Emerging Educational Concerns in an Online World
Classroom technology offers key student opportunities, but the rapid uptick of connected student solutions also creates the potential for malicious actors to compromise critical data locks. To effectively secure IT, schools must identify the most common paths to cybersecurity compromise:
- Cyberattacks: Educational institutions are increasingly targeted by cyberattackers: Schools in Florida and Maryland were recently victimized by ransomware, while a Connecticut district was compromised twice in the past 12 months.
- Accidental insider breaches: A recent study found that 91 percent of IT pros feel vulnerable to insider threats, and 62 percent believe the biggest threat comes “from the well-meaning but negligent end user.” This is critical for schools; students, teachers and even parents may unwittingly post sensitive information or click on malicious links.
- Misconfigured controls: Insecure database controls, limited oversight and too-broad admin account privileges can put schools’ data at risk of attack.
- Hardware or software vulnerabilities: For many school districts, it makes more sense to partner with IT platform providers than to create new software from scratch — for example, APS uses a credentialing platform to manage its digital badge initiative. This introduces the problem of third-party risk: If systems don’t meet security expectations, schools are ultimately responsible
- Cloud security concerns: While connected cloud resources offer both speed and flexibility, Rob Clyde, executive chair for White Cloud Security’s board of directors, notes that the digital distance between schools and provider means “they may not recognize they’ve been compromised.”
5 Ways to Find a Balance Between Technology and Vulnerability
When it comes to connected solutions, “it’s not the tools, it’s what you’re doing with them,” Riebau says. This is true for the classroom — students and teachers must have access to the right services at the right time — and similarly applicable for security. How schools use and monitor tools makes all the difference between safeguarding student data and increasing security risk.
To protect IT, schools must deploy five cybersecurity best practices:
Prioritize least privilege: Limiting cybersecurity risks means taking a zero-trust approach to access. Grant students, teachers and parents the least amount of access they need to complete tasks and leverage tools. While it’s always possible to increase access on-demand, reducing access after a breach is too little, too late.
Encrypt everything: Clyde says there’s a simple rule for protecting digital assets: “For any kind of data, always encrypt.” Also worth noting? It’s never a good idea to embed decryption keys in application code, and while tools like in-app obfuscation can help frustrate attackers, they’re not enough in isolation.
Educate users: Connected classroom technologies are rapidly becoming intuitive to operate and understand, but security takes work. From regular email and in-school reminders about safety practices to on-file nondisclosure agreements to ensure schools are meeting regulatory mandates, education and information matters.
Have an end-of-life plan: What happens to device and network data when students leave school? At APS, Riebau and the IT department provide graduates with “the steps needed to port their data to external domains.” If students don’t want their data, schools need archiving and deletion plans in place.
Choose wisely: School budgets make it impossible to build connected classrooms from scratch; third-party providers are critical to delivering digital experiences and underpinning administrative tasks. The key? Choosing wisely. Clyde recommends opting for experienced providers that won’t suddenly vanish with digital data, and backing up service promises with detailed service-level agreements that specify remedies in the event of data compromise.
The Fight for Security Is Ongoing
Finding cybersecurity balance isn’t about speed. It’s a step-by-step process that requires school districts to take ownership of IT initiatives, recognize the inherent challenges of secure IT and deploy IT protection strategies capable of reducing risk without constricting connectivity.