It’s no secret that most school districts are using cloud applications for everything from instruction to operations. Our recent survey found that over 94% use Google Workspace, Microsoft 365, Canvas, Zoom, and many more.
But many people don’t know that schools aren’t correctly preventing data leaks and loss in these apps.
Yes, there is a general understanding that district IT teams are overworked and underfunded. This is particularly true for cybersecurity resources, compared to classroom technology, for example.
But what I see here is a misalignment of data security resources. The same survey found that $20,000 is the median amount district leaders allocate to cybersecurity. That data point alone tells you that cybersecurity is woefully underfunded.
Only 20% of that budget will go toward cloud security. At the same time, districts are creating, storing, and sharing the vast majority of their sensitive data—student data, financial data, W2s, you name it—in cloud-based software. The percent of districts that are either currently using or are planning on moving to a cloud-based system soon is significant:
Let’s look at some best practices for preventing data leaks and loss in Google Workspace and Microsoft 365.
1. Set Password Policies
Enabling “require a strong password,” at least for your administrative staff user groups and potentially faculty, is an essential first step.
2. Turn on Multi-Factor Authentication:
There’s a lot of chatter around this topic lately. The fact is that most cyber insurance carriers are now requiring schools to do this or pay steep premiums.
Many IT leaders have been getting themselves wrapped around the axle about managing this for young students but don’t. Most insurance companies are technically only requiring it for staff, and this is the most logical place to start when you think about it. Student accounts shouldn’t have access to sensitive information and should be pretty walled off from communicating directly with those who do. If you’ve been dragging your feet about MFA, now is the time to get started.
3. Manage SaaS Access & Permissions:
EdTech SaaS is an often overlooked area of data security and privacy. Some states, like Illinois and California, have passed laws that require schools to keep an inventory of the apps and vendors that have access to student data. The aim is mainly to protect students from vendors misusing their data, but it has the added benefit of tightening the reins on apps with lax data leak/loss protections.
4. Set External Sharing Standards:
Staff inappropriately sharing sensitive data is the most common form of a data leak. It’s often referred to as “insider DLP risk.” Unfortunately, it happens all the time, and it is NOT OK. There are people out there who are actively looking for information shared globally, and they 100% can use it for several nefarious purposes.
We’ve seen cases where whole lists of employees’ social security numbers, addresses, etc., are shared publicly. Same with students and parent/guardian information. We’ve also seen cases of spreadsheets with login information transmitted via global link…why?
Who knows what’s going on in people’s heads when they do these things. But, for the most part, it just comes down to simple ignorance. They see the global share, and they don’t understand what it means. So they don’t think it through, and they go for the path of least resistance.
5. Set Up Data Loss Prevention Policies:
OK, maybe this should’ve been number one… many admins we talk to know that they have some data loss prevention capabilities in Google Admin Console and/or Microsoft’s Admin Center, but they’ve never set them up. Or, they did forever ago and have never gone back to make sure it’s working the way it should be. Tisk!
Your DLP setup is going to vary depending on whether you’re looking at Google or Microsoft and what license level you’re at (or, you can learn how to do it in one place with ManagedMethods).
Most districts think about student data privacy in terms of protecting students from being targeted by advertisers or from vendors using their data in non-educational ways. This is undoubtedly an important concern. But it’s not the full student data privacy story.
Student data is being improperly exposed shockingly often. And it’s not always due to vendors or even cybercriminals. Instead, accidental data leaks are most common and are usually the result of a staff member improperly sharing and/or storing that data.
While a data leak v data loss is a different scenario, they are both related. And they are both potentially harmful to your students’ privacy.
This is why preventing data leaks, and loss is critical to student data privacy. If their data is exposed openly on the internet where anyone who might be looking can find it without actually breaking into your system, then there’s no hope for keeping it private.
Education’s shift to cloud computing was gaining momentum well before COVID-19 forced us into remote learning. Even as students have come mainly back to in-class learning, the cloud has solidified its place in modern education.
Google Workspace for Education is the leading player, particularly for classroom learning. Our survey found that 43% of schools in the US and Canada primarily use Google Workspace, while 41% use both Google and Microsoft, and 9% use just Microsoft 365.
Now, there is a lot of misperception out there about how well protected your data in the cloud is. Many tech teams we talk with don’t realize that their firewall and phishing filters probably aren’t effectively protecting all this data. This is because cloud apps—like Google Workspace and Microsoft 365—exist outside of your network. Therefore, access to those accounts doesn’t even hit your network perimeter, where your firewall is.
The next most common misperception is that Google and/or Microsoft and/or other SaaS apps native security tools have you covered. This may be true to an extent. But the truth of this relies heavily upon: