The State of School Vendor Security and Compliance

June 17, 2021

K-12 Cybersecurity report finds that 75% of data breaches in 2020 were related to district vendors and partners

School vendor security is a hot topic in districts across the country, and for good reason, based on the statistics in the latest report on the state of K-12 cybersecurity.

Doug Levin is the national director of the K12 Security Information Exchange (K12 SIX) and has spent his career working at the intersection of technology and education. He also maintains The K-12 Cybersecurity Resource Center. His third annual report, State of K-12 Cybersecurity: 2020 Year in Review, documents why school vendor security is an issue that needs to be addressed.

School Vendor Security is Impacting Students’ Privacy

For the second year in a row, at least 75% of all data breaches affecting public K-12 school districts in the U.S. involved school vendors and other partners. Attackers target vendors because a single successful intrusion can give them access to the hundreds, if not thousands, of organizations, schools included, whose sensitive student data the vendor holds.

For example, Blackbaud, a cloud computing vendor for nonprofits and education institutions, was the victim of a ransomware attack in 2020. Before deploying the ransomware, the criminals exfiltrated data, including usernames, passwords, Social Security numbers, and more.

Reportedly, several of the millions of people affected by the breach have filed suit against the vendor. This is just one of several such incidents; others involved popular K-12 tech vendors such as Active Network, Aeries, K12 Stride, Tyler Technologies and SolarWinds.

The troubling statistic makes clear that schools need better control over the third-party apps and vendors that have access to, or store, their data off-site. School ransomware most often starts with a successful phishing campaign, but third-party apps and vendors are a growing area of concern.

In particular, ransomware delivered through third-party apps is on the rise. By hijacking a vendor's app infrastructure, criminals reach a much bigger and broader pool of victims at once. The compromised app then uses the delegated access it was granted, typically an OAuth token, to read and change data as though it were an authorized user. OAuth is an authorization grant rather than single sign-on in the strict sense: the token works without the user's password or an MFA prompt, which is exactly why it is attractive to attackers. A vendor breach can therefore lead to ransomware in the cloud, account takeover, and more.

[FREE] K-12 Cybersecurity & Safety Leadership Panel Discussion. REGISTER TODAY >>

Student Data Privacy and Third-Party Apps

There is no doubt that third-party apps will continue to be used in schools. They offer many benefits to teachers and students. As a result, the problem of student data privacy and third-party apps will stay on the to-do list of every school's IT team.

The problem many districts face is a misunderstanding of the full scope of student data privacy risks when it comes to vendors and third-party apps. Most administrators, parents, and media articles focus on how vendors, schools, and potential future employers will use the data collected about individual students. This is an important issue that needs to be addressed. However, it is not the full scope of the problem.

School stakeholders tend to overlook the data security side of student data privacy and vendors. This matters because, when a vendor's data is breached, student data can be exposed in a number of ways. In the end, there is no data privacy without data security.

There are two separate problems when it comes to data security in third-party apps. One is legitimate apps that don't have effective security controls built into their architecture. This makes it possible for attackers to hijack an otherwise legitimate application and use it to gain access to user accounts, sensitive data, and more. The 2020 Year in Review report notes that the problems that continue to affect school district vendors should raise questions about whether the industry's self-regulatory efforts and the current data privacy and security regulations are adequate.

Managing EdTech security risks needs to start with the "shadow" EdTech found in most districts: apps that haven't been approved by the IT team. In some districts an app can be in widespread classroom use without the IT team even knowing about it. Many states have passed, or are in the process of passing, student data privacy laws that help curb this type of activity. Many of these laws require schools to vet vendors and keep detailed records of the third-party apps and vendors in use.

School districts can take action by creating an EdTech Policy Manual that identifies the apps approved for use and the process for vetting new EdTech apps. It's also critical that everyone in your district knows why the EdTech rules matter, and why breaking them can give attackers access to sensitive data about students, teachers, and staff.


The second problem is malicious apps: third-party apps built by attackers to gain access to school IT systems. Often they create apps that closely resemble a trusted app in the hope of duping some people into installing them. Another tactic is to create gaming and lifestyle apps that people (particularly kids) will want to download for entertainment. The Google, Microsoft, and Apple app stores are constantly working to clean out these malicious or suspicious apps, but they can also easily be found on "unofficial" websites. As a rule, apps should never be installed from a website outside of the official app stores.

Once either a malicious app or a compromised legitimate app has been installed and granted permissions to an account, it holds an OAuth token for that account, and its API activity looks authorized in your cloud environment. Resetting the user's password is not guaranteed to invalidate that token; the consent grant itself has to be revoked.

For example, the app might give an attacker access to that user's email, which can start a chain of lateral phishing emails and further account takeovers that eventually reach sensitive data.

Again, there are things district IT teams can do to address OAuth risks. For example, don't partner with vendors until they can produce detailed security documentation and have agreed to provide proof of compliance. You can also implement a system that monitors SaaS apps, notifies your team when suspected risks appear, and automatically disconnects risky apps.
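The monitoring described above, in the two paragraphs on OAuth grants and on detecting and disconnecting risky apps, comes down to three questions about each consent grant in the district's tenant: is the app on the approved register, is it asking for more than was approved, and are its scopes dangerous (full mailbox, full Drive, directory admin). The following is an added example, not code from the page or from K12 SIX. The grant records mirror the fields the Google Admin SDK Directory API returns from tokens.list (clientId, displayText, scopes, userKey, nativeApp), but every record is constructed sample data, the client IDs and scope tiers are this example's own assumptions, and no API call is made; the revocation list is what you would feed to tokens.delete or to the equivalent Microsoft Graph call.

```python
"""Audit third-party OAuth app grants for shadow apps and risky scopes.

Added example with constructed data; field names follow the Google Admin SDK
tokens resource, but nothing here talks to an API.
"""
from collections import defaultdict
from dataclasses import dataclass

# Scope strings are real Google OAuth scopes; the risk tiers are an editorial
# classification for this example, not a vendor's list. Full-mailbox and
# full-Drive grants are what lateral phishing and cloud ransomware abuse.
HIGH_RISK = {
    "https://mail.google.com/": "full Gmail read/send/delete",
    "https://www.googleapis.com/auth/gmail.modify": "read, send and alter mail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as the user",
    "https://www.googleapis.com/auth/drive": "read, modify and delete every Drive file",
    "https://www.googleapis.com/auth/admin.directory.user": "manage directory users",
}
MEDIUM_RISK = {
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/classroom.rosters.readonly": "read class rosters (student PII)",
}


@dataclass(frozen=True)
class Grant:
    user: str          # userKey
    client_id: str     # clientId
    display_text: str  # displayText shown on the consent screen
    scopes: frozenset  # scopes granted
    native_app: bool = False


@dataclass
class Finding:
    user: str
    client_id: str
    display_text: str
    severity: str  # "none" | "low" | "medium" | "high"
    action: str    # "keep" | "inventory" | "review" | "revoke"
    reasons: list


def assess(grant, approved):
    """Score one grant against the district's approved-app register.

    `approved` maps client_id -> frozenset of vetted scopes. Approval is per
    scope, so a vetted app that later asks for more (scope creep) is judged
    on the extra scopes alone and always gets at least a human review.
    """
    reasons = []
    creep = False
    if grant.client_id in approved:
        scopes = grant.scopes - approved[grant.client_id]
        if not scopes:
            return Finding(grant.user, grant.client_id, grant.display_text,
                           "none", "keep", ["approved app within vetted scopes"])
        creep = True
        reasons.append("approved app granted scopes beyond approval: " + ", ".join(sorted(scopes)))
    else:
        scopes = grant.scopes
        reasons.append("app not in approved register (shadow EdTech)")

    high = [HIGH_RISK[s] for s in scopes if s in HIGH_RISK]
    medium = [MEDIUM_RISK[s] for s in scopes if s in MEDIUM_RISK]
    if high:
        severity, action = "high", "revoke"
    elif medium:
        severity, action = "medium", "review"
    else:
        severity, action = "low", ("review" if creep else "inventory")
    return Finding(grant.user, grant.client_id, grant.display_text,
                   severity, action, reasons + high + medium)


def audit(grants, approved):
    return [assess(g, approved) for g in grants]


def shadow_apps(grants, approved):
    """Unapproved client_ids -> number of distinct users who consented.
    A count well above one is an app in classroom use that IT never vetted."""
    users = defaultdict(set)
    for g in grants:
        if g.client_id not in approved:
            users[g.client_id].add(g.user)
    return {cid: len(u) for cid, u in users.items()}


def revocation_list(findings):
    """(user, client_id) pairs to pass to tokens.delete; not called here."""
    return sorted((f.user, f.client_id) for f in findings if f.action == "revoke")


# Constructed sample data (hypothetical client IDs and accounts): a vetted
# roster tool, one user who granted it full Drive on re-consent, a bogus
# "free skins" app on two accounts, and a sign-in-only quiz timer.
ROSTER_TOOL = "1234567890-lessonplanner.apps.googleusercontent.com"
SKINS_APP = "2468135790-freeskins.apps.googleusercontent.com"
QUIZ_TIMER = "1357924680-quiztimer.apps.googleusercontent.com"
EMAIL = "https://www.googleapis.com/auth/userinfo.email"
ROSTERS = "https://www.googleapis.com/auth/classroom.rosters.readonly"
DRIVE = "https://www.googleapis.com/auth/drive"

APPROVED = {ROSTER_TOOL: frozenset({EMAIL, ROSTERS})}
SAMPLE_GRANTS = [
    Grant("alice@district.example", ROSTER_TOOL, "Lesson Planner", frozenset({EMAIL, ROSTERS})),
    Grant("bob@district.example", ROSTER_TOOL, "Lesson Planner", frozenset({EMAIL, ROSTERS, DRIVE})),
    Grant("carol@district.example", SKINS_APP, "Free Game Skins", frozenset({"https://mail.google.com/", DRIVE}), True),
    Grant("erin@district.example", SKINS_APP, "Free Game Skins", frozenset({"https://mail.google.com/"}), True),
    Grant("dave@district.example", QUIZ_TIMER, "Quiz Timer", frozenset({EMAIL, "openid"})),
]

if __name__ == "__main__":
    findings = audit(SAMPLE_GRANTS, APPROVED)
    for f in findings:
        print(f"{f.action:9} {f.severity:6} {f.user:24} {f.display_text}: {'; '.join(f.reasons)}")
    print("shadow apps:", shadow_apps(SAMPLE_GRANTS, APPROVED))
    print("revoke:", revocation_list(findings))
```

Run against a real tenant, the grants would come from paging tokens.list over every user, and the approved register would be the district's EdTech Policy Manual in machine-readable form. The per-scope approval is the part worth copying: a vendor that was vetted for rosters and later re-prompts users for full Drive access looks, to this check, exactly like an unknown app, which is the scope creep that a yes/no allowlist would miss.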

With ransomware on the rise and data security and student data privacy concerns growing, now is the time to learn more about the state of K-12 cybersecurity and find out what other IT leaders are doing to stop the loss of sensitive data through school vendors.
