Vendor security is an important concern for school districts as students become digitally native at young ages. When harnessed correctly, this technological proficiency lets educators maximize students’ learning potential. However, the dark side of increased internet access raises concerns about the safety of third-party-provided applications.
Districts are often scrambling for ways to ensure the integrity of the apps kids are using. While TikTok may be touted as having education-enhancing properties, America hasn’t imposed guardrails on the application’s reach into the classroom as some other countries have. The BBC reports that Douyin, China’s equivalent to TikTok, boasts an in-app design that limits a child’s presence on the app to 40 minutes per day. While we’re not there yet, there’s no doubt many educators would appreciate a little self-regulation from the vendor-provided platforms showing up in their classrooms.
They’re not the only ones expressing concern. Worries over data breaches, account takeovers, cyber attacks, and exposure to apps like OnlyFans and Chaturbate have left many district administrators pacing their offices while vendor app audit results load on their workstations.
Although there’s no easy answer, vendor risk management is a hot-button topic in K-12. Here we will provide insight into how you can mitigate the risk and streamline your vetting and monitoring processes.
Simply put, third-party risk management addresses the data security and student safety concerns described above, which are created by access to third-party applications. According to K12 SIX, the most significant threat to school data comes from third-party vendors, which were responsible for the majority of cyber incidents and data breaches in 2021.
The Record reports that cases like the Battelle for Kids incident, a ransomware attack targeting 500,000 students and 60,000 teachers in the Chicago area, led to cybersecurity policies like StateRAMP. The nonprofit aims to standardize cybersecurity efforts in the education space, focusing on K-12 entities.
School districts must implement best practice guidelines to effectively manage and reduce their potential attack surface. The basic tenets of a solid third-party risk management program will ensure that:
Before we discuss identifying threats and implementing risk management protocols, let’s take time to make a distinction.
Despite the need for vigilance about third-party applications, it’s important to note that most apps accessible to students aren’t malicious. On the contrary, they’re often designed with the best intentions to further their intended audience’s education and entertainment.
However, malicious actors may use these apps to infiltrate networks and devices. By taking advantage of user permissions that administrators have authorized, cybercriminals gain backdoor access to a district’s systems and are free to operate below your monitoring radar.
So, how do you identify where the risks lie?
Let’s examine the types of risks commonly associated with third-party cloud vendors.
The Infrastructure Investment and Jobs Act is set to provide $1 billion in federal grants to improve state and local government cybersecurity between 2022 and 2025. Aimed at enforcing monitoring and restriction capabilities to protect against students using unwanted apps, malicious cloud services, and poor security practices, the Act is an example of America’s recognition of the dangers associated with cybersecurity.
While oversight from developing federal policy will undoubtedly help, schools can take action immediately by creating a vendor risk management program.
Here’s how your district can implement measures to target and reduce its vulnerable attack surface:
ManagedMethods is a cloud security platform built specifically for K-12 school districts, which can help audit, monitor, and automate your district’s third-party apps. In addition, the platform makes securing data and detecting student safety signals in Google, Microsoft 365, and Zoom easy and affordable.
Let’s examine how implementing a cloud access security broker (CASB) for your schools can reduce the attack surface and aid your vendor risk management efforts.
We understand the appeal of cloud computing in the education sector and how applications like Google Workspace and Microsoft 365 are beneficial for many reasons. However, a CASB offers an additional layer of security for your connected apps and devices by providing visibility and control beyond where your firewall, native phishing filters, and content filter can go.
Vendor risk management software, like a CASB, can make the difference between a heightened risk level and a cloud-based architecture that is protected from attacks riding piggyback on your third-party apps.
To save your district from the operational risk associated with data privacy leaks and data breaches, consider deploying a CASB solution. Not only will you reduce your cyber risk, but you’ll take comfort in knowing your district is free to pursue an education-enhancing third-party relationship with reduced worry.
With the aid of ManagedMethods, your IT team can overcome the challenges of managing and monitoring apps with the support of a cloud security platform that makes these processes easier to perform.
ManagedMethods offers an API-based cloud security platform that doesn’t require a browser extension, proxy, agent, gateway, or virtual appliance.
We give your IT team visibility into what apps are connected to your Google and/or Microsoft 365 domain, assess their risks and/or educational appropriateness, and revoke access with the click of a button. Admins can also automate this process with a sanctioned/unsanctioned apps list and the use of policies.
Further, the auto-discovery of threats will immediately alert your administrators and IT teams to potential attacks so that you can take a proactive approach before your data and PII are exposed. By providing continuous visibility and control over the data stored in the cloud and vigilant monitoring of cloud activity, the platform helps your teams mitigate threats and effectively protect your students and educators.
ManagedMethods is certified FERPA, COPPA, and CSPC compliant by iKeepSafe. We’re also a Student Data Privacy Consortium member, a Student Privacy Pledge signatory, and a Consortium for School Networking (CoSN) cybersecurity initiative sponsor.
Simply put, we take the safety and security of your third-party applications seriously. To learn how ManagedMethods can assess your risk factor and protect your data and PII, take advantage of our free 30-day audit. Then, within minutes (well, a little longer for Microsoft 365 domains), you’ll be up and running without impacting your domain, data, or network.
Fair warning: ManagedMethods is hard to quit once you’ve started. Over 70% of school districts that take advantage of our 30-day free audit become active users. Book your free audit today to boost your operational resilience and see for yourself.