Threat Vector by Palo Alto Networks
Episode: Securing Pre-K-12: A Tech Leader's Perspective
Date: October 16, 2025
Host: David Moulton, Senior Director of Thought Leadership, Unit 42
Guest: Mohamed Salah, Associate Chief Technology and MIS Officer, Paterson Public Schools
Overview
This episode dives into the unique cybersecurity challenges facing K-12 educational environments, with an in-depth conversation between David Moulton and Mohamed Salah. Drawing from his experience overseeing technology in Paterson Public Schools, Salah discusses strategies for protecting sensitive student data, adapting security policies for diverse populations, and fostering a resilient, security-focused culture—even with limited resources. The episode is packed with real-world incidents, actionable advice, and an emphasis on making technical issues resonate with non-technical audiences.
Key Discussion Points & Insights
Mohamed’s Journey to Leadership in School Cybersecurity
- Early Start: Began as a high school tech intern, hired as a technician after graduation.
- “Really my career started in education as a technician and from there I continued working in technology. I really loved working in education. It gave me a deep sense of purpose and understanding…” (02:16 – 02:52)
- Sense of Purpose: Finds deep satisfaction in protecting educational environments.
Pressing Threats in K-12 Environments
-
Not Immune to Enterprise-Grade Threats: Schools face the same risks as large enterprises.
-
Main Threats Identified:
- Ransomware
- Insider threats (e.g., unauthorized network access by non-affiliated community members at facilities)
- Data exfiltration (student information as a “gold mine” for attackers)—especially valuable due to its “clean” and unblemished nature
- Third-party providers being held to higher standards
“Threat actors are non discriminate. They go after whoever is available…” (03:25 – 04:12)
Major Incident: Business Email Compromise (BEC)
-
Incident Overview:
- Teacher’s email compromised
- Attacker requested a direct deposit change; payroll sent funds to the wrong account
- Led to a post-incident learning process and a push for systemic change
-
Policy Response:
- MFA (multi-factor authentication) for emails
- Better logging and incident response plans
- Improved communication by reframing the security narrative—from technical protection to personal impact (“making sure a teacher never loses their paycheck again”)
“I changed the narrative as far as protecting the livelihood of the staff members and making sure that everyone gets paid…” (05:18 – 08:17)
The Power of Storytelling in Driving Security Change
- Reframing Security Initiatives:
- Adapting the message for non-technical stakeholders to gain buy-in
- Examples:
- Penetration tests framed as boiler safety tests—making the abstract relatable to real-world scenarios
“Hey, do we, do we get our boilers tested every year?... We need annual penetration test. Like, we, we have to do this now.” (10:45 – 11:38)
- Result: Increased adoption and support for new security measures
Chromebooks, SaaS, and Cloud-First Security
- Chromebook Deployment:
- 30,000+ Chromebooks for Pre-K-12 students; Google Workspace as core platform
- Focus on sustainability: devices are affordable, secure, and scalable
- Google’s built-in management and security tools eliminate much endpoint complexity
“Chrome OS is an inherently secure operating system, we really don’t have to worry about any type of endpoint protection...” (12:47 – 14:30)
- SaaS Adoption:
- Reduced on-premises servers (from 90 to 40–50), shifting risk to vendors
- Emphasis on strong contracts and legal controls to ensure vendor accountability
Tailoring Identity & Access Management to a Diverse School Population
- Staff & Teachers: MFA, strong password policies, tight access controls (increased post-BEC incident)
- Students — access tailored by age:
- High school: strong passwords, optional MFA (as equity allows)
“We try to prepare them for the real world… as close as we can get...” (17:25 – 18:12)
- Middle school: moderate complexity
- Elementary: simple passwords, QR code logins for youngest, camera-enabled for ease
- High school: strong passwords, optional MFA (as equity allows)
- Innovative Student Authentication:
- Exploring picture-based MFA (e.g., student chooses a favorite sports ball) for ease and equity
“I had to come up with an easy solution for them to be able to sign in...” (19:11 – 20:20)
Cybersecurity Awareness & Culture
- Internal & Community Leadership:
- Participation in New Jersey Association of School Technology Officials to share tactics state-wide
- Phishing Simulations:
- Phish click rate dropped from 10% to 4% after mandatory training
“When I first started… we started phishing simulations… 10% phish click rate… last school year… went down to 4%.” (23:24 – 24:28)
- Engagement Strategy:
- Uses humor to make lessons stick (e.g., Jimmy Fallon segment as a cautionary tale)
“These people are trying to make you feel special...” (26:20 – 26:36)
Responding to AI/Deepfake Threats
- Awareness Without Fearmongering:
- Uses humorous, viral content to illustrate how easily people can be fooled
- Encourages vigilance and skepticism: "Think before you act. Consider all of the variables…"
“I'm not sure if you saw that video of the bunnies jumping on a trampoline... Half the room thought it was real and the other half thought it was AI...” (27:02 – 28:24)
- Practical Guidance:
- Don't trust everything online; always verify surprising requests
Superintendent’s Institute: Sharing Security Wins and Key Practices
- Core Security Hygiene Advice:
- Strong passwords everywhere (school and personal)
- MFA is a must—even if “annoying”
- Keep devices up to date
“If you have an iPhone that hasn’t been updated in three years, take the hour, put the phone to the side and update it.” (29:52 – 31:00)
- Automation Advances:
- Phishing alert/reporting tool automates remediation, making ops more efficient
- AI Tools Guidance:
- Use Google’s Gemini for sensitive work; anonymize student data before using generic AI platforms
Notable Quotes and Moments
- On Relatability in Cybersecurity:
“To change somebody’s mind is one of the hardest things that you can do. Maybe just reframing something or changing the way you describe something can change somebody’s outlook and perspective…” (09:39)
- On Resource Constraints:
“There are things that you can do to secure your environment that don’t cost anything... knowledge is just making sure that you’re setting up your systems… Doesn’t take money. It takes time and effort.” (33:48 – 34:56)
- On the Collective Mission:
“Every department’s important because we’re all trying to do the same thing—have efficiently run school that teaches kids.” (33:48 – 34:12)
Timestamps for Key Segments
- Mohamed’s Career Journey: 02:16–02:52
- Main Cyber Threats in K-12: 03:25–05:05
- Business Email Compromise Story & Aftermath: 05:18–08:17
- Changing the Cybersecurity Narrative for Buy-in: 08:17–11:38
- Chromebook & Cloud Security Strategy: 12:47–17:05
- Identity / Access Management for All Ages: 17:25–21:28
- Phishing Simulations & Training Impact: 22:35–24:28
- Making Security Fun and Relatable: 24:28–26:36
- AI/Deepfake Awareness & Staff Education: 27:02–29:52
- Key Advice for School Staff & Takeaways: 29:52–34:56
Final Takeaway
- “Put time and effort into securing your systems, you have a far better security baseline than a lot of the other schools that are out there... hopefully become such a deterrence that those threat actors decide to look somewhere else.” (33:48–34:56)
Tone: Friendly, conversational, and focused on practical, relatable solutions.
Audience: Security professionals in education; school administrators; IT leaders concerned with protecting young learners.
