July 07, 2022

Securing Fulton Schools infrastructure with proactive planning and Microsoft advanced security features

Bad actors are constantly testing the fences of educational IT networks looking for vulnerabilities. Because of this, the Fulton County school district in Georgia put plans in place to monitor, detect, and mitigate these potential cyber security threats. The district’s plans involved advanced Microsoft security features through a Microsoft 365 A5 educational license. This gave them the tools to address cybersecurity risks from ransomware, malware, phishing, compromised credentials, and DDoS attacks. Those tools were needed in a recent incident that highlighted the importance of ongoing communication with leadership about these plans, so they understand what’s being done to protect the district, the teachers, and students.

Fulton County Schools

Vigilance behind the scenes

Fulton County Schools is the fourth largest school system in Georgia, with nearly 95,000 students, more than 10,900 full- and part-time employees, and more than 6,900 teachers and other certified personnel. Technology has become integral to all aspects of K-12 education, especially during the pandemic, which means cyber security is front-and-center. At the same time, it’s never just a question of technology. Dr. Emily Bell, Fulton County Schools’ CIO, advocates robust planning, education, and communication as part of a well-rounded cyber security strategy.

As school districts across the country have learned, education is especially vulnerable to bad actors. There are many reasons for this. Staff and students are often naïve about the potential hazards of accessing the wrong site or clicking on a tempting email. Identity thieves also target districts looking for students’ personally identifiable information. While students are using technology to acquire new skills, create together, communicate, and have fun while learning, a constant security net must be at work behind the scenes.

“Cyber incidents happen every day, all day. Our tools and our threat hunters set out to contain and eradicate them. As IT leaders, we’re used to just resolving problems before end users even know about them,” explained Dr. Bell. “Recently, however, a single incident of potential ransomware was detected by an external source. It was reported to our superintendent at the same time that it was reported to me. District leadership has experienced ransomware incidents with individual user devices but not against critical resources including sensitive data. And they were aware of what has been in the news and how disruptive and costly ransomware has been for other school districts.”

Dr. Bell and her team needed to spend time reassuring district leadership and outlining the next steps. Because of their advanced monitoring, they showed leadership the number of incidents that are typically handled behind the scenes. For example, in a single 30-day period, they saw 39 ransomware attempts, all contained and eradicated; 712 malware attempts, all blocked; 983 compromised credentials, mitigated by automated disabling of accounts; and 254,255 phishing attempts, of which nearly 89% were not delivered.

A plan that anticipates any incident

The Fulton County Schools Information Security team has a cyber incident response plan aligned with guidelines from the National Institute of Standards and Technology (NIST). Fulton’s plan outlines a specific series of steps the IT team takes to identify, contain, and eradicate every threat. “What was reported to the superintendent never even rose to the level of ‘incident.’ We had a report, then we found, contained, and eradicated the threat, and nothing came of it. It turned out to be a fire drill for us, but it also created unnecessary panic among leadership,” said Dr. Bell. Her takeaway was how important it is to have a plan and communicate it.

Dr. Bell wanted to make sure district leadership could sleep at night, so she showed them her team’s steps to respond to any potential incident. Once an incident is detected, the stages include triage, containment, eradication, recovery, post-incident activities, and finally, closure.

As a result, Dr. Bell notes, now each incident is dealt with at the appropriate level of urgency based on assessed risk. With the right plan and tools to execute, many potential risks are mitigated before anyone outside IT needs to know.

Transparency about cyber security plans translates to a clear understanding of the investments the district is making to assure educational continuity. Emily explains: “It’s about letting our board know what measures are in place and what they do. Without the right information, it’s easy for them to draw conclusions about why we are or are not spending a significant amount of our budget for infrastructure and security-related measures.” One of those investments is an ongoing partnership with Layer 3 Communications and Forsyte IT Solutions. The engineers at Forsyte helped Fulton deploy Microsoft’s advanced security features in their Microsoft 365 A5 subscription.

“Once the security environment was set up, they asked us about monitoring,” said Jeremy Fass, National Sales Director at Forsyte. “They had a lot of questions. ‘Can you help monitor our environment on an ongoing basis? Can you help us detect when threats are occurring? Help identify real threats from false positives?’ We started by looking at their data and alerting them, calling on the phone when there was a threat that required action. Then we evolved over time to create consolidated reporting, making it easier for everybody to monitor the district’s environment. We also created routines to automate the process of remediation.”

Taskforce assures alignment and communication

With the infrastructure in place to detect, assess, and mitigate cyber security threats, school district leadership can focus on educating and supporting young learners. Technology has been instrumental in helping to assure educational continuity, but it’s a double-edged sword. A high-level security incident can severely impact the ability to deliver the tools and support to students who’ve already had their share of pandemic-related disruption. School district leadership wants to be on top of what’s happening, so they know when–and how–to engage. This is where the cyber security task force comes in.

Dr. Bell explained the role of the newly formed cyber security task force: “The task force includes leadership from a number of departments, including IT, legal, physical safety and security, human resources, communication, risk management, operations, school leadership, and of course academic leadership. We meet at least two times a year. If an incident rises to the level of tier two or tier three, the task force is called together, so individuals get insight into what’s going on. They can see where we are with containment and eradication and how it might impact their department.”

Having a task force in place ensures communication happens quickly and in a coordinated fashion. Impacted departments know the dimensions of the incident, how it may affect them, and what’s expected of them. The task force also conducts tabletop exercises to walk through scenarios before they happen. “As part of our planning, we developed a risk registry,” said Dr. Bell. “We created run books for each of the potential risks. These are specific checklists we follow to contain and eradicate each specific kind of risk.”

With so much happening behind the scenes, it’s tempting to think nothing is happening on the cyber security front. So how does the school district measure results? The district utilized Forsyte to measure the number of attacks that are occurring within a network and to quantify the cost based on industry standards. They can then show the value of preventing an attack. “We have within our reporting a monthly dollar figure associated with the number of successfully prevented attacks that our services and Microsoft software have provided for Fulton,” explained Jeremy. “On average, with that many users in their account and the number of attacks they have on a regular basis, we calculate around $25,000 to $30,000 worth of value associated with preventing potential attacks within their environment.”

Supporting educational continuity with secure technology

“It’s my belief that technology is a tool to be used in the classroom in the same way we use traditional tools like textbooks, paper, pencils, chalkboards, and now whiteboards,” said Dr. Mike Looney, Superintendent of Fulton County Schools. “Thankfully, our school board and our community have a long history of investing in technology and prioritizing the secure use of technology. Thanks to Dr. Bell’s leadership, we can ensure that we have the infrastructure and bandwidth to avoid shutdowns or slowdowns. We also believe in employing very talented people in the technology area to make sure we have the latest, most sophisticated, most robust protection and safety measures in place.”

