How to Protect Your K–12 District from a Data Breach
Forty-six percent of organizations have experienced a serious data breach, according to CDW’s recent Cybersecurity Insight Report. And a quick scan of recent news demonstrates schools aren’t exempt from the risk of an attack.
Florida Virtual School, Victoria Independent Schools and Irvington School District are just a few of the most recent victims of data breaches where student names, dates of birth, staff Social Security numbers and other sensitive data have been exposed, stolen or held for ransom.
Unfortunately, when it comes to technical safeguards, the CDW report found that only 34 percent of IT pros are extremely confident their technology resources could mitigate risks over the next year. And just 30 percent are extremely confident their processes and people can stave off cyberattacks.
So how do you protect your school district’s valuable data?
Linnette Attai, project manager for CoSN’s privacy initiative and Trusted Learning Environment program, says there’s no one-time, fix-all solution. Instead, schools need to address data security as an ongoing exercise in risk mitigation.
But Attai suggests a good place to start is by ensuring you’ve addressed the fundamental elements of a solid data security plan, which include physical, technical and administrative safeguards.
Technology Safeguards: Scan, Assess, Protect
While technology is just one aspect of data security, it’s by far the most expensive element. But Attai, who is also president of PlayWell, LLC, a compliance consulting firm, says schools must have technologies in place to scan networks for vulnerabilities, perform penetration testing and run compromise assessments.
When it comes to technical safeguards, the CDW report found that to improve their cybersecurity risk posture, organizations are turning to a variety of powerful technologies. More than half of survey respondents have already implemented:
- Network access control (56 percent)
- Security assessment tools (54 percent)
- Supplementary email security (54 percent)
Administrative Safeguards: Put Clear Policies in Place
Even with solid technology protocols in place, one major security weakness plagues every school — human error.
According to Verizon’s 2018 Data Breach Investigations Report, organizations are “nearly three times more likely to get breached by social attacks than via actual vulnerabilities.” And in education, social attacks were present in 41 percent of breaches.
That makes data governance policies extremely important.
Along with ensuring only authorized personnel can access data, your policy should address why these rules are important and who’s responsible for enforcing them, as well as what sort of auditing and accountability measures will ensure the policy is followed.
But your policy can’t just sit on a server somewhere. “People need training and guidance,” says Attai. “We can’t expect them to be able to understand what we mean when we say ‘protect the privacy and security of data’ without giving them instructions on how to do that well.”
Physical Safeguards: Locks and Blocks Are Essential
Schools also can’t forget the importance of physically protecting their data. While it may seem simple, putting locks on the doors and having physical barriers to your servers is absolutely essential to data security.
As Attai explains, storing personal information is a tremendous responsibility, and organizations need to be educated and have the expertise and resources to protect that information properly.
“There’s no organization that is able to guarantee the security of its data. That just doesn’t exist in the world that we live in today,” says Attai.
“The keys are to really prepare and keep working on the program,” she says. “This is not something that gets fixed or addressed completely in one shot. It requires ongoing attention.”