Do You Have Gaps in Your Cybersecurity Tech Stack?

Fill gaps in your cybersecurity tech stack to meet today’s challenges

How would you feel if you were in charge of IT when a hacker stole $2 million? What would your reaction be if a cybercriminal held your district’s systems hostage and you had to pay them $10,000? Would you be happy if your state’s U.S. Senator had to ask for Federal aid to fight a cyberattack that disrupted your school district?

A 2019 K-12 cybersecurity review shows that all of those cyberattacks—and more—happened last year. If your district hasn’t experienced an attack yet, you’re lucky. K-12 cybersecurity is getting more complicated as time goes on.

  • Your district is storing increasing amounts of sensitive data
  • You’re increasing your use of different types of technology, including more endpoints and EdTech software
  • K-12 institutions are the second most targeted industry segment (behind local government)
  • Education is ranked last in cybersecurity preparedness compared to 17 major industries

Given these facts, it’s critical that you make sure there are no gaps in your cybersecurity tech stack.

What is a Cybersecurity Tech Stack?

The term cybersecurity tech stack refers to the tools, technologies, platforms, and vendors you use to manage cybersecurity in your school district. Different organizations need different cybersecurity tech stack configurations based on their IT infrastructure—and their needs for risk and compliance management. These tools form layers of protection, giving rise to the term cybersecurity tech stack.

In the business world, cybersecurity tech stacks can easily get out of control. CISOs are using over 300 products provided by 57 vendors. This is untenable for the business world—and downright impossible for school districts given the lack of funding, small IT departments, and limited cybersecurity know-how.

As a result, many K-12 district leaders believe that building a cybersecurity tech stack is too complicated, too costly, and out of reach. As an alternative, some leaders have decided to rely almost entirely on cyber insurance instead of investing in security. But cyber insurance can’t replace cybersecurity.

If you focus on a prioritized list of your district’s specific requirements, investing in cybersecurity doesn’t need to be complicated or expensive.

Step 1: Identify Your District’s Cyber Risk Profile


The National Institute of Standards and Technology (NIST) has developed a NIST cybersecurity framework to share information on cybersecurity threats and create a framework for reducing cybersecurity risks. NIST developed the framework in partnership with other government agencies, private sector industries, and educational institutions. The first step that it recommends is to conduct a risk assessment. Your risks might include:

  • Physical security: Securing the information on hard drives, devices, servers, etc.
  • Intrusion prevention: Examples include phishing, malware, ransomware, and account takeover
  • Data loss prevention: Data loss prevention must account for accidental and malicious activities
  • Detection, mitigation, and response: Plans need to be tested, implemented, and maintained

Simply using firewalls and content filters are not enough for most contemporary school districts to secure sensitive district business, student, and staff data. This is because K-12 cyber risks have changed drastically in the past few years. Your risk profile should reflect your district’s IT structure and will be different depending on a number of factors, including whether:

  • You store data in G Suite or Office 365 (or other cloud-based storage)
  • Your teachers and/or administrative staff are using 3rd party SaaS vendors
  • You have a 1:1 and/or BYOD program in your school district

cybersecurity infrastructure for K-12Step 2: Organize Your Cybersecurity Infrastructure

Your cybersecurity infrastructure includes not only technology, but also the strategy, plans, people, and training required to secure information systems. It will be multi-layered, but it shouldn’t be overwhelming. Set it up to meet the needs you identified in Step 1 and it won’t get out of hand. Be sure to cover the following six categories:

  • Infrastructure Security: Protect the systems underlying your IT system. If you’re operating in the cloud, your cloud vendor is responsible for most of this protection. For on-prem infrastructure, use internal staff or a managed service provider to handle security
  • Identity and Access Authentication: Ensure that you can accurately restrict access to only those users who can be authenticated
  • Endpoint Security: Secure all devices that access your network, including computers, laptops, tablets, smartphones, and on-prem servers
  • Network Security: Secure all underlying connections and interactions between all endpoints that connect to your network
  • Cloud Security: Protect the information stored, accessed, and shared in the cloud. Cloud vendors are responsible for the infrastructure security, while you will need to secure information stored in the cloud applications themselves
  • Incident Management and Response: Integrate incident management and response into your overall cybersecurity infrastructure




Step 3: Build Your Cybersecurity Tech Stack

Traditionally, cybersecurity is focused on defense at the perimeter. But, in today’s distributed and accessible environment, the focus of your cybersecurity tech stack should be on data security. This change is largely due to districts’ use of Google G Suite and Microsoft Office 365, as well as other web and cloud-based EdTech. Therefore, your cybersecurity tech stack should start, but not end, at the perimeter.

  • Perimeter and Network Security: This protection includes firewalls and next-gen firewalls. Advanced Threat Protection (ATP) is also required at your email gateways.
  • Access Security: Users access your systems in a variety of ways and you need to manage those endpoints. Use access-control management tools, including Single Sign-On (SSO) solutions, password management, and authentication.
  • Data Loss Prevention: Start by categorizing your data to identify the types of data you collect and store. You can then create and manage policies that assign appropriate security controls to each category. Finally, ensure that you put DLP monitoring technology in place to identify and remediate risks.
  • Account Behavior Detection: You need the technology to identify anomalous behavior within your perimeter. For example, a monitor that detects lateral phishing activity can alert you to the fact that hackers have likely breached your systems.

