Security

What K–12 Technology Leaders Need to Know About Reducing Data Exposure

Webinar panelists note that basic tools are only the first step in keeping bad actors out of school networks.

Taashi Rowe is the managing editor for EdTech: Focus on K-12 magazine.

For hackers, K–12 student data is some of the most valuable information in the world, which means that data privacy plays a central role in any cybersecurity strategy. In CDW’s recent webinar “Building Cyber Resilience: Strategies for Strengthening Cybersecurity in K-12,” a panel of experts shared thoughtful approaches to helping schools harden their networks against bad actors.

Schools are “sitting on a lot of very clean data, and that’s what people are after,” explained Rob Chambers, vice president of platform strategies at Lightspeed Systems. Over the past few years, there has been an explosion of free and rogue apps, many of which IT staff may not have been able to vet, let alone enter into data privacy agreements with their vendors. And that’s if staff are even aware of the apps at all.

Easily Keep Track of Apps and Other Tools That Contain Data

According to data from Lightspeed Digital Insight, K–12 districts access more than 2,000 apps during the school year, on average.

“That's just an unmanageable task, really, to do on your own,” Chambers acknowledged.

He noted that schools also can’t ignore data privacy for these tools, which need to comply with federal and state laws mandating that schools protect student data privacy. K–12 schools across the nation have taken to drafting student data privacy agreements with vendors to ensure they follow certain data privacy guidelines.

Chambers said this is important because it starts the conversation about proper data sharing and the use of secure methodologies for accessing and using student data.

Click the banner below to watch a replay of the latest webinar and get updates on upcoming webinars.

A monitoring tool from a partner such as Lightspeed Systems can be vital in these instances. “With our Digital Insight tool, you are able to monitor those safety policies,” Chambers said. “It can tell you when there are updates and build approved apps into your workflows, as well as let you block apps that don’t meet your standards.”

He noted that schools can also use the software for hardware deployments and to manage devices and security policies. Monitoring software like Lightspeed’s can be particularly beneficial for keeping tabs on mischievous student hackers with access to the “school network, a lot of time on their hands and a lot of motivation,” he explained.

DISCOVER: Why data governance policies are a must for schools.

Keep a Tight Rein on Data Sharing

Educators and administrators are extremely busy, but they also have a stake in their schools’ cybersecurity. Still, it can be a challenge for them to safely share data without exposing personally identifiable information or protected health details.

“Schools are investing in tools that are focused on making sure that threats are being detected as they enter your network or your district,” said panelist Matt Sack, director of global business development at Virtru. However, there is “not nearly enough investment being made by districts and schools into securing information as it leaves your environment.”

Sack said it is critical to rectify this gap because, at the end of the day, teachers, administrators and students are handling and sharing so much sensitive data outside of the school organization.

He explained that IT teams can help reduce the cybersecurity burden on educators by providing them with security tools that are seamless, easy to use and won’t disrupt existing workflows.

He noted that Virtru’s tools are built directly into native platforms such as Google Drive, Gmail and Microsoft Outlook, making it easy for everyone to adopt data protection while sharing information with parents, government agencies, doctors and more.

DIVE DEEPER: Find out how cyber resilience gives schools an edge.

When sharing student records and other information with third parties, “you need data protection in place,” Sack said. “But if the encryption and data security tools you’re using are difficult to use, you’re really just going to frustrate the people you’re collaborating with, and people are going to go outside of the tools your school offers to share this data. Then that data is going to be compromised.”

In the case of email and file sharing, Sack added, Virtru’s tools allow senders to set expiration dates on the data sent or read, recall emails and files, and even revoke access after information has been viewed.

“If you really want to make sure that you have all your bases covered, you have to demonstrate that you care about your students’ and your teachers’ data,” he said. “Take proper ownership of that data and make sure you’re protecting it.”

When we’re sharing data from vendor to vendor, it’s that copying process that we call data sprawl, and this creates a significant risk.

Padraig O’Shea Chief Product Officer, Global Grid for Learning

Prevent Data Sprawl via Third Parties

Another challenge for schools is reducing data sprawl across platforms. With many K–12 schools understaffed, they often turn to technology vendors for a variety of solutions and services. While this can provide relief, it can also come with the threat of spreading data across multiple platforms.

Padraig O’Shea, chief product officer at Global Grid for Learning, said firewalls used to be the main tool to protect against data spread. However, “the reality is that Software as a Service or the vendor ecosystem in the cloud has created this security monster, and we call that monster data sprawl,” he said.

“This happens when we’re sharing data from vendor to vendor,” O’Shea continued. “It’s that copying process that we call data sprawl, and this creates a significant risk.”

He said Global Grid for Learning’s main mission is to help schools securely move data between vendors.

“Data duplication has really become standard practice,” O’Shea said. “And I think that the general sentiment is, well, everybody’s doing it, so it’s fine. But it’s not fine anymore. It’s like giving the keys to the vault to 1,400 different people, and we’ve got to do a little better.”

He noted that third-party risks are very real: 98% of organizations have a relationship with a third party that has been breached. He also acknowledged the tough spot that schools are in as digital transformation has become a game changer.

Global Grid for Learning helps schools connect apps without risking student data. Its privacy governance console can be implemented districtwide in about two minutes, O’Shea said.

The tool has a built-in artificial intelligence program that creates an inventory of school applications and scores data privacy risks for every vendor. Global Grid for Learning also provides data anonymization services and single sign-on for vendors, which eliminates the need to share data downstream.

Protecting Users from Unwittingly Sharing Their Data

Most schools have gotten the message that it’s important to offer consistent training to staff and students on how to protect themselves from phishing attacks. However, with social engineering now rampant, phishing attempts aren’t always easy to spot. So, while bad actors are designing new exploits to open up reinforced doors and windows on a school’s network, sometimes users are unknowingly giving those hackers a way in.

“Schools are battling it from both sides,” said John McInerney, an account executive at Identity Automation. So, they also need to offer a backstop to help protect their users.

He shared that students at one of the company’s customers were using a proxy service to circumvent content filters for gaming. What students did not know was that the proxy service was actually a malicious credential-harvesting site phishing for their usernames and passwords.

McInerney said in cases like this most schools would attempt to lock out bad guys with content filtering, then single sign-on and multifactor authentication. However, schools can benefit from a third layer of security with Identity Automation’s PhishID, a point-of-click solution.

In the case of the students attempting to circumvent the content filters, “we enable AI to basically use computer vision in the browser itself to stop people from spear-phishing attempts in real time,” McInerney explained.

Panelists wrapped up the webinar by noting that as threats against school networks continue to evolve, so should K–12’s cybersecurity strategies. A multilayered approach to protect student and staff data is critical.

UP NEXT: Learn how data loss prevention can protect K–12 schools.

Continue Learning with Additional Webinars

Sign up here to watch the replay of the webinar. You can also check out CDW Education’s robust library of on-demand webinars, with content on device deployment, esports, artificial intelligence and more.

gorodenkoff/Getty Images