District technology leaders once again named cybersecurity as their top priority, yet school districts continue to be victims of cyber attacks. In fact, K-12 education is now one of the most targeted industries. Why?
Cybercrime has evolved, but cybersecurity strategies have not. While K-12 education is a leader in cloud adoption, driven by adoption of Google workspace and Microsoft 365, districts often do not secure it properly.
School leaders understand the benefits of the cloud. Students and staff collaborate on homework, communicate with each other, and access important school resources in the cloud. With the help of Google and Microsoft, all of this activity can happen anywhere and anytime.
K-12 districts have even been leaders in adopting cloud collaboration technology. However, for administrators who are not directly involved in the technology, cloud security is somewhat new and neglected. Here are three reasons why.
1. A culture of sharing and accessibility in education
Fundamentally, kindergarten to grade 12 education promotes a culture of knowledge sharing and accessibility. It gives students the freedom to explore new ideas, collaborate and learn from each other.
It also goes against the base cybersecurity practices that technology leaders encourage. For example, staff and students are more likely to share files, personally identifiable information, images, and passwords without thinking about the implications for privacy and data security. And the passwords created are weak, which makes them easy to remember and guess.
We have also seen many examples of administrator level access being granted to staff members who do not need it. This may seem like a good idea to those who do not understand the seriousness of the risk this creates. Most school data breaches and ransomware the attacks are the result of a staff member victim of a phishing attack. Imagine how much more damaging it becomes if the person who clicked on a Phishing link provided the criminal direct access to the entire domain.
In addition, remotely and blended learning are here to stay. Our traditional idea of the classroom has changed forever. Students and teachers can create and share from anywhere, putting districts in a difficult position.
How does your district protect classroom activity that takes place outside of classrooms? Your firewall and content filters focus on school networks and managed devices. These tools are still important and necessary. However, when students and staff use home networks and personal devices to connect to their school accounts, the protections you put in place may become much less effective.
Administrators not involved in tech don’t want cybersecurity to interfere with teaching and learning. This makes it difficult to implement new cybersecurity measures aimed at improving security, and also puts school districts at risk.
2. Lack of understanding on the part of district leaders
The biggest hurdle that technology leaders face is budget. This stems from a lack of cybersecurity knowledge and buy-in on the part of government leaders and, in some cases, school boards.
A district administrator has many high priority initiatives and a limited budget. These initiatives include needs such as increased connectivity and accessibility for students, devices that everyone can use, and network and endpoint security to protect everything. Most, if not all, of technology purchases and improvements are based on student results. Therefore, classroom technology is allocated the largest part of the budget. In most states, education must spend about 80% of its technology budget on the classroom. The remaining 20% goes to an operational budget, which includes cybersecurity.
From the many conversations I have had with district leaders, it is clear that cybersecurity is poorly understood and seen as too complicated. The easiest option is to ignore it, resulting in a lack of funding for new cybersecurity initiatives. When the district has a firewall in place, it can be hard to believe that it needs more resources. However, as the many cyber incidents that continue to plague neighborhoods illustrate, this level of protection will not be enough. Districts Need Cloud Security in addition to their traditional protections.
We don’t just see these misunderstandings when it comes to cybersecurity. Confidentiality of student data school district regulations are also poorly understood. Districts must adhere to regulations such as the Family Educational Rights and Privacy Act, the Children’s Online Privacy Protection Act, and Internet protection law for children. While they frequently are, it’s important to note some of the common misconceptions, especially about CIPA.
In addition to preventing students from visiting inappropriate websites, CIPA requires districts to address “the safety and security of minors when using email, chat rooms, and other forms of communication. direct electronic communications ”.
This means that communications in cloud programs fall under CIPA requirements. The sad reality is that some staff and students will misuse the emails, file sharing, chat apps, and collaborative documents provided by the school. Districts should be able to detect these activities and remove them if the content is inappropriate for minors, as defined in CIPA.
3. Unique security challenges in education
Education is one of the sectors most targeted by cybercriminals, and district IT teams face challenges that other sectors do not have to consider. For example, districts do not have as many trained and experienced cybersecurity professionals. It can be more difficult for a school to find an IT manager with specific knowledge of cloud security.
Additionally, MFA is not used as much as it should be for cloud software, but this challenge goes beyond the use of MFA itself. In an educational setting, MFA poses its own complications. When deciding to use it, an IT team should consider a few questions.
What complications can arise for students – will it make it burdensome for them to access their schoolwork? Can schools require teachers to use personal devices for AMF? Do they need to purchase MFA keys or school-provided mobile devices for staff? Is there room in the budget for this? AMF is relatively easy to implement in a business, but not so much in a school district.
Another unique challenge for school districts is that cloud-specific cybersecurity tools are often aimed at businesses. This makes it particularly difficult for a underfunded IT team short on budget, staff or training to effectively use these tools. When we talk to CTOs, the problem we often hear is that the tools take too long to use and impossible to keep up with. This problem becomes exacerbated when IT teams are faced with many other school incidents simultaneously.
School district IT teams need tools designed to help them easily and efficiently accomplish basic cybersecurity tasks. Your staff are likely to have some level of access to district information, and your IT team should be able to quickly see this activity, while protecting your district from growing cyber attacks targeting schools.
Looking to the future in cloud security
The cloud is the newest layer of technology in K-12 districts, and district IT teams continue to call for more attention. With the cloud, a school’s technology team can lose visibility and control. District administrators should work with their IT teams to strike a balance between implementing cloud security tools and ensuring that they don’t negatively affect the culture of sharing and accessibility that education has. always had.
For each cybersecurity incident that targets a school district, the importance of cloud security becomes more obvious. Efforts to strengthen cloud security in schools are already underway, but we still have a way to go. It’s important for admins to talk to their IT teams and look beyond what cybersecurity has traditionally entailed, as the threat landscape has changed and will continue to do so.