Cyberattacks can affect students, parents, staff, and teachers. Attacks can cost the district money and tarnish its reputation. No one wants to be in charge when a cyberattack hits. Take action to ensure that your cybersecurity infrastructure and tech stack are ready to protect your systems. It will help you avoid being caught in the middle if a hacker decides to target your district. Get started today with a free cybersecurity risk assessment by ManagedMethods!

K12 Cybersecurity Free Risk Assessment - Blog CTA XXL

Cybersecurity for K12 Essentials for District IT Teams

Avoid incidents using these 4 cybersecurity for K12 essentials

If you are a leader or member of a K-12 cybersecurity IT team, you’re seeing that cybersecurity is a critical issue for your district. Your systems are collecting and storing more student information, and your district is using more technology.

What you may not know is that, according to The K-12 Cybersecurity Resource Center, there were 712 cybersecurity incidents in the public school system since 2016. In 2018, hackers mounted 122 attacks on 119 K-12 school districts…that we know of.

Cybercriminals are targeting K12 district systems in part because the education sector ranks last in cybersecurity preparedness out of all major industries. The lack of preparedness makes it easier for hackers to succeed in their attacks. Fortunately, you can use these four cybersecurity for K12 essentials to help upgrade that ranking and foil attacks.

1. Raise Awareness

Raising awareness is half the battle in K-12 cybersecurity. K-12 district IT teams aren’t incapable of protecting their systems. The problem is often that there isn’t enough focus on the issue of cybersecurity. Many teams don’t seem to be aware of the issue—or are simply trying to ignore it because it seems like an insurmountable challenge.

They know that they’re storing more sensitive data than ever before, but they may be caught in the “it won’t happen to us” mindset. A look at the statistics shows that cyberattacks can happen anywhere, and are extremely widespread. Attacks have happened to districts in the middle of Kansas, and to schools in the upscale community of Greenwich, Connecticut.

Other IT teams think that their next-gen firewall and/or content filter is sufficient to protect their data. Unfortunately, those two systems can’t provide cloud security in the modern K-12 environment.

Many districts use G Suite and Office 365. These cloud apps provide the benefits of accessibility and collaboration, but they also present unique K-12 cloud risks. When cybercriminals find ways past your perimeter security (i.e. firewall), their activities look like authorized access. This leaves your district’s data stored in cloud systems with no protection.


For example, a hacker can send phishing and malware links in a shared document. They get past phishing filters because the body of the email looks innocent. But, the links in a document can cause the same devastation as those in the email itself.

Probably the most disturbing awareness issue is the idea in some districts that cyber insurance can replace efforts to increase a district’s cybersecurity preparedness. The truth is that, like any type of insurance, you should use cyber insurance to offset losses that you’ve already worked hard to prevent.

Raising awareness among K-12 District IT Teams, staff, teachers, parents, and students can get your entire community working together to prevent cyber incidents.

2. Use a Cybersecurity for K12 Framework

K-12 districts will get many benefits from using a well-designed cybersecurity framework. It provides an organized approach to cybersecurity that districts can incorporate into their existing programs. You can tailor the framework to meet your needs and it will help you to find areas where you should increase your defenses. Luckily, it’s not necessary for each district to develop its own cybersecurity for K12 framework.

In 2013, Executive Order 13636 established a call for an effort to share cybersecurity threat knowledge, and to create a framework for reducing risk. The National Institute of Standards and Technology (NIST) accepted the challenge. NIST published Version 1.0 of the NIST Cybersecurity Framework in early 2014. The agency continues to work with the private sector, educational institutions, and other government agencies to refine the framework.

Version 1.1 of the NIST Cybersecurity Framework was published in April 2018. The framework defines five steps an organization can take to avoid cyberattacks. Several states are currently working to incorporate the NIST cybersecurity framework into student data privacy and cybersecurity for K12 regulations. You can incorporate the cloud security you need into the framework to protect your district’s G Suite and Office 365 systems.

layered cybersecurity for k12 infrastructure 23. Upgrade Your Cybersecurity Infrastructure

Your cybersecurity infrastructure refers to the set of tools you use to protect your data. No single tool can achieve the complete cybersecurity for K12 coverage your district needs on its own. Therefore, using a multi-layered set of tools is the best practice for your district. You need to cover the following:

  1. Infrastructure Security: Traditionally, infrastructure security meant making sure your on-premise servers were secured from attack. If your district has fully migrated to using G Suite and/or Office 365, you’re able to outsource most of this. Or, like many districts, you have a bit of a combination of the two.
  2. Access Authentication: Access management is like putting a lock on your front door and giving a key just to the people who should have access to your house. This layer includes requiring strong passwords, enabling multi-factor authentication, and putting policies around login locations.
  3. Endpoint Security: Endpoints include laptops, computers, mobile devices, and servers. Today’s K12 IT teams are managing exponentially more endpoints than ever before mainly due to 1:1 and BYOD programs.
  4. Network Security: Securing your network with firewalls and gateways is still an extremely important layer in your cybersecurity infrastructure. Network security is often also referred to as perimeter security, which is focused on securing access past the perimeter of your information systems.
  5. Cloud Security: If your district is using Google G Suite, Microsoft Office 365, and/or other cloud-based EdTech apps, you need a cloud security layer. This is because cloud data storage and access happen outside of your perimeter, rendering network/perimeter security mostly useless.
  6. Incident Management & Response: Incidents happen even in organizations with tons of funding and cybersecurity management. Have a plan in place for when an incident does occur to detect and remediate, communicate to stakeholders, and improve your systems going forward.

