May 04 2023

Do Schools Have the Funding to Manage Third-Party Risk?

As the federal government rolls out recommendations for stronger cybersecurity, K–12 budgets struggle to support upgrades.

The recent government attention on K–12 cybersecurity has, in many ways, benefited school districts by raising awareness of security threats. However, schools can’t take action to meet the government’s recommendations without funding. They don’t have the budgets to implement the cybersecurity solutions the Cybersecurity and Infrastructure Security Agency deemed necessary.

“One of terms you see a lot is ‘unfunded mandate,’” says Jim Siegl, a senior technologist for the Future of Privacy Forum. “Regulation gets passed, and there aren’t any additional resources for schools to hire a privacy officer or someone to manage cybersecurity measures.”

In some cases, state governments are providing financial resources to help schools meet cybersecurity requirements, Siegl says. “Utah has done a pretty good job in terms of providing funds for complying with the privacy laws that they pass for schools, but that’s certainly an exception.”

K–12 schools are facing significant threats when it comes to third-party risk. Districts need to recognize which applications their users are running and how the apps are collecting and storing data. This often requires someone in IT with cybersecurity expertise or the help of an outside party, both of which schools struggle to afford with limited budgets.

Click the banner to explore additional data security resources from CDW.

“You need funding from the federal and state governments to provide resources for these schools to take action,” says David Waugh, chief revenue officer of ManagedMethods. “That’s why there’s so much attention now on E-rate and pressure on the FCC to overhaul E-rate.”

E-Rate Funding’s Limitations Exclude Needed Cybersecurity Solutions

Organizations including the Consortium for School Networking and Funds for Learning are petitioning the Federal Communications Commission to expand the technologies and solutions that qualify for E-rate funding. The funding is intended to provide broadband internet to K–12 public schools and libraries. But 99 percent of public K–12 schools in the country have had sufficient fiber-optic connections for online learning since 2019, according to a report from Education Superhighway.

E-rate covers some cybersecurity technologies at this time, including firewalls and other network products for schools. Often, these security measures don’t protect schools from risks such as third-party data breaches.

“That’s the No. 1 threat vector today, not the traditional old network, and yet there’s no funding for it,” Waugh says.

READ THE INTERVIEW: How should schools teach cybersecurity to staff and students?

Schools Can Turn to Online Resources and State Funding

School districts can find free and low-cost resources to help them manage third-party risk.

“The Department of Education has a group called the Privacy Technical Assistance Center, which does technical assistance, and it’s a fantastic resource that puts out guidance for schools,” Seigl says. “Organizations like Common Sense Media have put together a division that looks at and rates educational software privacy policies, and CoSN provides a privacy toolkit that covers understanding the laws and vetting applications. It also provides a set of 25 best practices for schools as part of its trusted learning environment.”

Moore Public Schools in Oklahoma is working on its TLE certification, but the district has also funded its data privacy and application vetting efforts with the help of the Oklahoma Society for Technology in Education.

“Our district had been phenomenal about pushing this to other districts,” Jun Kim, the district’s director of technology, says about Moore Public Schools’ efforts to earn the TLE certification. “It got the attention of our state Department of Education and folks over at the Oklahoma Office of Management and Enterprise Services.”

DIVE DEEPER: Moore Public Schools takes strong data protection measures.

There are many avenues through which schools can pursue or push for cybersecurity funding. Protecting student and staff data from third-party breaches can save schools more than money; it can protect their reputations in a world where cybercriminals are targeting the most vulnerable users.

dem10/Getty Images

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.