The Liberty Central School District sits at the crossroads of the Catskill Mountains and Hudson Valley in Sullivan County, New York. Serving approximately 2,000 students across an elementary school, middle school, and high school, Liberty is part of one of the smallest BOCES regions in New York State by student population. The district's rural, mountainous setting creates unique cybersecurity challenges that reflect the struggles of small school districts across upstate New York and rural America more broadly. From limited broadband access to constrained IT budgets, Liberty's experience illustrates both the vulnerabilities rural districts face and the resources available to help them strengthen their digital defenses.
State Comptroller IT Audit: A Wake-Up Call
In 2022, the New York State Comptroller's Office conducted an information technology audit (2022M-73) of the Liberty Central School District. The audit examined whether district officials adequately safeguarded computerized data from unauthorized use, access, and loss. The findings revealed significant cybersecurity gaps that are common across small rural districts:
Finding 1: Unnecessary Network User Accounts Not Disabled
The audit found that district officials did not disable unnecessary network user accounts. When employees leave a district or change roles, their network accounts should be promptly deactivated. Accounts that remain active after an employee departs create a serious security risk: they can be exploited by attackers to gain unauthorized access to district systems. In a small district where IT staff may not have automated account lifecycle management tools, this task requires manual tracking and coordination with human resources. The failure to disable inactive accounts is one of the most commonly exploited vulnerabilities in school district cyberattacks, as attackers can use dormant credentials to move through systems undetected.
Finding 2: Inadequate IT Vendor Contracts
Auditors found that the district did not establish adequate information technology contracts with its vendors. Small districts like Liberty rely heavily on outside vendors for everything from student information systems to network management to cloud-based learning platforms. Without clear contractual terms defining each vendor's security responsibilities, data handling practices, encryption requirements, and breach notification obligations, the district cannot ensure that student and staff data is protected throughout the vendor ecosystem. This finding is especially significant given New York's Education Law 2-d, which requires specific data privacy protections in all third-party contracts involving personally identifiable information.
Finding 3: Outdated IT Contingency Plan
The audit determined that the district's IT contingency plan was not kept up to date. A contingency plan, also known as a disaster recovery or business continuity plan, outlines how a district will respond to and recover from a cyberattack, natural disaster, or major system failure. For a rural Catskills district that could face both cyberattacks and weather-related disruptions such as severe winter storms or flooding, having a current and tested contingency plan is critical. An outdated plan may reference systems, contacts, and procedures that no longer exist, leaving the district without a functional roadmap when crisis strikes.
Finding 4: Lack of Comprehensive Security Awareness Training
The audit found that officials did not provide users with comprehensive IT security awareness training. Human error, particularly clicking on phishing emails, remains the number one entry point for cyberattacks against school districts. Without regular, structured training that teaches staff to recognize phishing attempts, social engineering tactics, and suspicious system activity, every employee with a network account becomes a potential vulnerability. The absence of security training is particularly dangerous in small districts where a single compromised account may provide access to a significant portion of the network.
Lessons from the Audit for All Rural Districts
While the Comptroller's audit focused on Liberty specifically, the findings are instructive for rural school districts everywhere. The four areas identified, account management, vendor contracts, contingency planning, and security training, represent the foundational elements of any school district cybersecurity program. Districts that address these four areas dramatically reduce their exposure to the most common attack vectors.
The audit is also a reminder that state oversight mechanisms exist and are actively monitoring school district cybersecurity. New York's Comptroller conducts IT audits of school districts throughout the state, and districts that receive findings are expected to develop and implement corrective action plans. For communities, these audits are a valuable transparency tool that reveals how well their district is protecting sensitive data.
The Digital Divide as a Cybersecurity Challenge
Sullivan County faces one of the most significant digital divides in New York State. Between 8% and 20% of students in the county lack adequate internet access at home, and available bandwidth from internet service providers is often insufficient during peak usage times. This digital divide creates cybersecurity challenges that go beyond simple connectivity:
- Unsecured public networks: When students and families cannot access the internet at home, they turn to public WiFi at libraries, restaurants, and other locations. These unsecured networks are prime hunting grounds for attackers who can intercept login credentials and personal information
- Device sharing: In households where one device serves multiple family members, the risk of malware infection increases. A compromised personal device that is then used to access school systems can introduce threats to the district network
- Delayed software updates: Students with limited bandwidth may not be able to download important security updates for school-issued devices, leaving known vulnerabilities unpatched for extended periods
- Reduced monitoring capability: When significant numbers of students access school systems from uncontrolled environments, the district loses visibility into potential security incidents and anomalous behavior on those connections
New York State has recognized Sullivan County's broadband challenges. A $29.9 million broadband infrastructure project through the state's ConnectALL initiative is bringing high-speed internet access to more than 22,000 homes and businesses across Sullivan County's rural and mountainous terrain. This investment will not only close the digital divide for students but also strengthen the cybersecurity posture of the entire community by enabling families to access school systems over more secure, reliable connections.
In the interim, Sullivan BOCES and community partners have developed creative solutions to bridge the gap, including a converted school bus serving as a mobile classroom with WiFi connectivity for students in underserved areas.
The Role of Sullivan BOCES
Sullivan BOCES serves eight component school districts, making it one of the smallest BOCES regions in New York State by student population. Despite its small size, Sullivan BOCES provides critical shared services that help member districts like Liberty manage technology and cybersecurity challenges they could not address independently:
- Shared technology infrastructure: Centralized data and network services that provide security capabilities beyond what individual small districts could maintain
- Professional development: Training and support for teachers and administrators on technology integration and digital safety
- Compliance support: Assistance with Education Law 2-d requirements, including data privacy agreements, vendor management, and the Parents' Bill of Rights
- Career and technical education: Programs that can introduce students to cybersecurity concepts and career pathways
For Liberty and its neighboring districts, maximizing BOCES services is essential for maintaining cybersecurity protections that would be unaffordable on individual district budgets.
Addressing the Audit Findings: A Model for Small Districts
The four areas identified in the Liberty audit provide a practical framework that any small rural district can use to evaluate and strengthen its cybersecurity program:
- Implement account lifecycle management: Create a written policy requiring that network accounts be disabled within 24 hours when an employee leaves the district or changes roles. Conduct quarterly reviews of all active accounts and reconcile them against current employee rosters. Even without automated tools, a spreadsheet-based process maintained by the IT department and HR office can close this gap
- Strengthen vendor contracts: Review all third-party technology contracts to ensure they include Education Law 2-d required provisions: data encryption, prohibited data sales, breach notification timelines, and data destruction upon contract termination. BOCES and the Student Data Privacy Consortium's National Data Privacy Agreement provide template contract language that small districts can adopt
- Update and test the contingency plan: Review and update the IT contingency plan annually. Include contact information for BOCES, CISA, state homeland security, and law enforcement. Identify critical systems and acceptable recovery timeframes. Conduct a tabletop exercise at least once per year where key staff walk through a simulated incident scenario
- Establish regular security awareness training: Implement mandatory annual cybersecurity training for all staff with network access, supplemented by monthly phishing simulation exercises. Free training resources are available from CISA, MS-ISAC, and many BOCES. Track completion rates and report them to the school board
What Liberty Community Members Can Do
Parents, staff, and community members in the Liberty school district and surrounding Sullivan County communities can take several steps to support cybersecurity:
- Review the Comptroller's audit: The 2022 IT audit report is a public document. Reading it helps you understand your district's specific cybersecurity challenges and ask informed questions at board meetings
- Practice secure internet habits: Especially in areas with limited broadband, avoid entering passwords or sensitive information on public WiFi networks. Use a VPN if available, and ensure home WiFi networks are password-protected with WPA3 encryption
- Freeze children's credit: Place free credit freezes with Equifax, Experian, and TransUnion for all minor children to prevent identity theft, whether or not a breach has been disclosed
- Ask about Education Law 2-d compliance: Request to see your district's Parents' Bill of Rights and ask the Data Protection Officer about what vendors have access to your child's data and how it is being protected
- Support broadband expansion: Advocate for continued investment in rural broadband infrastructure. Better connectivity benefits education, economic development, and cybersecurity simultaneously
Resources
- NYS Comptroller IT Audit (2022M-73): The full audit report on Liberty Central School District's information technology practices
- Sullivan BOCES: Shared educational and technology services for Sullivan County school districts
- NYSED Data Privacy and Security: State guidance on Education Law 2-d compliance, model policies, and privacy resources
- CISA K-12 Cybersecurity: Free vulnerability scanning, phishing assessments, training, and incident response support
- MS-ISAC: Free cybersecurity monitoring, threat alerts, and incident response for public sector organizations including school districts
- Liberty Central School District: The district's official website with information on technology services, safety plans, and data privacy policies