When you have the right tools in place to address these six critical areas, you’ve established an infrastructure that will help to avoid cyberattacks.




4. Provide Effective Training

90% of data breaches start with human error. This is easy to understand in a K-12 district. Your community doesn’t consist of IT wizards, and you’re working with a wide variety of stakeholders. The people using your systems likely include staff, teachers, students, parents, and contractors. Your users don’t study the latest cybersecurity research, which makes them vulnerable to initiating a cyber incident without knowing it.

For example, users in your community are more likely to click on a phishing link in an email or a shared document if they aren’t properly trained. Your users may use passwords like “123456” or fail to change their passwords on a regular basis.

Ongoing training and education on strong cybersecurity policies is the key to keeping security top of mind with your staff, faculty, students, and parents.

No one wants to leave their district and student data open to cyber incidents. Luckily, there are tools at your disposal to avoid becoming a statistic. Protecting your district data isn’t complicated; if you use these four essentials as a guide, you can establish the protections you need to foil many of the types of cyberattacks plaguing school districts. Or at least send the hackers off to look for an easier mark.

Learn more about cybersecurity for K12 essentials during our free, live webinar with Tim Miles, Director of Technology at Steamboat Springs School District. Together, we’re demystifying cybersecurity for K12 IT teams. Learn more and register today!


Tech & Learning | Lateral Phishing: What K-12 Schools Need to Know

by Sateesh Narahari, Tech & Learning

Students and teachers in K-12 school districts use technology in the classroom for learning, teaching, administrative operations, and to have real-time conversations. With the rise of cloud apps such as Google G Suite and Microsoft Office 365, it’s no secret that students and staff are online during the school day–sending emails and sharing files–more than ever before. In the education sector, email apps like Gmail, Outlook, and Exchange are a must-have to share files and assignments in order to support today’s age of digital learning. As a result, billions of emails are sent every day.

What Is Lateral Phishing?

Lateral phishing is a phishing campaign executed by an external threat–such as a hacker–but the email is sent from a school district’s compromised account to other accounts within the organization. In the case of K-12 school districts, this means the email is sent from a student, staff, or faculty member’s hijacked account.

Since the email with malicious content is being sent from an internal school district account, the attack may not be caught by IT teams and can operate undetected for a long period of time. this could lead to more than one account becoming compromised in the same school, or another school within the district and the task of putting a stop to the phishing campaign becomes exponentially more difficult to contain.

In K-12, The Perimeter Is No More

K-12 education now lives in a post-perimeter world. Not only do IT teams need to monitor inbound and outbound traffic, but they also need to be monitoring what is inside the internal emails exchanged within a school district. Whether it be an email from a student to a teacher (or vice versa), a teacher to another teacher, or a teacher to a staff member (or vice versa).

Today, students, staff, and faculty bring their laptops and mobile devices home–outside of a school’s network–but still exchange data with one another inside a cloud application. This means a school district’s security perimeter isn’t as defined as it once was. Furthermore, one could argue a perimeter no longer exists because people are more mobile today than before.

But yet, the education market continues to look at cybersecurity from a traditional view, focusing on network firewalls, email gateways, and message transfer agents (MTA). When in reality, K-12 education needs to shift focus to monitoring what is taking place inside an application at all times. Here are three reasons why…



Steamboat Springs School District Secures Google G Suite with ManagedMethods

steamboat school district K12 cloud security customerThis regional K-12 public school district’s IT team supports the needs of over 8,000 students and 1,000 staff members

The Challenge

The Steamboat Springs school district’s IT security team encountered potential compliance and security challenges when it transitioned to Google G Suite for cloud email services, document collaboration, and sharing.

Compliance requirements mandate that the district must have systems in place to monitor for sensitive data such as FERPA, HIPAA/PHI, Individualized Education Plans, and ensure that data is not being stored or shared in a way that violates policies. In addition, the rise of 3rd- party connected applications was presenting a threat to school data due to potential phishing attacks or unauthorized access.

The district also needed to monitor for policy violations and scan documents for objectionable content (e.g., adult content and profanity) and keywords and phrases that would indicate a student is in danger (such as threats, bullying, and harassment.) When student safety is at risk, time is critical. So the IT team needed to be alerted of potential policy violations, as well as deviations from normal data access and sharing behaviors.

“ManagedMethods’ cybersecurity and safety solution provided us a level of visibility we needed to ensure the security and safety of our students and staff. The platform was quick to deploy and gave us immediate insights.”  Tim Miles, Director of Technology

The Solution

ManagedMethods offers both out-of-the-box and customizable policy monitoring features to cover the district’s compliance requirements to protect students against cyberbullying and exposure to inappropriate content. ManagedMethods detects and alerts risks, quarantines sensitive information and remediates threats before they impact student safety or compromise identity.


Join Tim Miles, Director of Technology at Steamboat Springs School District, and ManagedMethods for a free live webinar. Register today to learn how Miles and his IT team use layered security tools to manage cyber safety and security in his district’s schools


How To Apply the NIST Cybersecurity Framework in K-12 School Districts

Use the Framework to Help Tame K-12 Cybersecurity Threats

The National Institute of Standards and Technology (NIST) is a federal agency that doesn’t impose regulations. Its focus is to act as an unbiased agency that provides scientific data and publishes best practices for a variety of things, including cybersecurity. The NIST Cybersecurity Framework was originally released in 2014 and continues to be updated since then.

