Steps for Stronger Data Security in K–12 Schools
1. Make Admins Aware of Data Security’s Importance
The first step is making sure administrators and top-level decision-makers are aware of the importance of securing data. “It has to do with how people perceive data privacy,” Lombardo says. “Until there’s been some kind of compromise, it doesn’t seem real.” K–12 IT professionals can bring attention to the risks by reminding district leaders that there is a shared responsibility with vendors to keep data safe. Laying out the potential consequences of a data breach — such as bad press or harm to students and teachers — can also raise support for stronger protections.
2. Implement Data Privacy Policies and Provide Resources
Once administrators are aware of the importance of data privacy, they can create policies to maintain the safety of data within the district. These policies should cover who can share what information, who can access certain resources and more. “If you put a policy in place, you have to provide the resources to enforce it, be they internal resources or external,” Sander says.
3. Identify Where Student and School Data Are Stored
The next step is identifying where all the district’s data assets are stored. This includes data in the cloud and data on-premises. Look at what data is stored there, how sensitive it is and who has access to it.
“We’ve gone through audits looking at things that vendors want, and there might be a reading program for kindergarten through third grade that’s requesting data down to the level of the stepparent’s cellphone number,” Lombardo says. “In a lot of cases, the vendor will ask for all the data and hope that you give it to them.”
4. Identify Vulnerabilities
Once districts have identified where data is stored and what that data looks like, they need to identify where there are risks and vulnerabilities. “There are multiple ways that data can leak out of a platform,” Sander says. “Certainly, you see in the news the hacking and ransomware stories, but what doesn’t make the news is inadvertent sharing — in many cases, from the inside — with people who shouldn’t see certain files or email attachments.”
5. Make Plans for Data Privacy Remediation
Identification is the first step in solving the data security puzzle, but the bulk of the work may need to be done in remediation. School leaders should consider everything from training users in basic security hygiene to the implementation of data loss prevention systems.
ManagedMethods has “made it as easy as possible for a school to set up policies around data protection and data sharing,” Sander says. The company has tools to keep vulnerable data safe, including a tool that allows IT teams to remotely access users’ inboxes and delete risky files, whether it’s a mass phishing email or an attachment that went to the wrong recipient.
Schools should also establish data sharing agreements with vendors up front. These agreements lay out clear guidelines for what vendors can do with data, how long they’ll hold on to it and the conditions under which they’ll destroy it.
Traditionally, Lombardo says, administrators are concerned with data privacy measures like the Family Educational Rights and Privacy Act, but “the bar for FERPA is really low. Basically, you only have to notify your families of your data policies.” Having up-to-date data security policies in place can help district administrators shift their focus to cybersecurity that better suits the modern classroom.