Cloud computing may be on the rise in K–12 schools, but a recent survey from CDW shows K–12 IT workers still have many concerns. First and foremost: the security risks associated with operating in cloud environments.
According to CDW’s K-12 Cloud Possibilities Infographic, 46 percent of K–12 IT professionals say security concerns still represent major barriers to cloud computing.
The top security risks facing schools right now include data breaches and insufficient due diligence, which were highlighted in the CDW white paper “Playbook: Overcoming Cloud Security Concerns.”
But K–12 technology leaders, including those at Houston Independent School District (HISD), also say failing to educate users on cloud safety poses a serious security risk for schools.
While cybersecurity experts and IT professionals recognize these are valid concerns, they say schools should learn how to thwart these risks rather than avoid using cloud-based services and miss out on their benefits.
The top 3 cloud concerns for K–12 are:
1. Data Breaches
A data breach, where an unauthorized party gains access to data, is a particularly serious threat for schools. Attackers can get their hands on attendance records, medical data, phone numbers, addresses and even social security numbers, leaving hundreds if not thousands of staff and students vulnerable.
According to the Privacy Rights Clearinghouse, 727 breaches occurred at educational institutions between 2005 and 2014, resulting in more than 14 million records being made public.
In one example, attackers gained access to the e-mail accounts of 1,400 employees of Provo City School District in Utah, in October 2014, after an employee mistakenly clicked on a phishing link in an email.
Daniele Catteddu, chief technology officer of the Cloud Security Alliance, says encryption is a key way to protect against data breaches.
“In many cases, the encryption of data is not part of a standard contract. It should be added as an additional service, or it should be brought in by plugging in an external security service,” he says.
2. Insufficient Due Diligence
Adopting cloud technologies isn’t a quick and easy process. IT professionals need to fully understand what they’re signing up for, plan for the risks and negotiate how they will protect themselves before signing a contract.
Dan Manson, chair of the computer information systems department at California State Polytechnic University, Pomona and host of a weekly YouTube cybersecurity competition, recommends asking the following questions before moving to a cloud service.
- How will your provider back up your data?
- What steps will be taken to protect your data?
- Does the service meet Family Educational Rights and Privacy Act requirements?
- Will the provider share your data? What are their data sharing policies?
- Do you understand the details of the proposed service-level agreement?
Requirements gathering should in fact be an integral step before any school district moves to the cloud.
“The moment of sitting down and collecting requirements on paper is the fundamental step before any school goes to the cloud,” says Catteddu. “You want to make sure you’re taking care of the backup of the data, the encryption of data, etc. This very basic stuff can really change the outcome of a negative action.”
3. Failing to Educate Users on the Risks of Cloud Applications
For Lenny Schad, chief technology information officer for HISD, the biggest risk for K–12 school systems today isn’t district-purchased cloud services.
“It’s these cloud-based applications that teachers are signing up for on their own without understanding what the data sharing agreements are with these cloud providers,” he says.
SOURCE: Houston ISD via YouTube
Other districts see this risk and are working to educate teachers and protect their data. In fact, HISD, along with 100 other school districts, recently worked with Common Sense Media to create the District Privacy Evaluation Initiative. The initiative rates the safety, security, privacy and compliance of applications. Results are posted to the Common Sense Media website to help teachers choose cloud applications wisely without putting schools at risk.
Schad says the best way to protect against this particular security risk is to raise awareness. He suggests creating a mandatory data privacy awareness program, not just for teachers but for all staff and students.
“At the end of the day, it’s a two-legged approach: We’re continually looking at security from a technology perspective, and we’re heightening the awareness of our user community so they are much more cognizant about this issue and spend time looking at some of the terms and conditions.”