As states look for ways to improve student data privacy laws and K-12 cybersecurity resilience, several are using the framework to guide new regulations and guidelines. As a district IT leader, it’s a good idea to familiarize yourself with the NIST cybersecurity framework to develop, audit, and strengthen your own cybersecurity infrastructure.

A Brief History of the NIST Cybersecurity Framework

In 2013, Executive Order 13636 called for an effort to share cybersecurity threat insights, and to create a framework for reducing the risk to the nation’s critical systems. NIST was chosen to fulfill this Executive Order because of its reputation for establishing partnerships with private sector industries, educational institutions, and other government agencies to address critical national issues.

NIST conducted a process that included obtaining information from its partners to describe existing best practices for cybersecurity, to identify critical areas that weren’t included in existing best practices, and to develop plans for closing those gaps.

NIST reviewed the information they received and held framework workshops to encourage debate on a range of security issues. In July 2013, NIST published a preliminary Cybersecurity Framework that was widely discussed and NIST held additional workshops.

In February 2014, NIST released Version 1.0 of the Framework. The agency continues to encourage review by holding workshops to refine the Framework. NIST released Version 1.1 of the Framework in April 2018.

Why Do K-12 School Districts Need a Cybersecurity Framework?

It’s no secret that K-12 school districts collect and store an extraordinary amount of sensitive data. That data ranges from personal information about students to data used to run the business side of a school district. Protecting this information is critical, and using a framework to plan and execute your district’s cybersecurity strategy can be helpful. A 2016 survey found that 95% of IT security professionals that use some kind of cybersecurity framework experience benefits including greater security operations effectiveness, improved compliance, and a greater ability to present security readiness information and issues to leadership.


K-12 districts are near the top of the list of organizations that cybercriminals attack. Districts reported a 62% increase in cyber incidents in 2019 compared to 2018, and a 256% increase in data breaches. It’s obvious that K-12 cybersecurity is a significant issue for district leaders.

The NIST Cybersecurity Framework offers many benefits to school districts in managing the cybersecurity threat because it:

  • provides a systematic approach to cybersecurity
  • can be incorporated into your existing cybersecurity program
  • can be tailored to meet your needs
  • helps you identify areas where you need to strengthen your defenses
  • helps you communicate clearly within the district and other stakeholders
  • helps staff at all levels address cybersecurity issues in their areas of responsibility

nist cybersecurity frameworkUnderstanding and Applying the NIST Cybersecurity Framework

The NIST Cybersecurity Framework identifies five steps you can take to avoid cyberattacks. Here’s a brief summary of each step.

  • Identify: Start by listing all equipment, software, vendors, and data you use. Create a district cybersecurity handbook and update school board policies concerning employee and student records.
  • Protect: Take steps to track traffic, encrypt sensitive data, update software regularly, change passwords periodically, and train employees and students about cybersecurity.
  • Detect: Monitor computers and web use for authorized access, and identify any unusual activities.
  • Respond: Establish a business continuity plan, notify anyone whose data may be compromised, report attacks to authorities, contact your cyber insurance carrier, and update the cybersecurity handbook based on experience.
  • Recover: After an incident, repair any equipment that was affected, and keep everyone involved up to date with your response and recovery actions.

Including Cloud Security into Your Cybersecurity Framework

Does your school district use G Suite, Office 365, or both? If so, keep in mind that perimeter-based cybersecurity tools, such as a next gen firewall, aren’t enough.


A variety of unique K-12 cloud risks increases a district’s vulnerability. And, the native security administration tools in G Suite and Office 365 make it difficult and time-consuming to configure settings, detect incidents, and find the information you need to respond. You can address those issues by including cloud security into your district’s cybersecurity framework.

  • Identify: Include asset management and governance for cloud apps in your list of things to monitor. Set up periodic and automatic risk assessment audits and reporting in your plans.
  • Protect: Provide layers of protective technology specifically for unique cloud risks, and ensure data security in cloud storage.
  • Detect: Account for the fact that once hackers gain access to an account, or if you experience an insider threat, firewalls won’t be able to detect unauthorized behavior. Establish continuous monitoring of cloud apps on a 24/7/365 basis.
  • Respond: Set up systems to quickly identify the account, files(s), or app that is causing an incident and take action. In many cases, you can automate action to respond in milliseconds.

No school district can afford to ignore the cybersecurity risks they face. Unchecked cybersecurity risks can disrupt schools and the district’s business operations. There’s also a real risk of financial repercussions, harming students and employees, and degrading student data privacy. A cybersecurity attack can cost the district money, time, frustration, and often a reduction in the community’s faith in the district’s ability to protect their children.

Using the NIST Cybersecurity Framework, whether required by state regulations or not, provides a great guide to strengthen your district’s defenses. You can take the first step to applying elements of the framework to your G Suite and/or Office 365 environments by making sure your native security settings are properly configured. Download this 10-step checklist to get started!


eSchool News | FETC 2020 Recap: STEM, Safety, and Students Take Center Stage

by Eileen Belastock, eSchool News

Student engagement and empowerment were evident at FETC 2020 in Miami, FL. Topics ran the gamut from the latest tech tools and personalized learning strategies to funding, supporting, and sustaining district technology initiatives.

