Evolution of Physical and Cyber Security in My District

by Kevin Richmiller – Director of Technology – City of St. Charles School District

This is a brief recount of how physical and cyber security has evolved in the City of St. Charles School District over the last eight years, and how physical security moved from being managed by the Facilities Department to mostly managed by the Technology Department. 

I started as Director of Technology for the City of St. Charles School District in July of 2012.  At that time all physical security was handled by the Facilities Department and cyber security by the Technology Department.  The district firewall was a very basic stateful inspection firewall that only actively looked at traffic on ports 80 and 8080.  We had two vlans, voice and data. We had five security cameras per building, and the exterior doors were left unlocked all day.  

That year we began talks of making our buildings more secure.  On December 13th, 2012, the board approved adding an Aiphone door buzzer system to every building so we could lock our exterior doors during the school day.  That next morning Sandy Hook happened which shook the entire school community.  The Aiphone project was fast tracked from a two month timeframe to a two week timeframe for installation.  Because this system involved cabling and wires, physical security slowly started shifting from being Facilities managed to Technology managed. 

That spring (2013) we began planning a bond issue for the following spring.  On the bond we added door access control and expanded our camera system from 75 cameras district-wide to 550 cameras.  Door access control and added cameras put physical security almost completely into the hands of the Technology Department.  The main thing the Facilities Department continued to manage was physical keys which most staff no longer required because of the access badges.  

During the last five or six years, we upgraded our firewall to a next-generation firewall, and we now monitor all ports, not just basic internet ports.  We also segmented as much out into separate vlans as possible.  This was a necessity as we discovered our outdated firewall could not keep up with growing demand, and outside entities were attempting to flood our network with DDoS attacks.  

As more and more products became web-based and the education field became apparent low hanging fruit for hackers, our district began yearly mandatory security awareness training for all staff and simulated phishing attacks to help staff identify phishing emails. The simulated phishing attack in our district that is most talked about, even three years later, is a phish around November appearing to be from Costco telling everyone they received a free turkey from the district for being such outstanding employees.  All they had to do was simply click the link below to claim their free turkey coupon.  That phishing attempt resulted in a 25% fail; apparently, our staff didn’t know our CFO as well as I do. 

With so many products now online and a need to ensure student and data privacy, two years ago our district began using a product called Education Frameworks.  This program does an initial review of a site’s privacy policy and provides a data privacy score.  We then review the score and make final determinations on if the site is safe for teachers and students to use in our district.  We were spending a tremendous amount of time going through privacy policies trying to determine if a site is safe for student usage.  Education Frameworks helps reduce our man hours spent on going through online privacy policies.    

Technology has changed rapidly these past eight years.  We have to be able to adapt and change with it or risk being left behind, both from a physical and cyber security standpoint.  Our district has made tremendous changes in the last eight years and more and more things keep falling into the responsibility of our Technology Department.  I believe most technology departments in education have seen the same or similar transformations over the last 10 years.