Someone inside your district improperly exposing student data poses risks to student safety and data privacy
A recent story about a high schooler and her mother “hacking” the homecoming queen vote got me thinking more about the insider data loss prevention (DLP) risks in schools. On the surface, this sounds like a silly story and a ridiculous example. But, if you read further, you’ll learn that the student had unfettered access to the district’s student information system (SIS).
Until the two were arrested, the mom was an elementary school assistant principal who shared her FOCUS login information with her daughter. The daughter bragged about having access to her fellow students’ records for four years. This is just the latest example of misuse of student information by an insider to hit national news. It’s certainly not the first and won’t be the last.
What are Insider DLP Risks?
When we talk about insider DLP risks, we’re referring to the unauthorized and/or inappropriate use of data by people who have authorized access to the information. More often than not, insider DLP incidents are accidental, not malicious. But malicious incidents do happen, and they have happened in K-12 school districts.
For example, in 2018, a contract worker was hired by the Chicago Public Schools (CPS) to perform work that included conducting background checks on CPS employees. This gave the worker access to personal information for thousands of CPS employees, contractors, and vendors. Later it was found that the worker had downloaded data without permission and deleted some parts of files. Luckily, the district was able to recover at least some of the data.
Whether an insider-caused data breach is accidental or intentional, it’s still exposing data that can cause long-term harm to students, faculty, staff, and districts.
What is a Data Breach?
Data breaches occur when private or confidential information is released either by accident or by design. Cyber criminals stage data breaches to gain access to a district’s personal information about students or staff, or to access district financial data.
Data breaches take many different forms. Some are caused by simple accidental improper sharing and security settings. A data breach can also be caused by a calculated, malicious act to gain information that can be used for some form of profit. Insider DLP risks can take both of these forms, though it’s most common for school districts to experience accidental data breach incidents.
According to the K-12 Cybersecurity Resource Center, the COVID-19 pandemic that prompted many districts to go to hybrid or totally remote learning resulted in a record-breaking number of cyber incidents in schools. 36% of those reported incidents were from data breaches alone.
In general, there are three causes of data breaches in K-12 districts:
- Accidental breaches: Examples include things such as someone in the district setting incorrect document sharing settings, or a student or teacher losing their device.
- Insider data breaches: Examples include the incidents discussed earlier, or a dissatisfied employee stealing data before giving notice.
- External criminal data breaches: Examples include cyber criminals gaining unauthorized access to district data from a phishing email, or because of inadequate network and/or cloud security.
Cloud DLP, Zero Trust Security, and Insider DLP Risks
Schools now mainly use cloud applications, rather than on-prem servers and software. Further, more students, faculty, and staff are using laptops and/or mobile devices that they can use to access data stored in the cloud from outside the schools’ network.
This means that districts need to adjust their cybersecurity stance from a focus on firewalls and network security to cloud DLP and zero trust security.
Cloud DLP is more important today than ever before. You need:
- Deep integration with cloud apps such as Google Workspace for Education
- Classification of data into set categories that define sensitivity and protection
- Classification of new data when it is uploaded or created
- 24/7/365 monitoring
- Administrative alerts and automated responses when problems are spotted
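The classification and automated-response items above can be sketched in a few lines. This is an added example, not code from the original article or from any DLP product; the detector patterns, the `SID-` student ID format, the label names and the `district.example` domain are all assumptions.

```python
import re
from dataclasses import dataclass

# Constructed detectors and labels; the SID- format and domain are placeholders.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "student_id": re.compile(r"\bSID-\d{6}\b"),
    "dob": re.compile(r"\b(?:DOB|Date of Birth)\b", re.I),
}
DISTRICT_DOMAIN = "district.example"

def classify(text):
    """Label a new or uploaded document: restricted, internal, or public."""
    hits = {name for name, pat in PATTERNS.items() if pat.search(text)}
    if "ssn" in hits or {"student_id", "dob"} <= hits:
        return "restricted"
    return "internal" if hits else "public"

@dataclass
class ShareEvent:
    actor: str
    doc_label: str
    visibility: str          # "private", "domain" or "anyone_with_link"
    recipients: tuple = ()

def evaluate(event):
    """Pick the automated response for one sharing event."""
    external = [r for r in event.recipients
                if not r.lower().endswith("@" + DISTRICT_DOMAIN)]
    exposed = event.visibility == "anyone_with_link" or bool(external)
    if not exposed:
        return "allow"
    # The actor's login is valid either way; label and destination decide.
    return {"restricted": "revoke_and_alert", "internal": "alert"}.get(
        event.doc_label, "allow")

if __name__ == "__main__":
    roster = "Grade 10 roster: SID-123456, DOB 2006-04-01"   # constructed
    label = classify(roster)
    event = ShareEvent("teacher@district.example", label, "private",
                       ("tutor@mail.example",))
    print(label, evaluate(event))
```

The decision never asks whether the login is valid, which is why this kind of rule still works when the person sharing the file is an authorized insider.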
Zero trust cybersecurity is sometimes described as a “never trust, always verify” approach. It focuses on securing your data, not just your network perimeter, regardless of the network or device someone is using. Zero trust protects you against someone reaching past your perimeter defenses and provides an additional layer of protection. Importantly, it also protects your sensitive data from insider DLP risks, which otherwise look like authorized activity to traditional cybersecurity technology.
The FBI, Department of Homeland Security, and the Multi-State Information Sharing and Analysis Center published a report in December 2020 warning that “Cyber actors target K-12 distance learning education to cause disruptions and steal data,” and saying that those attacks are expected to continue. As a result, districts need to put cloud DLP and zero trust cybersecurity in place now.
To further prevent data loss, particularly from insider risks, zero trust security works by assuming that all access is unauthorized access. It puts the onus on the user attempting to access the account and/or data to prove that they are authorized to do so, and that what they are trying to do with it is approved use. It requires:
- Multi-factor authentication
- Behavioral threat detection, such as unusual amounts of downloads and suspicious email activity
- Setting DLP rules for files that contain sensitive information and automating remediation when a user is attempting to share that information improperly
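Behavioral detection of "unusual amounts of downloads" means comparing each account against its own history, not against a single district-wide limit. The following is an added example, not from the original article; the event layout, account names, the `k` multiplier and the `floor` value are assumptions.

```python
from collections import Counter, defaultdict
from statistics import median

def daily_counts(events, action="download"):
    """events: (ISO date, user, action) tuples; the layout is an assumption."""
    counts = defaultdict(Counter)
    for day, user, act in events:
        if act == action:
            counts[user][day] += 1
    return counts

def flag_unusual(events, today, k=5.0, floor=20):
    """Return (user, count, threshold) for users far above their own baseline.

    Baseline is the median of earlier active days, spread is the median
    absolute deviation (MAD). `floor` stops low-volume users from alerting
    on small changes and is the only limit for accounts with little history.
    """
    alerts = []
    for user, per_day in daily_counts(events).items():
        history = [n for day, n in per_day.items() if day < today]
        current = per_day.get(today, 0)
        threshold = floor
        if len(history) >= 3:
            base = median(history)
            mad = median(abs(n - base) for n in history)
            threshold = max(floor, base + k * max(mad, 1))
        if current > threshold:
            alerts.append((user, current, threshold))
    return sorted(alerts)

def make_events(user, counts_by_day):
    return [(day, user, "download") for day, n in counts_by_day.items()
            for _ in range(n)]

# Constructed sample: a registrar with steady volume, and a staff account
# that normally opens a few records and then pulls 310 in one day.
SAMPLE = (
    make_events("registrar", {"2021-03-01": 40, "2021-03-02": 45,
                              "2021-03-03": 38, "2021-03-04": 42,
                              "2021-03-05": 44})
    + make_events("staff_account", {"2021-03-01": 3, "2021-03-02": 2,
                                    "2021-03-03": 4, "2021-03-05": 310})
)

if __name__ == "__main__":
    print(flag_unusual(SAMPLE, "2021-03-05"))
```

The registrar's 44 downloads pass because they sit inside that account's normal range, while the staff account is flagged even though every request came from a valid login.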
School districts are required to comply with federal, and in many cases state, data loss prevention regulations. The problem that school IT teams are facing is that they are trying to secure cloud-based information systems with network-based security solutions. Cloud-based Google Workspace data loss prevention and data loss prevention for Microsoft 365 require a different layer of cybersecurity infrastructure than traditional on-prem network servers and software.
Beyond compliance, data breaches and student data privacy are inextricably linked. Simply put, there is no student data privacy when that data is breached. Districts need to focus on and fund data loss prevention methods that are meant for the information technology that they are currently using, not just the software or tools they used in the past.