Student safety and student data privacy were on the mind of every CTO, IT professional, and district administrator at FETC 2020

cyber safety and student data privacy ManagedMethods approach

Sessions including “What Every District Leader Needs to Know about Cyber Security,” and “Cyber Security Measures and Assessments” highlighted critical strategies that every district should implement to combat cyber-attacks. The “How to Find Technology That Improves School Safety” panel focused on the do’s and don’ts when it comes to safety solutions.

Software companies such as Impero, Securly, Gaggle, GoGuardian, Mimecast, and ManagedMethods offered district tech leaders optimal student safety options ranging from protecting student data to protect students from self-harm, inappropriate content, and potential violence…




Is Cyber Insurance a Substitute for Cybersecurity?

When it comes to cybersecurity, an ounce of prevention is worth a pound of cure

According to research analyzing 2019 K-12 cybersecurity, school districts saw a 62% increase in attacks over 2018. Some IT leaders are taking the view that purchasing cyber insurance is a cost-effective and easy way to address the issue. But while investing in cyber insurance is an important part of a comprehensive cybersecurity strategy, it isn’t a substitute for cyber defense. Nor does it cover “good enough” compliance with most student data privacy laws.

What is Cyber Insurance?

Cyber insurance is sometimes called cyber risk insurance or cyber liability insurance coverage (CLIC). Its purpose is to help school districts mitigate risk by offsetting the costs of recovering from a cyberattack.

According to AT&T’s 2017 Global State of Cybersecurity report, over one-quarter (28%) of all organizations surveyed view cyber insurance as a substitute for cyber defense. Rather than as a part of a multilayered cybersecurity infrastructure and strategy.

It’s an unusual way to think of insurance.

For example, most companies carry property insurance, but they still make sure that their buildings are maintained in order to avoid electrical fires or other preventable threats. In any other case, people view insurance as a method for recovering from a disaster that occurred despite their best efforts to avoid it.

Advantages and Disadvantages of Cyber Insurance

While cyber insurance has benefits, there are things that it can’t do for your school district. It’s important to understand what a cyber insurance policy will and will not cover in order to understand the benefits as well as the disadvantages.

Currently, there are no standards for cyber insurance policies, but some common expenses that the policies cover include:

  • Investigation Expenses The insurance company needs to investigate to discover what happened, how to fix it, and how to prevent the same type of attack in the future. Third-party security firms, law enforcement, and the FBI may participate in the investigation process.
  • Monetary Losses The policy may cover losses caused by negligence, system downtime, and interruption. It may also reimburse for the costs of recovering data and controlling the crisis, which may include repairing damage to your reputation.
  • Notification and Credit Monitoring In most situations, you’ll be responsible for notifying the individuals a data breach affected. Some jurisdictions have laws requiring this notification. The policy may also cover the costs of credit monitoring for the affected individuals.
  • Legal Expenses The policy may cover legal fees incurred to deal with the release of private information and intellectual property, legal settlements, and fines from regulatory organizations. In some cases, the costs required to recover from extortion attacks such as ransomware may be covered.




The key disadvantage of cyber insurance is that policies are in their infancy. Purchasing cyber insurance requires in-depth analysis because the lack of standards makes coverage that typically varies by insurer and policy even more dissimilar. A cyber insurance policy may not cover the following situations that are common in K-12 environments.

  • Breaches Caused by Vendors or Third-Party Providers This is a big issue in K-12. A variety of EdTech vendors could unintentionally allow cybercriminals to gain access to your school’s networks and systems.
  • Social Engineering Attacks Most policies will cover network attacks. But, social engineering attacks such as phishing, and advanced persistent threats (APTs) are becoming more common and can happen without being detected as an attack on the network.
  • Data Breaches Caused by Users Employees, students, and other internal users can cause data breaches either intentionally or unintentionally. In fact, people within the school community caused slightly over half of the data breaches in K-12 schools in 2018.
  • Advanced Persistent Threats An APT can be active for weeks, months, or years. If the policy includes coverage timeframes, it may not cover an APT.

Why You Need a Cybersecurity Defensive Strategy

All a cyber insurance policy will do is cover some of the financial losses after an attack has taken place. Also, a cybersecurity insurance policy can’t help you deal with the disruption an attack leaves in its wake. That disruption has closed schools and caused severe cases of bullying, identity theft, and even physical threats against students.

One of the most important reasons to invest in a cybersecurity defensive strategy is to comply with regulations. Federal and some state laws require that your school district secure a variety of data including social security numbers, W2 information, and health information.



If being compliant isn’t enough motivation, you know that a cyber insurance policy can’t prevent an attack. Implementing a K-12 cybersecurity infrastructure may seem like a daunting task—particularly for smaller districts. But it doesn’t have to be. Chances are, you already have some of the elements in place, such as a next gen firewall and a content filtering tool. If your district uses G Suite and/or Office 365, your next step should be to start looking into cloud security platforms.

No homeowner has ever said, “Oh, I don’t need to fix the dishwasher. If it floods the first floor, my insurance will fix it.” Like most insurance, K-12 leaders need to use cyber insurance to offset losses from events that they have already worked hard to prevent.


Cyber Safety and Student Data Privacy in K-12 Schools

Managing cyber safety and student privacy is becoming a tough balancing act for school districts

Everyone would like to protect children from the dangers on the internet, but it’s not an easy thing to do. As students are spending more time online, both at school and at home, managing cyber safety and student data privacy is becoming a difficult issue for district administrators, parents, students…and society.

