Cairo-Durham Central School District fell behind in IT protections leaving users at risk, state auditors say

Carly Miller

Hudson Valley 360

Mar 14, 2018

Inadequate and outdated information technology policies in the Cairo-Durham Central School District could expose students, employees and the computer network to cybercriminals, according to an audit released by state Comptroller Thomas P. DiNapoli.

The audit reviewed web history reports from 11 Cairo-Durham Central School District computers dating from 2015–2017, looking for accessed websites that could put the network at risk. Six of those computers were used by school treasury officials and five computers, selected randomly, contained the school’s education plan application, which contained private information, according to the report. The fieldwork began last June and continued over three months, School District Superintendent Anthony Taibi said. The comptroller’s office shared its findings with the district in January, and made the report public on Feb. 27, including a written response from Taibi.

The district’s computer and internet use policies have not been updated since 2006, lagging behind advances in technology, auditors found. The report lists several gaps in the district’s IT policy, including no procedures for classifying sensitive information, wireless security, managing mobile computing and storage devices and training staff on cybersecurity, according to the report. In addition, inadequate web filters allowed staff members to browse games, hobbies, job searches, social media, shopping and travel websites. In addition, computer users could access websites about “terrorism, adult entertainers and gambling,” according to the report.

“Inappropriate use of district computers could potentially expose students to inappropriate content or the district to virus attacks that compromise systems and data, including key financial and confidential information,” according to the report. For example, some websites infect computers with malware that installs a keystroke logger to capture identification and password information.

These policy gaps don’t necessarily mean that school computers were a high-risk target for hackers, Comptroller’s Office spokesman Brian Butry said. “But the district’s policies are insufficient.”

“Over the last few years, we have undertaken as a district and board, a comprehensive review and update of every single board of education policy,” Taibi said. “In a few places, these policies are still under review.”

The Comptroller’s office recommends that the district board update its Information Technology policies, provide periodic cybersecurity training to employees, and block access to sites that violate the school’s policy.

“Immediate steps were taken throughout the audit process as well as a result of the exit conference to address identified areas,” Taibi said. “The school district is currently finalizing our corrective action plan which is submitted back to the comptroller for review.”

In a written response to the report, Taibi noted filters could interfere with curriculum work.

“Even something as simple as a travel website, while no one would argue that staff should not be booking flights on district computers, access for educational purposes by both students and teachers should not be limited,” Taibi wrote in an email on Wednesday. “Through education and supervision, we can ensure appropriate use.”

There are approximately 1,400 students in the Cairo-Durham Central School District, according to the school’s website. The district stretches from the towns of Cairo, Durham, Athens, Catskill, Coxsackie and Greenville in Greene County, Conesville in Schoharie County, and Rensselaerville in Albany County, according to the report.

The district’s Information Technology budget for this school year is $1,165,764, Cairo-Durham Central School Business Administrator Jeff J. Miriello said. The school’s total budget is $30,103,377.

“The IT upgrades will have a minimal effect on the annual budget,” Taibi said. “We constantly anticipate upgrading our equipment and have prepared purchase cycles that can be adjusted for such changes.”

In addition, cybersecurity training for staff members is funded through the professional development budget, Taibi said.

Comptroller DiNapoli’s office announced the completion of five school district audits in the state Feb. 27, according to Butry. Other audited districts include Elmwood Village Charter School, Islip Union Free School District, McGraw Central School District, Middletown Enlarged City School District and Mount Vernon City School District.