.
And it’s not always the best approach. Because there are new and better ways to do things, and a lot of times from an organizational standpoint, we’re sort of locked into this old model where we have this tool to do X, we have this tool to do Y, and we have this tool to do Z, when there are options now to sort of let you do all of those things a lot more seamlessly and sort of play nicely together.
And it sounds like you took that vision, you said, how do we get out of the tool business and more into the making technology just work business? And making it safe.
Ribeiro: Exactly. A lot of times the tool sets are redundant and nobody uses them to begin with ’cause they’re not trained or they don’t wanna know how to use it. That’s the biggest pet peeve of mine [Laugh.]. So I’ve kind of redone our entire tool set and have been making the team learn it and use it, and they realize, you know, it supplements their abilities and makes them a more powerful player [Laugh.], right?
Thompson: It probably gives them more time. So, when you can get in and you can automate things and streamline things a little bit, then it gives you more time to look at the important things.
Ribeiro: Absolutely. You know, we’re in the education business; we have to focus on the kids. So getting all that time back to support them? Hey, it looks good in my book.
Thompson: Did you change some reporting structures? Did you sort of change that and flatten the org a little bit so [as] not to get in these silos?
Ribeiro: I didn’t really flatten the organization per se, but I allowed two separate teams to function as one. Our network services team, for instance: We had them segregated from a WAN and a LAN side, and I’ve kind of been merging them together slowly.
Thompson: OK, Aylwyn, this is an acronym-free zone, so I need to do a little Cyber Jargon 101 here: When we’re talking about a WAN and a LAN, those are acronyms for different types of networks. For example, a LAN is a “local area network” that connects users in a small area, such as a classroom or in a building or something like that. And a WAN “wide area network” connects those local networks across a broader area. Think about it as across town, maybe to a different campus or something. Now enterprises spread out across multiple locations have to master security for both. And often that’s handled by a separate group of people. These are like the uber nerds that really know the ones and zeros and know how stuff moves around the world. So is this another way you were aiming to streamline and simplify the security at Burnaby?
Ribeiro: Ultimately you don’t need that separation [Laugh.]. It’s just made them work together way more efficiently because they’re not going between teams to figure out information when they can grab it themselves easily.
Thompson: But you’re removing the silos that are in here.
Thompson: Where, again, you’re all sort of working off the same data, right. Especially since people have gone home [to work], the LAN and the WAN now, the border is out wherever the user is. And being able to manage that, the tools—as you found—that used to work great when you had castle walls and that’s where everything resided don’t work so well when everybody picks up and takes the ball and goes home. [Laugh.]
So you’re removing silos and streamlining tools. I get that. Burnaby has also instituted some interesting security programs. You conduct cyber awareness campaigns, simulated phishing attacks—not like with a boat and a rod and reel, but phishing emails—and one-on-one training, when you spot staff members who repeatedly fall victim to these cyber scams. How do you sell all this to senior leadership, who probably, by the way, are also some of the victims of these scams?
Ribeiro: So, I’ve been really painting a picture on how we can save money, how we can improve the organization, make it leaner and more efficient by finding the appropriate tools. Using the appropriate people and resources, we can get there. And defining that purpose, defining that path forward is the ideal way to do it. And leadership really loves it when you can define that and even put monetary values to it and show them how much they’d actually be saving. Right? So that was the biggest way I was able to get the things I needed done quickly and efficiently.
Thompson: I like the way you look at it as a holistic type thing. There’s how do we spend the taxpayers’ money wisely—that’s one thing I appreciate—but we also can share, here’s some new things that we can do because now we’ve freed up these other assets, be it human assets or financial assets.
Ribeiro: Absolutely. Financial assets are huge specifically because we are a public sector organization. We report basically to the taxpayers. So the amount of money we save, we can use it more efficiently and put it where it’s really needed first.
Thompson: Mm-hmm. Out in the classroom is where a lot of this money goes.
Thompson: Does the leadership—the superintendent and things like that—do they have any IT experience or background at all? What made them choose you for this role above all the other people with a big educational IT background?
Ribeiro: I believe they chose me because of my experience. Also my ability to work with people, explain concepts simply, and to communicate well with them. That would be my biggest selling feature. A lot of IT people talk the jargon, the mumbo-jumbo, and people don’t really understand that. And at the executive level, they hate that. They just want plain ABCs, plain English. [Laugh.]
Thompson: I know, that’s a great thing. I call that “techsplaining.” All that mumbo-jumbo—I call that techsplaining.
Do you think the hospitality industry taught you those skills to be able to do that? Because you’re dealing with people all the time—you want them to part with their money at your resort or things like that. So did that sort of help foment that?