Further, children’s experiences online are more apt to translate into physical, offline experiences. For example, in addition to in-person bullying, 47% of young people have been the recipients of bullying messages while online. For a child who is struggling with their self-worth, it seems that negative messages are everywhere, all the time. There’s no safe place for them.

People say things online that they might not say to another person when they’re face to face. Thoughts of violence or suicide can grow based on internet interactions and then translate into action in the physical world.

The cyber safety industry emerged as a response to these issues. But there is growing controversy surrounding the use of cyber safety programs, particularly those administered by schools. The big question is how to preserve student data privacy while trying to protect them while they’re online. Parents are also concerned about how constant surveillance will affect our children during their formative years.

Most cyber safety tools gather information about a student’s behavior, which raises questions about how that data is being stored and handled. Without privacy protections, things that a student does in grade school could have an impact on the rest of their life, including things like where they go to college and career opportunities.

Cyber Safety and Student Privacy in the News

The use of for-profit cyber safety companies in K-12 schools is causing controversy that has spilled over into the news. Companies such as Gaggle, GoGuardian, and Bark are players in the cyber safety marketplace. The scope of monitoring varies by company, but most track and store students’ browsing behavior online and actions in school apps and social media. Some even have people on-staff monitoring students’ activity.

Santa Fe High School uses Gaggle, which integrates with the two most popular software suites used in schools, G Suite and Microsoft 365. It monitors everything online, including social media, browsing history, email, homework documents, uploads, chats, pictures, and calendars. The company claims to be able to detect brewing violence and says that it saved hundreds of students from committing suicide in one school year. However, experts aren’t convinced this monitoring is effective or healthy.

The Woodbridge, New Jersey school board is using GoGuardian to promote school safety. The students there are so concerned about privacy that when they appeared at a board meeting to voice them. They shared their concerns with the board members and asked how the board could guarantee their privacy.

The Montgomery County School Board in Maryland and GoGuardian agreed to delete student records once a year after pressure from parents. The parents’ concern stemmed from situations like an innocent internet search leading to a site sponsored by the Ku Klux Klan. The parents didn’t want a record of that search haunting their children throughout life.

There is nothing inherently bad about any of these products. The concerns arise when questions about how the information they collect is stored and used are not sufficiently answered.

Is There a Happy Medium?


A perfect solution for protecting students from all the issues they’re facing doesn’t exist. Schools, parents, and society are struggling with the challenges that schools and children face in the modern world. But that doesn’t mean that the problem of cyber safety and student privacy is going to go away.

School districts and parents will try various solutions, probably based on the perspective and needs of local residents. Open communication between school officials, parents, and students is the best way to identify a course of action.

Schools should also create and use a documented vendor policy that outlines data privacy, infrastructure security, and other requirements of any platform or contractor prior to entering a contract with them.

cyber safety and student data privacy ManagedMethods approachManagedMethods’ Approach to Cyber Safety and Student Data Privacy

ManagedMethods is a cloud data security platform first. This means that the platform focuses on securing the sensitive information stored in district G Suite and/or Office 365 from malicious attacks and accidental leaks.

But, since we cater specifically to the K-12 market, we’ve used our cloud monitoring and data loss prevention technology to develop some cyber safety capabilities into the product.

We’re helping those customers who want it configure our data loss prevention technology to monitor and flag text and images to identify potential cyberbullying, explicit content, and threats of violence or self-harm. But we only monitor school districts’ G Suite and/or Office 365 apps—including Gmail and Outlook 365, Drive and OneDrive, Shared Drives and SharePoint. We also monitor G Suite and Office 365 for additional apps connected to district environments through OAuth and give them a risk score, which allows system admins the ability to sanction, unsanction, and remove 3rd party apps from the environment.

Unlike cyber safety vendors like Gaggle and GoGuardian, we only monitor text and images in a school district’s G Suite or Office 365 accounts. We don’t monitor:

  • Student or staff personal Google or Microsoft accounts
  • Social media accounts and activity
  • Internet searches
  • Any content or behavior outside of the school district’s G Suite or Office 365 suites

Many cyber safety vendors store data on their systems, which leads to the fear that the data could be compromised, or even sold to third parties. The deep API monitoring we use to keep an eye on G Suite and Office 365 means that we don’t collect, store, or backup any data on anyone. The school district maintains control of all data because it’s stored in their apps.

Cybersecurity, Safety, and Student Data Privacy

We concentrate on securing school district data in the cloud because school districts are under attack. Student, staff, and district business data are considered “soft targets” by criminals, and are increasingly being targeted. We believe that the best way to ensure students (and parents and staff) don’t fall victim to identity theft and other safety issues is to secure their sensitive data. This is an issue that many people—including students and parents—are unaware of.

School districts are responsible for protecting their data to comply with student data privacy laws. But the reasons why student data privacy needs to be protected goes beyond compliance requirements.

It’s also important to secure student data for the safety of the child. When criminals gain access to student data, the students become vulnerable to physical attacks because the criminals know where they live, or financial attacks because criminals can ruin a credit history based on access to social security numbers.

Cybersecurity in K-12 schools is more important today than ever before. School districts rank number two, after municipal governments, as the industry sector most often targeted by cybercriminals. A look at 2019 K-12 Cybersecurity year in review shows shocking statistics such as a 256% increase in data breach incidents between December 1, 2018 and 2019. Overall, school districts are woefully underprepared for data security in the cloud.

