There is no data privacy without data security
Simply put, cloud data breaches are a threat to student data privacy. In K-12, there is an awareness issue with cloud data breaches. What are they, how are they different from on-prem data breaches, and why they are a problem for student data privacy.
Some school districts tend to concentrate on protecting student data from unauthorized use by vendors and advertisers. That isn’t wrong since student data privacy and 3rd party apps is something you need to address. But you must recognize that it’s just a part of your district’s responsibility for protecting student data privacy and security.
What Are Cloud Data Breaches?
What is a data breach? A data breach occurs when information is exposed or taken from your systems without your knowledge or authorization. Cloud data breaches simply refer to the exposure of data that is stored and shared in your cloud applications, such as Google for Education and Microsoft 365.
Cloud data breaches have similarities and differences to data breaches from on-prem servers and information systems. One of the main differences is that cloud data breaches can be more difficult to detect and remediate. This is because the data lives outside of your network—in the cloud—and those in charge of district data security often have less visibility and control over cloud apps. This is particularly true if you’re only relying on native security tools, such as those provided in Google’s Admin Console.
There are three common causes of data breaches that haunt district IT teams.
- Accidental: Mistakes by authorized users can easily cause cloud data breaches, and often do. This is the most common source of a cloud data breach. All it takes is for someone to set the wrong document sharing settings or lose their laptop.
- Internal Criminal: When someone in your community wants to steal data, it’s difficult to detect in the cloud without a cloud monitoring tool. This can happen in a number of situations, such as when a disgruntled employee or contractor decides to take data with them when they leave the district.
- External Criminal: Hackers often target schools because of the amount of data you gather and store. An outside attack can come in many forms, including a phishing attack, or account takeovers.
For most districts, protection against data breaches takes the form of network security such as firewalls or MTAs. Those same districts are using cloud applications such as Google for Education and Microsoft 365 to store and share sensitive data. Network security doesn’t protect these cloud applications. If you don’t have zero trust cybersecurity protections in place, this data is at a high risk of exposure.
How Do Cloud Data Breaches Relate to Student Data Privacy?
It’s impossible to ensure student data privacy if that data is subject to cloud data breaches.
When a data breach occurs, personally identifiable student data is often exposed. There is also the risk of exposing other types of sensitive data, including employee PII, W-2, and other tax information, and district financial information.
In 2019, 60% of all school cybersecurity incidents involved a data breach.
As you know, there are student data privacy laws that require your compliance, which include data loss prevention regulations. And, it’s such an important issue that state student data privacy laws have been passed to supplement where outdated federal laws leave gaps.
How are Cloud Data Breach Risks Different?
Perimeter-based security doesn’t sufficiently protect access to the district data that is in your cloud apps. The data is stored in the cloud, not on your network or on-premise server. Therefore, the data is outside of your network and isn’t protected by your network security.
Further, access to the data is increasingly originating from outside of your network. This was already the case before COVID-19 induced remote learning and working. The pandemic simply amplified and accelerated this behavior. Student data privacy in remote learning will be an ongoing problem. In many cases, you simply have no control over access to your district’s data.
Cybercriminals will get past your perimeter security using phishing, social engineering, weak passwords, or risky 3rd party apps. Once they’ve managed to take over user accounts, they can use the permissions of those accounts to have free range within your cloud apps.
You also have nearly zero visibility or control over staff members who send or share sensitive and protected PII improperly. Whether that sharing is due to ignorance or accident, it’s still creating a massive student data privacy liability.
EdTech and Cloud Data Breaches
The EdTech industry is growing rapidly. It’s another trend that was growing before and has been fueled into hyperdrive by the pandemic. Experts predict that the EdTech industry will continue to have a big impact on learning even after the pandemic and remote/hybrid learning has subsided.
EdTech security risks are even more complex due to the existence of “shadow” EdTech. While you may be putting procedures in place to control the EdTech brought into the classroom, there are still applications that users may be able to connect to your district’s cloud environment using OAuth that you don’t know about. These risks can include account takeover, data loss, and general disruption of the classroom.
OAuth is handy for users. They can access applications using their credentials from another application on a different server rather than creating a new login. OAuth uses access tokens to log in to the new application.
Unfortunately, OAuth risks exist because a hacker can easily create an app to obtain access tokens from unsuspecting users. Hackers can gain access to your applications while avoiding password and two-factor authentication protocols. They can also accomplish this by exploiting a legitimate application’s security vulnerabilities.
Cloud data breaches are a serious threat to student data privacy. And, you know why student data privacy is so important. It goes beyond just the need for compliance. When hackers gain access to student data, the resulting attacks can have long-term effects on students and their families.