Oct 04 2019

Balancing Act: Cybersecurity in the Connected Classroom

While emerging digital tools are opening doors for students, schools must be sure integrations do not also open a window for bad actors.

With K–12 schools leveraging connected technologies to help improve student outcomes and boost classroom collaboration, effective cybersecurity is not optional. It’s essential to meet student expectations and to satisfy state regulations.

This requires a balancing act: How do educators leverage connected technology without putting student data and other critical information at risk?

With National Cybersecurity Awareness Month (NCSAM) in full swing, it’s the perfect time for schools to identify key risks and develop effective security solutions.

BECOME AN INSIDER: Sign up access to exclusive EdTech videos, whitepapers and articles.

The State of STEM Classrooms

Science, technology, engineering and math initiatives are helping students nationwide prepare for STEM-track careers, but they’re also gaining traction as fundamental aspects of the K–12 curriculum.

This creates a potential cybersecurity gap: Greater adoption of connected tools provides enhanced student opportunity but requires increased oversight of how data is stored, managed and utilized.

Consider the work of Aurora Public Schools, which serves more than 60 area schools and was recently recognized as a leader in education by nonprofit group Colorado Succeeds. According to Kevin Riebau, Director of Learning Resources for APS, the school district is leveraging several connected classroom initiatives to empower student outcomes and launch IT deployments, including:

  • Google Classroom Tools: For Riebau, cloud-based solutions “help manage the day-to-day sharing of resources” among students and staff, creating “feedback loops” that let students develop their own digital footprints. 

    The challenge? Ensuring cloud services provide a secure environment for data storage and comply with current legislation.

  • AR and VR Experiences: APS is now deploying both augmented reality and virtual reality experiences for K–12 students, including “expeditions” for elementary and middle school students and VR-based postsecondary tours for high school students. As noted by Riebau, “It’s not always practical to conduct college tours physically,” and VR lets schools bridge the gap. K–12 schools are also diversifying their device footprints, using everything from school-issued laptops to interactive touch panels. Here, accessibility matters. Who has access to this technology? For what purpose? How is use tracked, cataloged and stored for potential cybersecurity audits?
  • The APS Digital Badge Program: The APS Digital Badge Program uses microcredentials to describe student success across five key areas: collaboration, critical thinking, information literacy, invention and self-direction. Riebau describes the program “as a way to recognize student assets and open doors of opportunity.” Once in high school, students can choose to move their badges from internal networks to public-facing social sites such as LinkedIn. But making this shift from private to public networking introduces risk. Both students and teachers need training on how to effectively handle credentials in-house and ensure the move to public networks doesn’t compromise local data storage.

Emerging Educational Concerns in an Online World

Classroom technology offers key student opportunities, but the rapid uptick of connected student solutions also creates the potential for malicious actors to compromise critical data locks. To effectively secure IT, schools must identify the most common paths to cybersecurity compromise:

  • Cyberattacks: Educational institutions are increasingly targeted by cyberattackers: Schools in Florida and Maryland were recently victimized by ransomware, while a Connecticut district was compromised twice in the past 12 months.
  • Accidental insider breaches: A recent study found that 91 percent of IT pros feel vulnerable to insider threats, and 62 percent believe the biggest threat comes “from the well-meaning but negligent end user.” This is critical for schools; students, teachers and even parents may unwittingly post sensitive information or click on malicious links.
  • Misconfigured controls: Insecure database controls, limited oversight and too-broad admin account privileges can put schools’ data at risk of attack.
  • Hardware or software vulnerabilities: For many school districts, it makes more sense to partner with IT platform providers than to create new software from scratch — for example, APS uses a credentialing platform to manage its digital badge initiative. This introduces the problem of third-party risk: If systems don’t meet security expectations, schools are ultimately responsible
  • Cloud security concerns: While connected cloud resources offer both speed and flexibility, Rob Clyde, executive chair for White Cloud Security’s board of directors, notes that the digital distance between schools and provider means “they may not recognize they’ve been compromised.”

MORE ON CYBERSECURITY: Check out why K–12 schools should choose to upgrade to a next-generation firewall.

5 Ways to Find a Balance Between Technology and Vulnerability

When it comes to connected solutions, “it’s not the tools, it’s what you’re doing with them,” Riebau says. This is true for the classroom — students and teachers must have access to the right services at the right time — and similarly applicable for security. How schools use and monitor tools makes all the difference between safeguarding student data and increasing security risk. 

To protect IT, schools must deploy five cybersecurity best practices:

  1. Prioritize least privilege: Limiting cybersecurity risks means taking a zero-trust approach to access. Grant students, teachers and parents the least amount of access they need to complete tasks and leverage tools. While it’s always possible to increase access on-demand, reducing access after a breach is too little, too late.

  2. Encrypt everything: Clyde says there’s a simple rule for protecting digital assets: “For any kind of data, always encrypt.” Also worth noting? It’s never a good idea to embed decryption keys in application code, and while tools like in-app obfuscation can help frustrate attackers, they’re not enough in isolation.

  3. Educate users: Connected classroom technologies are rapidly becoming intuitive to operate and understand, but security takes work. From regular email and in-school reminders about safety practices to on-file nondisclosure agreements to ensure schools are meeting regulatory mandates, education and information matters.

  4. Have an end-of-life plan: What happens to device and network data when students leave school? At APS, Riebau and the IT department provide graduates with “the steps needed to port their data to external domains.” If students don’t want their data, schools need archiving and deletion plans in place.

  5. Choose wisely: School budgets make it impossible to build connected classrooms from scratch; third-party providers are critical to delivering digital experiences and underpinning administrative tasks. The key? Choosing wisely. Clyde recommends opting for experienced providers that won’t suddenly vanish with digital data, and backing up service promises with detailed service-level agreements that specify remedies in the event of data compromise.

The Fight for Security Is Ongoing

Finding cybersecurity balance isn’t about speed. It’s a step-by-step process that requires school districts to take ownership of IT initiatives, recognize the inherent challenges of secure IT and deploy IT protection strategies capable of reducing risk without constricting connectivity.

AndreyPopov/Getty Images

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.