Unfortunately, the questions remain. Do we focus on protecting school district systems, or allow companies trying to protect our kids to store information on their systems? Do we try to ensure safety while making students paranoid because they know someone is monitoring and recording their every move? Do we take the chance that a student can’t get into the college of their choice because of something they did as a child?

There’s no obvious solution to the challenge of balancing cyber safety and student data privacy, but It’s a balancing act we need to master.


How to Secure Student Data in G Suite & Office 365

How to Secure Student Data from Common Threats in the Cloud

Student data privacy is an important, and broad, topic for school districts. It ranges from protecting student data from improper use by companies to securing personally identifiable information from accidental exposure and cyber attacks. As you know, securing student data is a challenge, especially when that data is stored in cloud apps like G Suite and Office 365. There are four main threats to your student data in the cloud.

  1. Accidental exposure
  2. Phishing and malware
  3. Account takeovers
  4. Shadow EdTech

Protecting students from manipulation and identity theft are just two reasons why student data privacy is important. Contrary to popular belief, traditional cybersecurity infrastructure that relies on a firewall—even a next gen firewall—won’t provide the security you need to secure data stored in G Suite and Office 365. And content filtering certainly isn’t doing anything to protect data stored in your district’s cloud apps—that’s just not what it’s made for.


Here are tips on how to secure student data from these four big threats in G Suite and Office 365.

1. Secure Student Data from Accidental Exposure

No one in your district wants to expose sensitive data, but accidents are unavoidable. That makes data loss prevention an important topic. Accidental data exposure typically results when an employee sets document sharing settings improperly or accidentally emails information to the wrong people. For example, if a document setting allows sharing with the public, anyone can access it. If the document contains sensitive information, hackers can easily steal the data. Additionally, when a device is lost or stolen, data can quickly get into the wrong hands.

Google has incorporated a number of G Suite data loss prevention features into the Admin Console. Your role is to establish best practices using the tools Google provides, and make sure that cloud app security settings are properly configured.

Data loss prevention for Office 365 can be a bit less straightforward. Microsoft’s tools vary depending on the subscription level you maintain. Often, third-party tools are available that are less expensive, easier to use, and more flexible.

It’s important that you set up internal policies to govern document sharing. You’ll also need to educate your staff on the subject and set up automatic alerts when a policy is broken. Those alerts will remind users that they need to do something different to maintain security.

2. Phishing & Malware Protection

Phishing emails are still the biggest threat vector to any organization, and schools are no exception. Most ransomware, malware, or other type of cyber attack that happens today still begins with a phishing email. While advancements in phishing and malware threat protection technology are getting better at filtering these out of inboxes, criminals have an uncanny ability to stay one step ahead.

What many people don’t realize is that, when you’re working with cloud applications, hackers can get around traditional cybersecurity tools in different ways. For example, a seemingly legitimate email can easily get past the network perimeter because it looks like authorized activity. But, if that email distributes a document containing phishing or malware links, your data can be compromised.

Phishing and malware tools and technology are important, and must properly match your district’s IT infrastructure. But training and awareness is still the best way to secure student data and protect school information from these types of attacks. Train everyone in your district to think before they click, even if an email seems legitimate.

An excellent example of the need to think before you click was reported in 2017. Hackers distributed emails that contained a Google Doc link. There was no malware or fake website associated with the email for traditional cybersecurity tools to find. Anyone who clicked the link gave hackers access to their contact lists and control over their email account.

Make sure that the people in your district understand that even emails from trusted sources could be dangerous. Encourage them to think twice before they click.

3. Secure G Suite & Office 365 from Account Takeovers

Account takeovers are much more challenging to prevent and detect in cloud applications. Like phishing and malware attacks, when a hacker is inside your network perimeter, the activity looks legitimate to traditional cybersecurity tools. Once a hacker has taken over an account, they can gain access to sensitive information. They can also send lateral phishing emails to take over other accounts in the cloud.

A cloud security platform can help with account takeover prevention and detection. Not only will it protect your district’s Gmail and/or Outlook accounts from phishing and malware threats, it will also monitor for attacks hidden within trusted links, like shared docs and drives.


A good cloud security platform will also monitor your accounts for irregular behavior that could signal an account takeover attempt (or success). These behaviors might include login attempts from another country or an unfamiliar IP address. It’ll detect lateral phishing emails originating from within your district’s accounts, and lockdown sensitive documents from being improperly shared, emailed or downloaded.

4. Student Data Security and Shadow EdTech Risks

With the proliferation of EdTech applications, your IT department may not even be aware of all the apps that are connected to your district’s Google and Microsoft environments through OAuth. This is what we mean by “Shadow EdTech”.

OAuth makes it easy for users to login to applications. For example, they can login to an EdTech application using their existing school Google or Microsoft credentials. The user likes it because it limits the number of usernames and passwords they must keep track of.

But, when a teacher, student, or employee logs in to an EdTech application with OAuth, they can easily be sharing their school credentials with a hacker. This risk happens in one of two ways. Most commonly, the app developer means well, but has not sufficiently secured the app infrastructure from attack. So, if their application is compromised, it can also create openings to your district’s cloud environment and/or expose student data. Less common, but still a concern, are malicious SaaS apps that are created to look like a trusted app, a fun game, or a helpful tool but are used to take over the user’s Google or Microsoft account.