Ribeiro: Well, I’m a people person, so hospitality actually came natural to me. So I feel that it augmented my skillset and made it better. I was very public-facing before, in hospitality. So I do feel that it did help me out a little bit in this. Yeah. [Laugh.]
Thompson: That’s a great skill to have, and probably more people should have that. One of the skills I learned early in my sales career—I took an improv class and sort of built on that. What it taught me to do was listen to what the customer—in this case, your end users—were telling me, and then assimilate that. That way I knew, because I found out the customers tell you what they need if you just sit there and listen.
Ribeiro: [Laugh.] Absolutely. A lot of it comes down to listening. You know, a lot of IT people have the problem of not listening—in one ear and out the other, right? So you have to make it a point to listen and understand what’s actually going on.
Thompson: And then you can sort of absorb that and adjust your plan as necessary. So what’s next, if you can say, a year from now or so? Where do you want to be and what do you wanna be doing that’s even a little bit more impactful to what you’re doing?
Ribeiro: That’s a great question. You know, moving the district forward; my major focus is to secure the organization even more. I’ve been looking at potentially implementing more managed-threat services just to see what’s going on and then how it’s affecting us. And even, potentially, we need to bump up our user and staff training to mitigate a lot of those social engineering attacks. So, that’s definitely number one on my priority list. Right? Because, you know, you could have the best security in the world, but if your people aren’t trained, that’s the easiest way [for bad actors] to get in.
Thompson: Yeah, you mentioned this earlier, and I meant to touch on that. It is a balance between usability and security. Because you can make the most secure environment on the planet and then nobody uses it. [Laugh.] ’Cause nobody can do anything with it. And on the other hand, giving people access to the things they need does take sort of a different mindset, and it’s a trade-off. And getting your users to understand, like, MFA, multifactor [authentication], is a good thing.
I find that the older users, we have a harder time with change than those that are younger, that have sort of grown up with technology and understand that, you know, having multifactor is just a minor inconvenience, but at the end of the day, it makes you a lot more secure.
Ribeiro: Oh, absolutely. With the advent of MFA, that’s really been able to reduce account compromises. And actually that’s something we’re in the process of deploying in the district right now. It’s really finding the balance because, you know, kids K-12, can they really do MFA? Do they have a device that can do it? Or do we segregate the groups? Do the older students and staff get it and we leave the K-4s alone? So it’s finding the balance and seeing what risks we’re willing to accept.
Thompson: I really love what you’re doing. The reason I wanted to have you on the podcast is you’re proving that it can be done. And maybe your coming from the outside meant that you didn’t know that you couldn’t do it [Laugh.]. Sometimes we assume that, well, this can’t be done. But you sound like you’re just at the right [point], or on the crest of the wave of making these changes that really show thought leadership on how you can transform an educational system even without a lot of educational knowledge on the backend.
Ribeiro: Yeah, absolutely. Persistence is perseverance. Just getting through it. No challenge is unbeatable, right? [Laugh.]
Thompson: So you have your mantra, you call it, on your LinkedIn profile: “Your success is defined by your persistence to persevere when the odds are stacked against you.” And unfortunately in education, in IT, you need that a lot.
As I said before, half the users there are trying to hack into you, because they are kids; it’s a game to them. That’s the thing they do. So it’s just another extra, extra little challenge we get to have.
Well, Aylwyn, thanks for spending some time with me. I really look forward to watching what you do in the next year or two. Thanks for being on the front line with our kids and protecting them.
Ribeiro: Thank you, Doug. Really appreciate it. Thank you.
Thompson: I’ve been talking with Aylwyn Ribeiro, manager of networking security at Canada’s Burnaby School District.
If you’d like to read more about Burnaby’s cybersecurity strategy and the rising threat to K-12 schools, check out Tanium’s new online cyber magazine at Tanium.com.
To hear more conversations with today’s top business leaders and security experts, make sure to subscribe to Let’s Converge on your favorite podcast app. And if you like this episode, which I know you did, please give us a five-star rating and recommend it to your friends.
Thanks for listening. We look forward to sharing more cyber insights on the next episode of Let’s Converge.
Hosts & Guests
Aylwyn Ribeiro is manager of networking and security for Burnaby School District 41, the fourth-largest public school district in British Columbia. He is charged with protecting the sensitive information of the district’s nearly 25,000 students and 4,000 staff members.
Doug Thompson is Tanium’s Chief Education Architect. A conference speaker, podcast host, and storyteller, he architects solutions that keep our schools’ sensitive data secure.