Schools are using cloud applications more frequently with the surge in hybrid learning, but IT teams struggle to secure this environment.
District technology leaders once again named cybersecurity as their top priority, yet school districts continue to fall victim to cyberattacks. In fact, K–12 education is now one of the top targeted industries. Why?
Cybercrime has evolved, but cybersecurity strategies haven’t. While K–12 education is a leader in cloud adoption, driven by the embrace of Google Workspace and Microsoft 365, districts often aren’t properly securing it.
School leaders have realized the benefits the cloud provides. Students and staff collaborate on assignments, communicate with each other and access important school resources in the cloud. With the help of Google and Microsoft, all this activity can happen anywhere and at any time.
K–12 districts have even been leaders in adopting cloud collaboration technology. However, for the administrators not directly involved in technology, cloud security is somewhat new and overlooked. Here are three reasons why.
1. A Culture of Sharing and Accessibility in Education
At its core, K–12 education fosters a culture of knowledge sharing and accessibility. This gives students the freedom to explore new ideas, collaborate and learn from each other.
This also goes against basic cybersecurity practices that technology leaders encourage. For example, staff and students are more likely to share files, personally identifiable information, pictures and passwords without thinking about the data privacy and security consequences. And the passwords created are weak, making them easy to remember and guess.
We’ve also seen many examples of administrator-level access given to staff members who don’t need it. This may seem like a good idea to those who don’t understand the gravity of the risk it creates. Most school data breaches and ransomware attacks are the result of a staff member falling victim to a phishing attack. Imagine how much more damaging that becomes if the person who clicked a phishing link provided the criminal with direct access to the entire domain.
Further, remote and hybrid learning are here to stay. Our traditional idea of the classroom has forever changed. Students and teachers can create and share from anywhere — putting districts in a difficult position.
How does your district protect the class activity taking place outside of classrooms? Your firewalls and content filters focus on school networks and managed devices. These tools are still important and necessary. However, when students and staff use home networks and personal devices to connect to their school accounts, the protections you have in place can become much less effective.
Administrators not involved in technology don’t want cybersecurity to inhibit teaching and learning. This makes it difficult to put in place new cybersecurity measures aimed at improving security, and it also puts school districts in harm’s way.
2. A Lack of Understanding from District Leadership
The most significant obstacle technology leaders face is budget. This stems from a lack of cybersecurity knowledge and buy-in from administration leaders and, in some cases, school boards.
A district administrator has many high-priority initiatives and a limited budget. These initiatives include needs such as more connectivity and accessibility for students, devices for everyone to use, and network and endpoint security to protect it all. Most, if not all, of the technology purchases and improvements are based on student outcomes. Therefore, classroom technology is allocated most of the budget. In most states, education is required to spend about 80 percent of its technology budget on the classroom. The other 20 percent goes toward an operational budget, which includes cybersecurity.
From the many conversations I’ve had with district leaders, it’s clear that cybersecurity is misunderstood and seen as too complicated. The easier option is to ignore it, which results in a lack of funding for new cybersecurity initiatives. When the district has a firewall in place, it may be hard to believe it needs any more resources. However, as illustrated by the many cyber incidents continuing to affect districts, this level of protection won’t suffice. Districts need cloud security in addition to their traditional protections.
We’re not just seeing these misunderstandings in cybersecurity. Student data privacy regulations for school districts are also misunderstood. Districts must meet regulations such as the Family Educational Rights and Privacy Act, the Children’s Online Privacy Protection Act and the Children’s Internet Protection Act. While they frequently are, it’s important to note some of the common misunderstandings, especially on CIPA.
In addition to preventing students from visiting inappropriate websites, CIPA requires districts to address “the safety and security of minors when using electronic mail, chat rooms and other forms of direct electronic communications.”
This means that communications in cloud programs fall under CIPA requirements. The unfortunate reality is that some staff members and students will misuse school-provided email, file sharing, chat apps and collaboration documents. Districts must be able to catch these activities and remove them if the content is inappropriate for minors, as defined in CIPA.
3. The Unique Security Challenges in Education
Education is one of the most targeted industries by cybercriminals, and district IT teams must overcome challenges that other industries don’t have to consider. For example, districts don’t have as many trained and experienced cybersecurity professionals. It may be more difficult for a school to find an IT leader with specific knowledge of cloud security.
Additionally, multifactor authentication isn’t used for cloud software as much as it should be — but this challenge goes beyond the use of MFA itself. In an educational setting, MFA poses its own complications. When deciding whether to use it, an IT team must consider a few questions.
What complications may arise for students — will it make it tedious for them to access their schoolwork? Can schools require teachers to use personal devices for MFA? Do they need to buy MFA keys or school-provided mobile devices for staff? Is there room in the budget for that? MFA is relatively easy to implement in an enterprise company, but not so much in a school district.
Another unique challenge for school districts is that cloud-specific cybersecurity tools are frequently geared toward enterprise companies. This makes it especially difficult for an under-resourced IT team short on budget, staff or training to effectively use these tools. When we talk with technology directors, the pain point we often hear is that the tools are too time-intensive to use and impossible to keep up with. This issue becomes exacerbated when IT teams are dealing with many other school incidents simultaneously.
IT teams within school districts need tools built to help them accomplish basic cybersecurity tasks easily and efficiently. It’s likely that your staff has some level of access to district information, and your IT team must be able to quickly see that activity — all while protecting your district from the increasing cyberattacks targeting schools.
Looking Ahead on Cloud Security
The cloud is the newest layer of technology in K–12 districts, and district IT teams continue to call for more attention to it. With the cloud, a school’s technology team can lose some visibility and control. District administrators must work with their IT teams to find a balance between having cloud security tools in place and ensuring these do not negatively affect the culture of sharing and accessibility that education has always had.
With each cybersecurity incident that targets a school district, the importance of cloud security becomes more obvious. Efforts to bring more cloud security into schools are already underway, but we still have further to go. It’s important for administrators to talk with their IT teams and look beyond what cybersecurity has traditionally entailed, because the threat landscape has changed and will continue to do so.
by David Waugh, for EdTech Magazine