You can manage EdTech security risks and OAuth security risks (which are closely related) by using tools to monitor and flag risky applications. It’s also a good idea to create an app policy to govern new EdTech providers. In addition, create an internal policy to inform all teachers, students, and employees of approved EdTech providers, the process for evaluating new apps, and the risks of using providers that haven’t been vetted.

Student data privacy laws have not kept pace with the impressive digital transformation taking place in school districts today. Admin and faculty are on the cutting edge of embracing technology to improve classroom experiences and student outcomes. School districts are transitioning to cloud computing, mainly through the use of G Suite, Office 365, and other EdTech SaaS apps, at an impressive rate. But these cloud apps require security tools designed for the cloud.

Cloud data security tools provide 24x7x365 continuous monitoring, run periodic audit reports, and set up automatic data security remediation. Advanced cloud security will provide you with the tools you need to stop accidental data leaks, outwit hackers, and make your systems secure.


The Trouble with Student Data Privacy Laws

Student data privacy laws try to protect our children, but confusion still reigns

School districts know that educational institutions are key targets for cybercriminals. It would help if there was a clear strategy for protecting our children. However, between the Federal government and state legislatures, student data privacy laws consist of a jumble of regulations. The lack of consistent strategy makes it much more difficult to protect student data.

The Family Educational Rights and Privacy Act (FERPA)

FERPA is the only federal regulation that covers both student data privacy and security issues. President Ford signed FERPA into law in 1974. The purpose of the Act is to protect the confidentiality of student records.

The Act wasn’t originally a law unto itself. It is commonly called the Buckley Amendment because it was originally offered as an amendment to the Elementary and Secondary Education Act of 1965. As a result of how FERPA evolved, there were no legislative committee reviews or public hearings on the topic of student privacy.

Congress and the Department of Education (ED) amended FERPA nine times in its history. Many people believe that ED has weakened what started out as a strong privacy law. Many parents agree and want the states to provide more regulation on the topic.



The Status of State Student Data Privacy Laws

As of August 2019, there were 126 state laws covering student data privacy. This indicates that most states are trying to patch the gaps in FERPA by passing student data privacy laws. But it also creates confusion about the best strategies to follow to ensure that privacy.

The Parent Coalition for Student Privacy and the Network for Public Education recently released a report that grades each state on their privacy laws. The report gives points in the five core principles created by the Parent Coalition for Student Privacy, along with two additional categories that were added later. Those categories are:

  • Transparency
  • Parental and student rights
  • Limitations on commercial use of data
  • Data security requirements
  • Oversight, enforcement, and penalties for violations
  • Parties covered and regulated
  • Other

Unfortunately, this report card showed significant shortfalls in what the states are doing. For example, no state received an “A” grade. Four states received a grade in the “B” range, and 11 states received a grade of “F” because they have no student data privacy laws. The state of Louisiana, which has passed seven laws between 2014 and 2018, received a “C-“ grade.

According to stakeholders in the area of student data privacy, there’s still a long way to go before the states protect student privacy to the degree necessary in each of the identified categories.

Some States are Moving in the Right Direction

There are some notable state laws that are moving legislation in the right direction. Here are some examples.

Texas Student Data Privacy Laws

Senate Bill 820 is notable because it details requirements for a school district’s cybersecurity framework. The framework must meet requirements set by the Department of Information Resources and secure the district’s infrastructure against attacks. It must also include a program to plan for cybersecurity risk assessment and mitigation.


In addition, the superintendent of each district must designate a cybersecurity coordinator to maintain contact between the district and the education agency. The coordinator must report any unsuccessful or successful cyberattacks to the education agency.

California Student Privacy Laws

California passed six bills related to student data privacy between 2014 and 2018. Those bills:

  • Restrict the use of student data to administering public services or programs
  • Mandate provisions in a Local Educational Agency (LEA)’s contracts to cover how LEA or the vendor will secure student data
  • Mandate that school districts use student identification numbers rather than social security numbers in whole or in part
  • Prohibit operators of websites or online services from using information about elementary or secondary school students except in stated circumstances

New Hampshire Student Privacy Laws

New Hampshire passed 10 student data privacy laws between 2014 and 2018. Those bills cover a range of topics including:

  • Requiring the LEA to create data security and breach notification policies, and to publish an annual breach report
  • Prohibiting any school or LEA from providing student PII to testing entities except in named circumstances
  • Giving a student or a parent the right to have all student data destroyed after the student’s graduation

Utah Student Privacy Laws

Utah passed 10 student data privacy laws between 2015 and 2019. Those bills cover a range of topics including:

  • Requiring the LEA to make recommendations to the Legislature about updating student data privacy laws
  • Requiring the LEA or school to notify parents of a data breach involving student PII
  • Repealing provisions that allowed the LEA to share data with the Utah Registry of Autism and Developmental Disabilities, and the State Board of Education to share data with the State Board of Regents.

There’s no doubt that the Federal government and the states will continue to struggle with the issue of student data privacy laws, encouraged by parent groups and security experts. Because the question of why student data privacy matters is about more than just legal compliance. The impact of student data being used for a variety of reasons—whether by criminals, companies, or bullies—has long-lasting and potentially devastating effects on the child and their family.

In the end, everyone wants to fix the trouble with student data privacy laws. If you’re struggling with security in your district, you can use our Cloud Application Security Checklist as one tool for improving your data security for your students, parents, and your schools.