The EdTech migration started before the COVID-19 crisis, but the pandemic forced school districts across the country to jump into remote learning almost overnight. As a result, cloud-based EdTech became a replacement for classroom learning rather than a tool used to enhance it.
In the chaos of the moment, the quick shift to EdTech tools for classroom learning and other school functions created cybersecurity and student data privacy challenges. New SaaS apps were connected to school Google accounts without proper vetting or sanctioning.
Apps that have not been developed with proper infrastructure security in place pose a significant threat to school data. There are also real student data privacy concerns around how these unvetted vendors are able to collect and use student data. For most IT teams, the extent of the problem is still going completely unnoticed due to a lack of visibility into what EdTech and other SaaS apps have been granted permissions to their domain.
The shift to remote learning communication technologies and physical distancing orders also lead to concerning student safety issues. There were the widely reported “Zoombombing” incidents in the early days. But other issues caught little attention. Students sharing inappropriate content and cyberbullying using school technology continues to plague schools. And students that were already struggling with depression and anxiety are impacted by the events of the past several months.
K-12 remote learning is here to stay for the near future, at least in varying degrees across the country. Many districts are now looking into implementing hybrid learning models, where some students will be in-class and others will log in remotely on any given day. But whether districts are planning on 100% in-class learning or some variation on remote learning next school year, all IT directors seem to agree that the EdTech pandora is out of the box.
EdTech is shorthand for education technology. It refers to the technology resources available to improve education, and the vast majority of teachers are big supporters. In situations like responding to COVID-19, it helps educators establish remote learning. But even when EdTech is used to enhance classroom learning, it can help to increase student engagement, dynamically track progress, increase collaboration, and strengthen digital literacy.
EdTech tools can be built using different types of infrastructure. But, these days, the most common is a cloud-based application infrastructure. Also often referred to as SaaS (software-as-a-service), cloud applications are today’s favored application development infrastructure because it provides a lot of flexibility and scalability. It is also favored by customers because it’s typically much easier to access cloud apps from a variety of devices and locations. Users don’t have to work off of one, specific computer that has software installed on it. They can access the application anywhere they have an internet connection, as long as they know their login credentials.
Therefore, cloud-based EdTech is simply education technology that is built in the cloud. There are far too many EdTech vendors to list out. But, som popular examples include:
G Suite for Education is the gold standard in classroom enablement. One could argue that it led the EdTech migration. It became even more important as classrooms closed, as sales of Chromebooks skyrocketed and schools surged into Google’s free G Suite for Education licensing. Google also started providing valuable COVID-19 remote learning resources for teachers and students including:
As both IT and student safety teams began supporting G Suite, they discovered that the EdTech migration requires additional resources to address cyber safety and security.
Protecting yourself against cybersecurity threats is different when you’re working with cloud applications compared to on-premise network security. Luckily, Google cloud security features are among the best in the market. But the important thing to remember is that Google is responsible for securing the infrastructure that their apps run on. It is your responsibility to properly configure access and security settings for your district’s domain.
Configuring your Google Drive security settings is one part of securing district data. Remote learning and working make it more difficult to monitor, detect, and control data security risks in Google Drive. Logins are coming from many locations and devices, few of which are within the school’s network. District IT teams need a cloud security tool to secure cloud access since firewalls aren’t effective once activity moves off of the network and into the cloud.
Any district using G Suite must also conduct Google monitoring to prevent data loss, account takeovers, and malware threats. Many people think that cloud monitoring is difficult and time-consuming. However, when you automate cloud application security, monitoring is easy. In fact, there are G Suite data loss prevention best practices that will help you see and control user behavior within the cloud.
School districts that are using technology that allows students online access (this includes cloud-based EdTech) are responsible for maintaining cyber safety compliance. This is true whether students are accessing classroom technology from home or in school.
As previously mentioned, cyber safety issues are continuing to plague school districts where students are increasingly using technology to communicate with each other. Beyond the “Zoombombing” incidents that we’re all aware of, the sharing of explicit content between students is also a significant issue. Students who now have access to tools such as Google Chat have found this to be a great place to share explicit content, use inappropriate language, and cyberbully each other often without being detected by campus safety or IT personnel.
Cyber safety monitoring in schools can also be a tricky subject. Administrators often end up caught between trying to protect students and maintaining their privacy. For example, a number of for-profit cyber safety companies will track and store a student’s online activity. Districts want to have things such as self-harm detection and monitoring for cyberbullying and discrimination, but they don’t want to create a surveillance culture.
There have been examples of students appearing at board meetings to raise privacy concerns, and parents expressing their concerns about online activity stored by for-profit businesses. IT teams are looking for vendors that can monitor and alert administrators about risks to cyber safety in schools that don’t collect or store that data themselves.
Whether or not the COVID-19 pandemic closed classrooms, EdTech is here to stay. Investment in the EdTech sector is growing rapidly, and it supports innovation and elevates students’ learning experience. But, using it can present risks that district IT teams must understand and address.
One of these risks is the prevalence of “Shadow” EdTech. Shadow EdTech refers to apps discussed earlier in this post that have been granted access to your district’s domain (almost always through OAuth) without proper security and privacy vetting by the IT team. It is finding its way into virtually every district’s G Suite and/or Microsoft 365 domain.
There are three main EdTech risks that shadow apps can cause in your environment. In quite limited cases, there are malicious applications that are developed specifically to gain access to a school’s domain in order to steal data, launch malware and/or phishing attacks, and otherwise create havoc.
The more likely risks revolve around student data privacy compliance and accidental security breaches. There are many apps that don’t have privacy policies that comply with regulations such as FERPA, COPPA, and CIPA (not to mention state regulations). There are also vendors that play it loose with their app’s infrastructure security. This means that if an app is breached by a hacker, and that app has been granted OAuth access to your Google or Microsoft 365 environment, then the hacker can use any access credentials that have been granted. Apps with read and write access to email are particularly risky.
There are other EdTech security risks. Cybercriminals are targeting school districts because they’re a veritable goldmine of sensitive data and security isn’t as strong as it is in other industries. Here are some of the problems that risky EdTech can cause for your district:
Managing the EdTech migration is one of the best ways you can protect your data and your student’s safety and data privacy. Planning for the next school year is a topic that every school district is facing. You’re invited to our free webinar where we will discuss the state of K-12 cybersecurity and safety. We’ll identify the trends, lessons learned, and how K-12 IT teams are planning for the 2020-2021 school year.