A recent survey by EdWeek Research Center and ManagedMethods uncovers a cloud security “achievement gap”
Over the past several months, we partnered with EdWeek Research Center to survey K-12 technology leaders, decision-makers, and influencers to try to gain a better understanding of how they perceive cloud security. Responses to the survey uncovered what can only be described as a cloud security achievement gap in school districts. The findings are published in our recently released report: What You Don’t Know Can Hurt You.
We talk with a lot of district leaders every day, and several of the findings weren’t overly surprising. We hear a plethora of cloud security myths being repeated out there that are absolutely putting student and district data at risk.
What did surprise us in the survey results was the genuine lack of knowledge among decision-makers and influencers about where their data is stored and how it is protected, even at a basic level.
District Leaders Show Significant Gap In Cloud Security & Safety Concerns
District technology leaders and influencers seem to have a healthy concern about student safety issues online. 88% reported feeling somewhat or very concerned about student mental health, self-harm, and suicide issues in their district. 85% responded that they were somewhat or very concerned about cyberbullying and threats of violence being communicated on school-provided technology.
But those concerns drop off significantly when it comes to securing students’ data.
The same group of respondents reported feeling UNconcerned about:
- Ransomware, malware, and phishing threats: 21%
- Data breaches or leaks: 37%
- Theft of district finances: 56%
- Compliance with student data privacy regulations: 45%
- Existence of “shadow” technology accessing district data: 44%
The lack of concern for these threats is deeply disturbing. It’s understandable that district leaders want to do everything they can to keep their students healthy and safe from a physical and mental wellbeing standpoint.
But it’s clear that there is a real lack of understanding regarding how data security and privacy impact students’ safety and wellbeing.
One extreme example is the case from 2017 when Dark Overlord hacked multiple districts across several states, leaked student data, and texted threats of violence against kids to their parents. Johnston School District, just one of the victims of the attack, recently reported to Axios that they continue to be the target of ongoing and increasingly sophisticated attacks.
Ransomware is top-of-mind for many district leaders today, likely due to the amount of attention it gets in the media, not to mention the hefty sums that districts have spent from limited funds to recover from an attack, whether they pay the ransom or not. This is probably why ransomware, malware, and phishing get at least a relatively healthy amount of concern from district leaders, compared to the other cybersecurity risks we surveyed.
But, interestingly, data breaches/leaks are by far the most prevalent cyber incident type impacting schools, according to ongoing research by Doug Levin at K12 SIX. Meanwhile, 37% of district technology leaders and influencers reported being unconcerned about such incidents.
3 Simple Steps To Understanding Your District’s Cloud Security Risks
1. Conduct a simple cloud risk assessment
A cloud risk assessment doesn’t have to be super complicated. If you’re just getting started, you can run an audit report to find issues of common concern.
A good place to start is to see if sensitive, personally identifiable information is being improperly shared with accounts that shouldn’t have access to it. This is by far the most common issue we see when we start work with a new district.
Another relatively easy, yet commonly overlooked cloud security risk involves 3rd party OAuth apps. Many states have started putting rules and reporting requirements around 3rd party edtech apps and the data that schools are sharing with vendors. But, from a security standpoint, this issue goes further. These apps, whether malicious or not, can be used to improperly access account controls and sensitive data. They should be monitored and controlled.
2. Audit account behavior
Behavior analysis plays a big role in modern zero trust cybersecurity. A cloud behavior security audit can uncover hidden issues in your district’s cloud applications, such as:
- Account takeovers
- Login attempts from unusual locations
- Sudden spikes in user activity
- Lateral phishing
- Changing admin privileges
- Unusual and/or inappropriate file sharing and downloading
- Risky or unauthorized OAuth permissions
3. Check for risks in content stored in your cloud apps
Very similar to behavior analysis, a cloud content security audit looks at what content is being stored, accessed, and shared in your district’s cloud apps. This will help you take action to revoke inappropriate sharing, remove risky 3rd party apps, and more. Common content risks we see flagged in district cloud apps include:
- Improper sharing of Personally Identifiable Information (PII)
- Improper sharing of payment information
- Malware and phishing content in emails, shared drives, files, and attachments (yes, these do often get through native Microsoft and Google phishing filters, as well as additional perimeter-based phishing and malware technology)
- Inappropriate and explicit content that could create CIPA compliance issues
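The sharing and OAuth checks from steps 1 and 3, as an added example that is not from the report or any vendor's product: it flags files with SSN-shaped content that are shared outside the district or by public link, and lists apps holding broad OAuth scopes. The export records, their field names, and the `district.example` domain are constructed assumptions; the scopes are Google OAuth scopes picked for illustration.

```python
import re

DISTRICT_DOMAIN = "district.example"        # assumption: constructed domain
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # US SSN-shaped strings only
# Scopes granting full Drive, full Gmail, or directory user management.
BROAD_SCOPES = {"https://www.googleapis.com/auth/drive", "https://mail.google.com/",
                "https://www.googleapis.com/auth/admin.directory.user"}

# Constructed sample export; field names are hypothetical, not a vendor schema.
FILES = [
    {"name": "roster.csv", "shared_with": ["aide@district.example"],
     "link_sharing": "domain", "text": "Jane Doe, SSN 123-45-6789"},
    {"name": "bus-list.xlsx", "shared_with": ["parent@mail.example"],
     "link_sharing": "off", "text": "John Roe 987-65-4321 route 4"},
    {"name": "newsletter.docx", "shared_with": [],
     "link_sharing": "anyone", "text": "Spring concert is May 3"},
    {"name": "lunch-accounts.csv", "shared_with": [],
     "link_sharing": "anyone", "text": "acct holder SSN 111-22-3333"},
]
GRANTS = [
    {"user": "teacher1@district.example", "app": "QuizFun",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"user": "teacher2@district.example", "app": "QuizFun",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"user": "clerk@district.example", "app": "ClassPhotos",
     "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email"]},
]

def external_recipients(f):
    """Addresses outside the district domain (exact domain match, not suffix)."""
    return [a for a in f["shared_with"]
            if a.lower().rsplit("@", 1)[-1] != DISTRICT_DOMAIN]

def exposed_pii_files(files):
    """Files with SSN-shaped content that leave the district boundary."""
    findings = []
    for f in files:
        external = external_recipients(f)
        if SSN.search(f["text"]) and (external or f["link_sharing"] == "anyone"):
            findings.append((f["name"], external, f["link_sharing"]))
    return findings

def broad_scope_apps(grants):
    """Map each app holding a broad scope to the users who authorized it."""
    apps = {}
    for g in grants:
        if BROAD_SCOPES.intersection(g["scopes"]):
            apps.setdefault(g["app"], set()).add(g["user"])
    return {app: sorted(users) for app, users in apps.items()}
```

Calling `exposed_pii_files(FILES)` and `broad_scope_apps(GRANTS)` returns the findings; the internally shared roster and the public newsletter without PII are deliberately not flagged.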
Should We Be Concerned About The Cloud Security “Achievement Gap”?
In short, yes. And it’s not just a budget problem.
Let’s be clear: K-12 schools are critical infrastructure. Gaping cloud security holes that leave sensitive student, employee, and financial data improperly managed and secured would be unheard of in any other critical infrastructure sector.
Most technology leaders have known that this is a huge problem for years. They’ve presented issues and data to superintendents and board members only to be met with glassy-eyed stares. And, of course, the usual “we can’t afford it” response.
If you were to ask the 70+ districts that were victims of ransomware attacks in the past 12 months, they’d probably say “you can’t afford not to.”
But cybersecurity isn’t just about spending money and buying technology. It’s about training users to be cyber aware. And it’s about changing the culture in your district.
Make no mistake, the cyber incidents we’ve been hearing about do, in fact, impact students. Cyber attacks can make learning more difficult, they can lead to anxiety and mental health problems, and they can also lead to identity theft and financial fraud that could impact students for years to come.
District leaders can no longer afford to ignore the importance of securing sensitive, personal, and/or financial data. They need to become willing partners with their technology department so that they can work together to influence positive change.
Because a cyber-secure school creates a safe space where your students can learn and grow without obstruction or fear.