Posts

Hybrid Learning CIPA Compliance in G Suite and Microsoft 365

Are your G Suite and Microsoft 365 cloud apps CIPA compliant?

You’re familiar with the Children’s Internet Protection Act (CIPA). But, like many IT leaders and managers, you may think of CIPA compliance in terms of blocking content from external sources, meaning other websites. Today, hybrid learning CIPA compliance has an expanded definition.

Now, you need to think about whether internal school cloud technology, including email, file sharing, and chat apps, is CIPA compliant as well.

CIPA Compliance and District Cloud Apps

School districts have been moving to the cloud for nearly a decade. But, the COVID-19 pandemic has motivated districts to go to part remote and part in-classroom teaching models, known as hybrid learning. As a result, the move to the cloud is accelerating as districts prepare for hybrid learning in the coming school year.

If you access E-Rate funding, hybrid learning CIPA compliance requires your district to adopt and implement policies addressing:

  • Minors accessing inappropriate content on the internet
  • Safety and security of minors when using electronic mail, chat rooms, and other forms of direct electronic communications
  • Restricting minors’ access to materials that could be harmful to them

For school districts using cloud apps like those provided by G Suite and Microsoft 365, these requirements absolutely cover communications and access to content on these school-provided applications.

It’s a very real problem. There are many documented cases of students sharing improper content, images, and videos via school Google Drives, and other cloud-based communication platforms. Students also often use Google Docs as “chat rooms” because content filtering doesn’t stop them, and most school districts don’t have the ability to monitor for these unauthorized chat rooms.

Historically, putting an internet-filtering appliance on the network has been the answer from a technology standpoint. Today, administrators need to understand how students’ increasing use of school technology affects their CIPA compliance standing.

Students use the internet to access school technology such as G Suite and Microsoft 365, which makes their use of those apps and the content shared within them subject to CIPA requirements. Traditional, network-based web content filters are unable to monitor behavior such as text and image content sharing within cloud applications.

Browser-level tools are available to plug the internet access monitoring gaps in hybrid learning. IT admins can install a filter on individual devices, typically using a Chrome extension. But how effective browser-level tools are depends on whether your district has implemented a 1:1 or a BYOD program, and to what degree your district has a bit of both going on, officially or not. For districts using the BYOD model, admins can’t reasonably install browser-level tools on all of the devices accessing the district’s systems.

This is no time to let Google chat safety and security or Google chat CIPA compliance slip through the cracks. District IT teams should be prioritizing controlling their own applications for explicit content, cyberbullying, and discrimination monitoring in both text and image content.

Hybrid Learning CIPA Compliance and Data Security

District IT teams often overlook data security when evaluating CIPA compliance because student safety issues overshadow it. But CIPA also requires schools accessing E-Rate funding to implement policies addressing:

  • Unauthorized access, including hacking, and other unlawful activities by minors online
  • Unauthorized disclosure, use, and dissemination of any minor’s personal information

Web content filters—whether those filters are hosted on-prem, via extension, or in the cloud—just don’t cover these two areas. They merely block students from accessing websites that contain specific types of information. And the K-12 cybersecurity problem is getting worse.

Microsoft’s Global Threat Activity Tracker found that the education sector experienced 60% of the 8 million total malware encounters over the last 30 days. Hackers are specifically targeting school districts because they know that districts are more vulnerable than ever. Why? Schools are easy targets because they still rely on outdated network security protections, including firewalls, at a time when most of their users are off the network and in the cloud.

Hybrid learning models are only going to make this security issue more complicated. In many cases, students and teachers will be leaving and returning to the network over and over again in the coming school year. This means that hybrid learning CIPA compliance requires a zero-trust security posture by district IT teams.

This posture includes the ability to control 3rd party apps, a need that has alarmed many district IT teams in the wake of spring’s remote learning migration.

Hybrid learning security and CIPA compliance require that you protect data when it is stored, accessed, and shared in district cloud applications. How will your district comply?

Most districts will see school back in session in just over a month. Those districts that are using this time to fortify their cloud application security, and cyber safety monitoring policies and tools, will be in the best position to protect students from both cyber safety risks and data security threats.

1:1 vs. BYOD in Hybrid Learning Security

Whichever you choose, a zero-trust security model is critical for effective hybrid learning security

The challenges presented by the COVID-19 pandemic just keep on pouring in. Most districts are now concerned about how to provide devices for hybrid learning. According to our recent poll, over 60% of districts are planning for some level of hybrid learning in the coming school year. IT leaders in these districts are facing many issues, and whether to roll out a 1:1 vs. BYOD program is high on their lists.

Most of the information you’ll find about the pros and cons of 1:1 vs. BYOD focuses on considerations such as cost, maintenance, management, and equitable access. Few discuss the data security needs that must be addressed. Whether your team is still making a 1:1 vs. BYOD decision, or you’ve already made the decision and you’re in the midst of rolling your program out, hybrid learning security considerations need to be fleshed out for both 1:1 and BYOD scenarios.

What is Hybrid Learning Security?

Securing school networks and data is a critical issue for all districts at all times. But in the upcoming hybrid learning environment that will be new to many school districts, data security will be a bit different than what most K-12 IT leaders and security admins are used to.

The shift to K-12 remote learning in the spring of 2020 led to plenty of cybersecurity challenges. For example, one of the hottest cybersecurity topics for district IT teams this summer is how to control 3rd party apps that were connected to their domains in the spring (and going forward). Now that hybrid learning is here, you’ll have students in the classroom at some times, and learning remotely at others. This hybrid learning model is going to present new security challenges.

The hybrid security environment is unique because students and teachers won’t just use the school building’s network. They’ll also use their home network. Any malware, spyware, etc. they pick up when their devices are not protected by the school’s network security could end up on your network when they return to the classroom.

The zero-trust security model has been popular among both small and large businesses for years, and it’s time for school districts to start implementing this type of cybersecurity infrastructure. It focuses on securing access to data, rather than only controlling access to networks. It also allows you to secure sensitive information no matter what device is being used or where users are when they access school cloud apps. It also provides an additional protective layer around sensitive data, should an attack breach your network.

“I’m not overly concerned about students and teachers using public or unmanaged networks for the simple fact that I treat all endpoints as hostile to begin with. Whether I own them or not, there is zero trust there.”
— Neal Richardson, Director of Technology @ Hillsboro-Deering School District
Quote from The State of K-12 Cybersecurity & Student Data Privacy Panel Discussion

Comparing 1:1 vs. BYOD in Hybrid Learning Security

The question for many district IT teams is: Which device model is best? From a hybrid learning security standpoint, there are pros and cons to both.

Securing 1:1 Devices

Though the upfront cost of a 1:1 program is higher than BYOD, it does make K-12 hybrid learning security quite a bit easier. District IT admins have more control over 1:1 devices in areas such as the types of security software used and device-level security settings and configurations.

They also have access to a greater number of device and extension-based content filters and student safety monitoring solutions that are available on the market to meet CIPA compliance requirements. There is also greater availability of device-based antivirus and remote access software that makes it easier to protect the devices and assist users if there’s a problem.

IT admins will still need to monitor and control access to accounts and files stored in their cloud applications, even with a 1:1 program. This is because device and extension-level security tools don’t have the capability to monitor activity happening within cloud applications, such as G Suite and Microsoft 365.

Keep in mind, too, that even if you decide on a 1:1 device plan, you’ll probably have some teachers, staff, and students who use their own device from time to time. For example, if a student forgets to bring their school-provided device home, they’ll undoubtedly end up using their own device for accessing remote classrooms and doing their homework. Therefore, your 1:1 hybrid learning security plan needs to be able to secure access to school cloud apps and information regardless of the device being used.

Securing BYOD Devices

BYOD programs seem more cost-effective for school districts because they can avoid upfront costs for acquiring the right number of devices. But a BYOD program comes with a long list of process, management, support and accessibility issues that may reduce the program’s cost-effectiveness over the long term.

For many districts, the Spring 2020 remote learning experience created a de facto BYOD program. Students and teachers, in many cases, needed to use their home computers to log in for remote learning. This is causing huge security problems for districts that don’t have cloud monitoring capabilities in place.

Districts opting for a BYOD program will be more reliant on cloud-based content filtering, access monitoring, and data security tools to keep their student, staff, and business data secure because they won’t have as much control over students’ personal devices. Cloud-based security also helps keep students safe and districts compliant with FERPA, HIPAA, CIPA and other regulations.

Cloud Security for 1:1 and BYOD Hybrid Learning

Regardless of which device model your district decides to use for hybrid learning, cloud application security is a critical element of building a zero-trust security posture. If your district is using G Suite and/or Microsoft 365 for the coming school year, that means your district is going to be storing a large amount of sensitive data in the cloud.

That means you need to incorporate cloud security tools into your cybersecurity infrastructure. They provide broad benefits for both 1:1 and BYOD initiatives for districts that are planning for hybrid learning in the fall. Cloud-based monitoring and management give IT admins the ability to maintain full visibility and control over data access and user behavior, whether students are logging in from home or the classroom. They also help to keep your network free of cybercriminals or other “bad guys” when devices used at home reconnect to your network.

If your district is evaluating your own 1:1 vs. BYOD decision, you need to consider the unique security issues that hybrid learning presents.

How to Control 3rd Party Apps in Hybrid Learning

The ability to control 3rd party apps access is a hot issue for K-12 IT admins planning for hybrid learning this year

Vendors flooded the K-12 market with remote learning resources such as free or reduced-price 3rd party apps when COVID-19 first shut down school buildings. Most of these Education Technology (EdTech) apps are offered on cloud-based SaaS architecture. If the SaaS isn’t engineered with security in mind, it can cause real security headaches. And, there are a variety of other security issues that make it necessary for school districts to control 3rd party apps.

What are 3rd Party Apps?

PCMag.com defines 3rd party apps as “An application that is provided by a vendor other than the manufacturer of the device.”

In education environments, most 3rd party apps are cloud apps that are connected to a Google or Microsoft domain using Open Authorization (OAuth). OAuth is popular because it saves users time when they log in to their apps. For example, an app can let you log in using the credentials you use to log in to Google. It cuts down on the number of logins a user needs to keep track of. It also grants the app permissions on the account, such as to view, read, write, and/or send emails through Gmail.

There are tens of millions of apps available on Google and Apple app stores. The volume is undoubtedly one reason why even these two giants deal with malicious apps. For example, early in 2020, Google found fraudulent apps in their store that could cause significant problems for the owners of the 1.7 million devices that already had the apps installed.

3rd party apps are also available on many private websites. While most people know not to download apps that haven’t at least been vetted by Google and/or Apple, less tech-savvy adults and younger students who don’t know better could create real problems for IT admins. It’s important to include a warning against those types of apps during internet education for students, staff, and teachers. Better yet is to have a formal 3rd party app policy that includes a list of approved apps and a process for vetting new apps.

“Shadow” 3rd Party Apps

One of the biggest challenges district IT admins have is finding ways to control 3rd party apps that are part of the tidal wave of EdTech being connected to their district domains. This has always been a problem, but it particularly ballooned out of control since remote learning began last spring. Those admins understand first-hand the meaning of “shadow” 3rd party apps.

TechTarget defines a shadow app as “a software program that is not supported by an employee’s information technology department.” IT teams have an even bigger challenge because not only are teachers using shadow apps for EdTech, but students are busy connecting shadow apps to district systems as well.

OAuth risks were an issue long before COVID-19 required schools to switch to remote learning almost overnight. EdTech security risks include ransomware vulnerabilities, account takeover risks, and data security threats for school districts that aren’t monitoring and controlling app risk levels and activities.

Hybrid learning security increases the complexity of securing district data and information systems. IT teams need to start planning to monitor and control 3rd party apps that are creating these security risks in their environment.

How to Control 3rd Party Apps for Hybrid Learning

Our recent poll found that just over 60% of K-12 districts are planning for hybrid learning for the 2020/21 school year due to continued COVID-19 concerns. This means that students, teachers, and staff will be relying on cloud apps more than ever before. Controlling 3rd party apps, along with the variety of other K-12 cloud risks, is going to continue to be a challenge for many districts.

It’s true that Google and Microsoft provide some type of native support to control 3rd party apps. The problem is that these native solutions require expensive upgrades to get close to real control and they aren’t very user-friendly. Neither native solution provides an easy way to find and control 3rd party apps that shouldn’t be connected to your district’s domain. Nor do they allow you to automate 3rd party app management on a granular level. Controlling 3rd party apps is still a time-consuming and frustrating process.

Controlling 3rd Party Apps in Google Admin Console

Using Google’s App Access Control feature, you can:

  • restrict access to most G Suite services
  • leave G Suite services unrestricted
  • trust specified apps to access restricted G Suite services
  • trust all domain-owned apps

Using this tool, you can review the apps that your users have authorized. You can see the number of users accessing the app, which G Suite services each app is using, and whether the app is verified to access certain restricted data. You can then assign each app to a category, including Unrestricted, Restricted, and Restricted – High-Risk. You can also add and delete apps from a “trusted” list.

When an app is trusted, it can access all Google services, but you can also make a trusted app limited, which means it can only access unrestricted Google services. Any internal apps that you build for your district can be trusted as a group, or you can assign them to a “trust internal, domain owned apps” category individually.

Building a trusted app list is time-consuming and difficult to manage. And, once you enable the restricted function in Admin Console, the policy is applied globally to your entire domain. There is no flexibility to allow certain apps for different OUs.
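The review described above (which apps users have authorized, how many users each has, and what each can reach) can be sketched as a small triage script. This is an added example, not code from the original post or from Google: the grant records are constructed and shaped like the Token resources of the Admin SDK Directory API (`clientId`, `displayText`, `userKey`, `scopes`), and the scope-to-risk mapping and the approved list are assumed local policy, not Google's own classification.

```python
# Triage of OAuth grants in a domain: group by app, count users,
# rate the union of granted scopes, and surface unapproved apps first.

# Assumed local policy: scope prefixes treated as high risk because they
# expose mail or files. The prefix match is deliberately broad.
HIGH_RISK_PREFIXES = (
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail",
    "https://www.googleapis.com/auth/drive",
)
# Scopes that only identify the user at sign-in.
LOGIN_ONLY_SCOPES = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

# Constructed sample data: client IDs, app names and users are invented.
SAMPLE_GRANTS = [
    {"clientId": "111.apps.example", "displayText": "Quiz Maker",
     "userKey": "alice@district.example.org",
     "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email"]},
    {"clientId": "111.apps.example", "displayText": "Quiz Maker",
     "userKey": "bob@district.example.org",
     "scopes": ["openid", "email"]},
    {"clientId": "222.apps.example", "displayText": "Mail Merge Helper",
     "userKey": "carol@district.example.org",
     "scopes": ["https://mail.google.com/"]},
    {"clientId": "222.apps.example", "displayText": "Mail Merge Helper",
     "userKey": "dave@district.example.org",
     "scopes": ["https://www.googleapis.com/auth/gmail.send"]},
    {"clientId": "333.apps.example", "displayText": "District LMS",
     "userKey": "alice@district.example.org",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"clientId": "333.apps.example", "displayText": "District LMS",
     "userKey": "carol@district.example.org",
     "scopes": ["https://www.googleapis.com/auth/classroom.courses.readonly"]},
    {"clientId": "444.apps.example", "displayText": "Calendar Widget",
     "userKey": "erin@district.example.org",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]

# Assumed district allowlist (the "list of approved apps" a policy would keep).
APPROVED_CLIENT_IDS = {"333.apps.example"}

RISK_ORDER = {"high-risk": 0, "review": 1, "login-only": 2}


def classify_scopes(scopes):
    """Rate a set of scopes under the local policy above."""
    scopes = set(scopes)
    if any(s.startswith(HIGH_RISK_PREFIXES) for s in scopes):
        return "high-risk"
    if scopes and scopes <= LOGIN_ONLY_SCOPES:
        return "login-only"
    return "review"  # unknown or empty: a human should look at it


def inventory(grants, approved_client_ids):
    """Aggregate per-user grants into one row per app, worst first."""
    apps = {}
    for g in grants:
        app = apps.setdefault(g["clientId"], {
            "name": g.get("displayText", "(unnamed)"),
            "users": set(), "scopes": set(),
        })
        app["users"].add(g["userKey"])
        app["scopes"].update(g["scopes"])

    report = [{
        "clientId": cid,
        "name": app["name"],
        "user_count": len(app["users"]),
        "risk": classify_scopes(app["scopes"]),
        "approved": cid in approved_client_ids,
    } for cid, app in apps.items()]

    # Unapproved apps first, then by risk, then by how many users are exposed.
    report.sort(key=lambda r: (r["approved"], RISK_ORDER[r["risk"]],
                               -r["user_count"]))
    return report


def shadow_high_risk(report):
    """Apps nobody approved that can reach mail or files."""
    return [r for r in report if not r["approved"] and r["risk"] == "high-risk"]


if __name__ == "__main__":
    for row in inventory(SAMPLE_GRANTS, APPROVED_CLIENT_IDS):
        print(f'{row["name"]:<20} users={row["user_count"]} '
              f'risk={row["risk"]:<10} approved={row["approved"]}')
```

Rating the union of scopes across all users matters here: one user granting a mail scope makes the app high risk for the domain even if everyone else only used it to sign in.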

Controlling 3rd Party Apps in Office 365 Advanced Security Management

When a user tries to connect an app to Office 365, a prompt will appear asking them to approve the permissions for that app. However, since many users don’t read the permissions closely or don’t know which apps should be allowed access, Microsoft also provides an App Permissions feature that District IT can use to manage the apps’ access.

Using App Permissions, you can see which apps have access to Office 365 data, and the level of permission assigned. You can also see which users approved access to their accounts for each app. You can then approve the app or reverse its permissions, which will restrict its access to any users’ data. If you do deny an app permission to access Office 365 data, you can send a notice to the users who approved the app to notify them that the app is no longer available.

Again, accomplishing these tasks in your console is “clunky” at best. It doesn’t provide you granular control over approving, removing, sanctioning, and unsanctioning apps without the need for advanced coding and configurations.

Isn’t It Ironic? You Can Use a 3rd Party App to Control Your 3rd Party Apps!

ManagedMethods is a platform developed specifically for K-12 cloud security and student safety. We help school districts remain compliant with federal regulations such as FERPA, COPPA, and CIPA. We also help districts comply with the litany of state laws that have passed in recent years (learn how we helped Hillsboro-Deering School District comply with NIST requirements).

ManagedMethods will help your IT department quickly and easily identify and control 3rd party apps in your domain.

Discrimination Monitoring in Hybrid Learning Environments

As IT teams prepare for the coming school year, now is a good time to incorporate discrimination monitoring

The discussion about discrimination in the United States has moved onto center stage. Our country has been rocked by protests related to discriminatory police action. The Black Lives Matter movement is front and center. Everyone from protesters to police are “taking a knee” in support of justice for victims of discrimination.

In other news, the Supreme Court recently issued a landmark decision to protect the LGBTQ community from employment discrimination based on Title VII of the Civil Rights Act. The Court ruled that Title VII prohibits discrimination based on sex, and that firing an employee because of homosexuality or transgender status violates the Civil Rights Act.

What do these events mean for K-12 schools? Hopefully, not much, because they already welcome all students and treat them equally. But there is also evidence that this may not be true. Now is a perfect time to take an introspective look at school processes and procedures.

For IT leaders, that includes considering how school technology may be perpetuating discrimination, either latently or overtly. There are many manifestations of inequality in school technology, and we aren’t going to attempt to cover them all here—there are much better and more qualified experts on this subject.

We are going to talk about how K-12 IT teams can incorporate monitoring for discriminatory behavior in district cloud apps and why they might want to. If your school district is using G Suite or Microsoft 365 in the coming year, incorporating discrimination monitoring into your overall cyber safety monitoring may be a relatively easy step. Discrimination monitoring will help you prevent school technology from being used for discriminatory cyberbullying under the radar.

Discrimination Compliance in K-12 School Technology

K-12 schools that receive federal funds from the Department of Education (ED) must comply with the Civil Rights Act of 1964. The Civil Rights Act prohibits discrimination based on:

  • Race
  • Color
  • National Origin
  • Sex
  • Disability

The mission of the ED’s Office for Civil Rights is to “ensure equal access to education and to promote educational excellence through vigorous enforcement of civil rights in our nation’s schools.” Under Title VI of the Civil Rights Act, education programs and activities such as admissions, recruitment, financial aid, academic programs, student treatment and services, counseling and guidance, discipline, classroom assignment, grading, vocational education, recreation, physical education, athletics, housing and employment must operate in a non-discriminatory manner.

Further, the Department of Education published a fact sheet regarding COVID-19, remote learning, and protecting the civil rights of students in March 2020. The document outlines districts’ responsibilities to take appropriate action in response to reports of bullying and harassment of students based on disability, race, color, or national origin. With 60% of school districts planning for hybrid learning in the coming school year, administrators can expect even more bullying to take place online than ever before.

Promoting Good Digital Citizenship in Hybrid Learning

Discrimination monitoring can help districts improve their anti-bullying and digital citizenship programs for students. Being able to detect discriminatory text and behaviors in digital environments helps to inform administrators what they may need to focus the curriculum on.

Again, this is going to be particularly important as schools rely more on digital learning environments such as Google Classroom, Microsoft Teams, Schoology, and others. Cyberbullying was already an issue for many school districts when students were in class. As they spend more time online and become more used to communicating with each other on these platforms, there is a very real possibility that cyberbullying incidents will increase.

Monitoring for discrimination, cyberbullying, and other student safety issues will help districts adjust their programs to current needs and future trends to promote good digital citizenship in their students. This will not only improve students’ digital literacy skills, but will also help keep your schools an inclusive place to learn and grow—online, offline, and anywhere in between.

Reinforce Digital Citizenship Rules in the Physical World

Discrimination monitoring and, more specifically, the learning programs it can help enable will also help reinforce good citizenship in the “physical” world.

Besides regulatory compliance and digital citizenship, K-12 schools should incorporate discrimination monitoring to make sure that they’re protecting the health and wellbeing of their students. You certainly know that bullying of any type can cause stress, depression, social anxiety, violence towards others, and self-harm.

There are also negative results for the student doing the bullying. Whenever possible, it’s best to make these incidents a teachable moment for the person who is discriminating against others. This helps improve the student’s empathy and citizenship in ways that can impact them for the rest of their lives. Further, teachers and administrators don’t want to let a student’s misunderstanding or poor judgment follow them for the rest of their lives.

When students are good digital citizens, it will have an impact on how they interact with others in face-to-face situations. Teaching non-discrimination in digital communications and good digital citizenship will certainly lead to creating a more welcoming culture in schools and communities where everyone gets treated equally.

Discrimination Monitoring and Student Data Privacy

Monitoring students’ online behavior has become a contentious topic in recent years. Students and parents are concerned about for-profit companies building data profiles around individuals and if incidents will haunt a student’s future college and employment prospects. At the same time, school districts are under increasing pressure to protect students from violence, cyberbullying, sexual exploitation, and more.

Both concerns are valid, and districts and parents need to be able to work together to decide what is best for their specific schools and communities. Schools that opt to use student safety vendors that collect and store information on students need to do so with caution. Not only could those vendors be vulnerable to data breaches that expose student information, but the information could also be used for commercial purposes.

IT leaders and administrators need to make sure that they thoroughly vet any EdTech vendor’s privacy policy and terms of service. They should also make sure that vendors are student data privacy certified by third party organizations, such as iKeepSafe and the Student Privacy Pledge.

ManagedMethods uses APIs to monitor school cloud applications (mainly G Suite and Microsoft 365) for both cybersecurity risks and student safety signals. The platform is not a content filter, and it doesn’t collect or store any data. It simply sits within the cloud application and alerts administrators to potential issues based on role assignments. ManagedMethods can help districts take a step in the right direction with discrimination monitoring in hybrid learning environments without putting student information at risk.

The State of K-12 Cyber Safety & Security: Remote Learning Cybersecurity Lessons for Next School Year

Remote learning cybersecurity and operations continuity advice from K-12 IT leaders who lived through it with you

For the past several weeks, we’ve been taking a look at the state of K-12 cyber safety and security in the year 2020. Previously, in The State of K-12 Cyber Safety & Security blog series, we did a 2019 K-12 cybersecurity recap through a remote learning lens. Then, we discussed the impact that EdTech migration is having on security and student data privacy. Finally, we took a deep-dive into student data privacy in remote learning. This post represents our final installment in this series, which culminated last week with a live panel discussion.

We were joined by Doug Levin, founder of The K-12 Cybersecurity Resource Center and creator of the K-12 Cyber Incident Map to discuss the trends he’s seeing now, compared with his research over the past several years and in the context of 2019 cyber safety and security. We were also joined by Neal Richardson, Director of Technology at Hillsboro-Deering School District in New Hampshire, and Greg Hogan, Network Data & Security Coordinator at Bibb County School District in Georgia.

K-12 IT teams were put through the proverbial meat grinder this year to get entire school operations shifted to remote learning, often with just a day or two notice. As a result, K-12 remote learning cybersecurity tended to take a backseat to the immediate needs of equipping students and faculty with devices, internet connection, and tools required to continue learning.

We wanted to sit down with Neal and Greg to hear their remote learning stories, learn what cybersecurity strategies worked for them, what challenges they faced, and what successes and/or lessons learned they’re pulling forward into the next school year. Here, we’re sharing some of the key takeaways from our conversation. You can also listen to the full, recorded panel discussion here.

Remote Learning Cybersecurity Successes

Both Neal and Greg agreed that there were two keys to their districts’ success when it came to remote learning cybersecurity. The first was that they already had strong cybersecurity tools and processes in place before everyone dispersed. They attributed the second key to success to their respective district’s cloud-first strategy.

“Thankfully, our district had a lot of good security practices in place, including at a cloud level. Securing our data at a cloud level puts us at an advantage because we’re not relying on the internal network to keep things secure when everybody scattered,” explains Greg. “As we let devices back onto the network next school year, we feel pretty confident that they should be relatively clean because we have cloud monitoring in place. We’re an Office 365 environment and a ManagedMethods customer and we’re using those two solutions to help maintain some control off-site. So, if those devices do have something wrong with them, it’s being reported in real-time and we’re able to address it and lock down the account if necessary.”

Greg and the IT team at Bibb County have the district set up almost entirely in the cloud. This removes the need to allow students access to the internal network through VPNs, which can create cybersecurity issues. He also recommends using ClassLink, which they use to manage Single Sign-On for students, faculty, and staff accessing their various cloud-based edtech apps.

Neal also has his entire district in the cloud, mainly using G Suite for Education. “We’re 100% in the cloud, and I see no good reason to allow anyone back into my network.”

Neal is a big proponent of using a zero-trust security model and has structured his district’s cybersecurity infrastructure based on it. This security posture was a real advantage when his district’s schools closed with just one day notice. Being located in a geographically hilly area, there are many students and faculty who simply don’t get internet access to their homes—regardless of income level.

That meant that those students and teachers had to find places outside their homes to access remote classes and learning material. They had people parked in school parking lots, where they could access the building’s WiFi. They also had people using public networks in library, McDonald’s, and Dunkin’ Donuts parking lots. Does Neal have concerns about people using public networks?

“No. For the simple fact that I treat all my endpoints as hostile to begin with. Whether I own them or not, there is zero trust there,” explains Neal.

Neal also attributes his district’s remote learning cybersecurity success to the recent state regulations requiring schools to be compliant with parts of the NIST cybersecurity framework. One benefit was that Neal dealt with far fewer third-party apps getting connected to his district’s domain, and with fewer other EdTech security risks, during the remote learning resources free-for-all.

“A part of the NIST requirements includes a data privacy agreement that we need to get signed before we can deploy any software. This means that the software vendor also needs to be compliant with that same subset of NIST 171 as we are, which limits what software is used on the devices,” Neal explained. “What it didn’t limit was every software vendor in the world throwing up their stuff saying, ‘everyone’s got free access until July. Come try it!’ That flooded us with questions from faculty and staff who thought that if it’s free, they can just use it…right? Well, no, we have a process and we need to get it vetted to ensure that it’s safe and secure and that it meets our standards before we can roll it out.”

Next School Year: Hybrid, Remote, or In-Class Learning?

Live polling during the panel discussion found that 60.26% of K-12 IT leaders are planning for some sort of hybrid learning model for the next school year. 1.28% are planning for remote learning, 6.41% indicated in-class learning, and 32.05% said they were still undecided or not sure.

It’s particularly interesting to see the high rate of K-12 IT teams that are still undecided or unsure about their plan at the end of June. Hopefully, these teams are planning for multiple contingencies, versus not doing much in terms of planning yet. Districts will do themselves—and their students—a great disservice by not using this down-time to get processes and tools in place to make the next school year as productive as possible.

The debate around what would be acceptable for students in the next school year is hot, with pros and cons on both sides of the argument. Many people are still uncomfortable with returning to the classroom. And, with COVID-19 cases currently spiking again, it’s difficult to dismiss these concerns. There are also those that are big proponents of the hybrid learning model, arguing that it will better prepare students for life in college and/or the modern workforce.

But there are downsides to remote and hybrid learning compared to in-class. The lack of personal and social development is a concern that should not be overlooked. Students will also have a more difficult time connecting with teachers and coaches in a meaningful way. These are people that have such strong, positive influences on social, emotional, and academic development in students. There are also concerns about how distracting hybrid learning might be for students and teachers alike, and how expensive it will be for cash-strapped schools that are already looking at probable further budget cuts.

The reality is that, even if schools are generally open to in-class learning, there will be some population of students (as well as, potentially, faculty and staff) who can’t re-enter the general population when classes resume. There are those people who are at high-risk for various health reasons. Many schools may also find themselves working with parents who just don’t feel comfortable sending their kids to school yet, regardless of what local officials are saying. Flexibility and creativity will be key in the coming year.

Remote Learning Silver Linings

During our panel discussion, we asked Neal and Greg about what they saw as silver linings in this otherwise lousy, chaotic scenario. Both agreed that one of the silver linings is simply the fact that we—as in the entire K-12 community—could do it. They also both expressed a sense of pride and gratitude for the IT teams they’re part of.

“We’re a small team, there’s two of us, and it demonstrated to our staff—the teaching staff, the administrators, the students—that this IT department can scale and meet their challenges. Whatever gets thrown at them, they don’t have to panic because IT is here to support you,” says Neal. “And I’m seeing that trend across K12 collectively. The entire IT space in K12 has risen to this challenge. It’s been incredible to see and hear the stories about the measures that we’re going through to ensure that students are getting educated.”

Neal also highlighted something that perhaps not many IT leaders are thinking about right now, which is the fact that every district should now have a functioning and tested Continuity of Operations Plan.

“Before, everyone was hesitant to document a plan if something like this were to happen. Well, guess what: it happened. Now, we just need to go back and write down what we did and we have a plan going forward if we need it again.”

Greg added that he saw the way that it forced them to try new things as a silver lining for Bibb County and for districts across the nation.

“Before we were kind of scared to try some things because we were afraid it would be too disruptive. Well, there’s nothing more disruptive than a pandemic,” says Greg. “So, now it allows us to kind of step outside the box and to think outside the box. We’re trying things that we wouldn’t normally try for fear of failure or being disruptive. In doing that, it allowed us to discover new ways of doing things and to get creative. And now we’re able to look at applying that creative mindset to next year. To me, that is a great silver lining and it’s a learning experience.”

K-12 IT teams were already largely overwhelmed, underdeveloped, and underfunded before COVID-19 threw districts into this extreme uncertainty. The coming school year will continue to challenge IT teams and K-12 districts as a whole. Cybersecurity, whether for remote, hybrid, and/or in-class learning is a necessity for all districts.

The 2020 CoSN K-12 IT Leadership Report found that cybersecurity is a top priority for K-12 IT leaders. Yet, 18% indicated that they have a full-time employee dedicated to cybersecurity, while 10% of survey respondents have an ad hoc approach to cybersecurity that does not have anyone assigned to this critical function. Further, 60% of districts allocate less than 10% of their technology budget to cybersecurity.

Remote learning cybersecurity isn’t going to make matters easier in the coming school year. IT teams will be challenged with a duality of issues impacting both their network and their cloud-based systems. Those that evolve their cybersecurity posture to meet the technology uses of their users will be in the best position to keep student and staff data secure. Those that do not will be more likely to end up on Doug’s K-12 Cyber Incident Map.

The State of K-12 Cyber Safety & Security: Student Data Privacy in Remote Learning

Student data privacy in remote learning situations requires specific considerations that district IT teams must address for the coming school year

Districts are struggling to address the unique challenges presented by student data privacy in today’s remote learning environments. A white paper by McGraw-Hill Education defines student data privacy as, “…the use, collection, handling and governance of students’ personally identifiable information (PII).” The white paper identifies specific types of information including:

  • Name and address
  • Student ID
  • Login information
  • Academic, health, and disciplinary records
  • Demographics and birthdate

This type of information is interesting to a variety of users, some criminal, and others (unfortunately) not so much. The issue of why student data privacy is important can generally be boiled down to two reasons. First, so children don’t become victims of identity theft, sextortion, and other types of cybercrime. Hackers can use PII singly or in combination to identify, find, and contact students.

The second reason is so that companies can’t use the information to build profiles on children throughout their lives, impacting their ability to go to college, get a good job, get good credit, etc. There’s also concern that companies will use student data to influence their purchasing decisions, among other things.

School district leaders are understandably concerned about protecting student data to keep their students safe from a variety of dangers. Two dangers stand out among the rest.

The (practically) overnight migration to K-12 remote learning and working due to COVID-19 made cloud security and student data privacy issues more apparent. But the truth is that the problems were already there, lurking behind a false sense of security provided by firewalls and content filters.

That is why we’re taking this look at the state of K-12 cyber safety and security through a remote learning lens, and hosting a panel discussion with Doug Levin at The K-12 Cybersecurity Resource Center and two K-12 IT professionals who are working through these—and many other challenges—that tech pros are facing today.

Why Student Data Privacy Matters

Cyber safety and student data privacy are not just school issues. They affect parents, students, and society. School districts see two critical reasons to protect student data. All school districts must comply with student data privacy regulations, and they must also protect students’ health and wellbeing.

Student Data Privacy Compliance

Student data privacy laws are in place to try to protect our children, but a confusing jumble of regulations is often the result. The Federal government and individual states have passed regulations governing the collection, storage, and use of student data. For example, schools need to comply with the following Federal regulations:

  • Family Educational Rights and Privacy Act (FERPA)
  • Protection of Pupil Rights Amendment (PPRA)
  • Children’s Online Privacy Protection Act (COPPA)

Additionally, 49 states have passed 400 pieces of legislation to address state-specific issues between 2013 and 2016. The combination of Federal and state regulations often launches district IT teams into a challenging juggling act. Now there’s the issue of student data privacy in remote learning that is making the compliance landscape even more complex.

Protecting Students’ Health and Wellbeing

Children are among the most vulnerable to internet scams. Since school districts store an extensive amount of student data, they are a prime target for cybercriminals according to 2019 cyber safety and security research.

When hackers steal student data, it can result in harm to students from threats to their safety, student identity theft, and a variety of other scams that threaten our children’s health and wellbeing.

What Makes Student Data Privacy in Remote Learning Different?

The rush to offer remote learning as the COVID-19 pandemic closed schools resulted in a remarkable edtech migration. School districts across the country did an amazing job of going from classroom to remote teaching approaches. However, that transition created a number of issues when it comes to data security and student data privacy. Because district staff had to, understandably, focus on remote learning enablement, accessibility, and support, few were able to stop and think through how to secure student data in this environment.

Unvetted EdTech Threats

One of the most critical threats is that almost overnight teachers, students, and staff began using a wide variety of remote learning resources, sometimes including risky EdTech. Unfortunately, in most cases, district IT teams didn’t have the chance to vet those resources for security and student data privacy compliance properly.

As a result, remote learning security risks are finding their way into district G Suite and Microsoft 365 environments. These risks increase your district’s vulnerability to ransomware, account takeovers, and data security issues. And, once that happens, threats to students’ health and wellbeing increase along with the likelihood that your district isn’t complying with privacy legislation.

Lack of Visibility and Control Over Cloud Applications

Most district IT teams work to protect the district’s network by focusing on firewalls and content filters. But, they don’t have visibility and control over applications that operate outside the district’s network. That raises another critical problem now that remote learning has increased the number of students, teachers, and staff using cloud-based systems such as G Suite and Microsoft 365.

You can’t protect those cloud-based systems using traditional network security tools—particularly in remote learning situations when they’re being accessed from outside of the school network. District IT leaders and admins are working to address the unique data security and student data privacy challenges that remote learning on a large scale has presented.

Join us for a free webinar and panel discussion in which two respected K-12 district IT leaders and the founder of The K-12 Cybersecurity Resource Center discuss the lessons that they’ve learned in making the transition to remote learning and how they’re planning for different contingencies in the 2020/21 school year.

The State of K-12 Cyber Safety & Security: 2019 Recap Through a Remote Learning Lens

A look at the state of K-12 cyber safety & security in 2019 and today

2020 is shaping up to be a doozy of a year for everyone. K-12 school districts, in particular, are going through a lot. From COVID-19 to remote learning to impending budget cuts, teachers, staff, students, and parents are finding ways to adapt to the times.

Through it all, much of everyone’s focus is on enabling learning continuity and accessibility. This focus is necessary, and with good reason, to achieve the mission of our school system and continue to work to prepare students for adulthood.

Out of this necessity, some of the focus on matters with a less direct impact on student achievement has fallen by the wayside. Among them are the need to secure the sensitive information districts store and the need to monitor for cyber safety signals in school technology. In the crisis-induced shift to K-12 remote learning, many IT managers discovered that they lacked the visibility and control to manage cyber safety and security risks in a distributed cloud environment.

The problem has been there all along. COVID-19 made it obvious.

Decisions had to be made within the constraints of time and financial resources, and most of the resources went toward enabling as many students as possible in an astronomically short period of time. In accomplishing this, districts did an extraordinary job. But now, IT teams are taking this moment to begin looking at the long-term technology needs of their students, faculty, and staff through the lens of a potential hybrid learning environment. They’re taking the summer months to adjust to projects that will help their district monitor for student safety, secure sensitive information, and fulfill compliance requirements no matter where people are accessing school technology from.

To help K-12 IT teams in their planning, we’re taking a moment to look at the state of K-12 cyber safety and security in a series of blog posts, culminating in a live webinar on June 25. The goal is to help district IT leaders make sense of it all, learn from each other, and prepare for the 2020/21 school year as best they can.

2019 Cyber Safety and Security: Recap

The K-12 Cybersecurity Resource Center has been collecting publicly-disclosed cybersecurity incident data in the K-12 education industry since January 2016. The aim of this work is to draw attention to the emerging cybersecurity threats facing U.S. schools and to help inform district leaders and policymakers.

In February 2020, The K-12 Cybersecurity Resource Center released its annual The State of K-12 Cybersecurity report. Included in the report is a concerning, and disappointing, 3x increase in data incidents reported in 2019 compared to the year before. Here are some of the key findings.

K-12 Cybersecurity Incidents

The K-12 Cybersecurity Resource Center identified 348 publicly disclosed school incidents in 2019. As previously mentioned, that number is almost three times as many incidents as were publicly disclosed in 2018.

It’s important to note that many districts don’t report many cybersecurity incidents due to the sensitive nature of the data involved. So, while we can’t identify the exact number of incidents that took place in 2019, we do know that the number is significantly higher than 348. Types of cybersecurity incidents that impacted K-12 schools in 2019 include:

  • Student and staff data breaches
  • Ransomware and other malware outbreaks
  • Phishing attacks and other social engineering scams
  • Denial-of-service attacks

Unauthorized disclosure or breach of data incidents accounted for 60% of all cybersecurity incidents in 2019. Those data breaches primarily involved the unauthorized disclosure of student data. This is a continued trend from 2018, when data breaches were also the most common type of incident K-12 schools experienced.

Classifying incidents is a continuing challenge. In 2019, only 8% of attacks were classified as phishing attacks. However, cybercriminals leverage previously leaked credentials and contact information to wage successful attacks that include data breaches, malware, and ransomware attacks. These attacks have resulted in the theft of millions of taxpayer dollars.

K-12 Cybersecurity Lessons for 2020 and Beyond

The K-12 Cybersecurity Resource Center suggests a number of things that district leaders can do to improve their risk resistance in 2020 and beyond.

  1. Invest more in IT security capability tailored to school districts. Placing a Chief Information Security Officer in every school district isn’t feasible, but districts can provide school IT staff with training and ongoing development such as the Certified Information Systems Security Professional (CISSP) certification. Districts can also benefit from central support at the regional, state, or national levels. For example, there are managed security service providers who specialize in providing customized solutions for K-12 leaders who could be a central source of support.
  2. Enact regulations to require baseline practices. Right now, school districts and their vendors aren’t held accountable under federal or many state laws for implementing even the most basic cybersecurity systems, or for reporting incidents. Besides that, districts don’t all follow one standard set of best practices against which they could be measured. It’s critical to establish clear expectations for all districts and vendors and to provide resources to help districts comply. In many states, there is a change in the wind when it comes to securing district data and reporting on incidents. There has been some level of federal activity in this area as well.
  3. Support K-12 cybersecurity information sharing and research. Formal sharing among school district IT leaders can help schools prioritize cybersecurity projects, respond to emerging threats, and develop a set of best practices. Research on the challenges school districts face and the most cost-effective solutions is necessary to define those risks and solutions accurately.
  4. Invest in K-12 specific cybersecurity tools. Cybersecurity vendors need to develop products specifically for K-12 education. Those products need to take into account unique requirements, budget restrictions, and the sometimes limited level of cybersecurity expertise that district IT staff possess.

Doug Levin, Founder and President of The K-12 Cybersecurity Resource Center, creator of the K-12 Cybersecurity Incident Map, and author of the annual State of K-12 Cybersecurity report, will be the main presenter during our June 25 webinar: The State of K-12 Cybersecurity & Student Data Privacy. He’ll also be joined by two K-12 IT professionals for a panel discussion focused on trends, lessons learned, and planning for next school year.

2019 Cyber Safety and Security: The State of IT Leadership

The Consortium for School Networking (CoSN) is a well-known professional association for technology leaders in school systems nationwide. Their new report, The State of Ed Tech Leadership in 2020, provides many insights about how leaders in education are using technology and the challenges they face.

Cybersecurity is the number one priority for tech leaders in education for the third straight year. Other survey results show that 90% of districts have resources to monitor network security, and 69% say that their network security is proactive or very proactive. It’s also good to see that 77% of districts provide cybersecurity training to their IT staff. These are all encouraging improvements from previous years’ surveys.

On the other hand, it seems that cybersecurity risks are generally underestimated. For example, phishing attacks reached their highest level in the last three years, but only 49% of respondents rated them as a medium/high or high risk.

Only 5% of respondents think student data is at high risk, even though Levin’s data from The K-12 Cybersecurity Resource Center found that 60% of all cybersecurity incidents in 2019 involved unauthorized disclosure or breach of data. This tells us that, while 69% of IT leaders say their approach to network security is either proactive or very proactive, they need to do a better job of aligning perceived risk with actual threats and incidents.

Budget is a high hurdle for basically every school district, particularly when it comes to investment in cybersecurity. While IT leaders identify cybersecurity as their number one priority, 60% of districts allocate less than 10% of their technology budget to it. This misalignment must be remedied if IT and administration leaders expect to be able to protect stakeholder identities, secure learning continuity, and defend taxpayer funds.

Another apparent area of confusion has to do with the cybersecurity impact of using cloud-based learning management systems (LMS) like Google Classroom and Microsoft Teams. The report indicates that 97% of schools are using LMS, but only 3% are using cloud-based cybersecurity technology. This gap is a big part of the reason why IT teams suddenly realized they were flying blind when entire districts shifted to remote learning. Without traffic traveling through building networks, system admins suddenly realized how much of a security and compliance gap their lack of cloud monitoring created.

COVID-19 Cyber Safety and Security Insights

All of the information regarding 2019 cyber safety and security discussed above was collected before the COVID-19 crisis shut down school buildings and districts transitioned to remote learning. So, where are we today? For the most part, it’s a bit too early to tell. But, there are some informative observations.

  • Cybersecurity attacks are ongoing. As of May 13, 2020, there were 84 publicly disclosed attacks in K-12 school districts in 2020. It’s too early to tell if this year will see more incidents than there were in 2019, but the smart money says there will be an increase.
  • The COVID-19 crisis has slowed reporting and cybersecurity focus. IT teams are busy with implementing remote learning needs like devices, accessibility, and new learning apps. They’re not spending much of their time on cybersecurity. It’s most likely that incidents are going either unreported or (worse) unnoticed.
  • K-12 IT teams don’t have proper cloud security tools in place. Cloud security is critical to monitor for and detect cyber incidents in district cloud apps, like G Suite for Education and Microsoft 365. Most districts are still only using network-based firewalls, rather than focusing on a multi-layered cybersecurity infrastructure that includes cloud security monitoring. This issue is a likely contributor to the lack of 2020 cyber incident data.
  • Many K-12 IT leaders are now dreading the return to the classroom. When classrooms reopen, IT teams fear the tsunami of malware-infected personal or school-issued devices that may gain access to their network.

So far, we’ve mostly talked about the cybersecurity risks of remote learning in a COVID-19 world. But there are also student cyber safety incidents that have increased during this time. Many schools are dealing with the fallout of early Zoombombing incidents. Others have experienced cyber safety problems with Google Chat, Meet, Classrooms, and other communication and collaboration tools.

The social isolation of remote learning affects students that were already dealing with depression, anxiety, self-harm, thoughts of suicide, and/or abuse. Social tensions are also increasing incidents of cyberbullying and discriminatory behavior.

Looking at 2019 cyber safety and security through the lens of today, you see a problem that is increasing and will likely continue to do so. You also see that while in 2019 IT leaders indicated that cybersecurity was their number one priority, they’re not putting much of their budget toward addressing that priority, and in many cases, they’re underestimating the risks cyber attacks represent.

School district IT leaders will need to resolve some of the inconsistencies in how they handle cyber safety and security to protect their communities, especially in their summer projects and 2020/21 planning.

Spring 2020 Product Updates: ManagedMethods Updates & New Features

ManagedMethods rolls out new cyber safety & security monitoring capabilities, anti-phishing protection, and advanced reports & auditing

Like most of the rest of the world, our product development team set up shop in their own home offices back in early March. But that doesn’t mean they’ve been taking a vacation! On the contrary, the ManagedMethods product development and engineering team have been hard at work developing tools that help K-12 IT teams maintain data security and student safety during this remote learning experience. The bulk of the updates are aimed at improving our capabilities in G Suite for Education security by adding Google Meet and Chat monitoring features. We’ve also added a number of new features based on the feedback of our many K-12 customers.

We are pleased to share our latest ManagedMethods product updates, which today include:

  1. NEW! Google Meet auditing capabilities
  2. NEW! Google Chat monitoring capabilities
  3. NEW! Coronavirus-specific anti-phishing protection
  4. NEW! Advanced admin reports

1. Google Meet Auditing

Many schools were already using Google Meet video conferencing for classroom learning and administrative meetings alike. But the move to remote learning in response to COVID-19 social distancing efforts caused Meet use by K-12 school districts to skyrocket.

Districts quickly came to realize that, while Google Meet is a great tool for continuing education even in a time of crisis, there are concerning security and student safety gaps.

Learning about these issues from our customers, our product development team quickly shifted efforts to develop advanced Google Meet auditing capabilities in ManagedMethods. Most district IT teams will likely be familiar with monitoring Google Meet using the Meet Quality Tool by Google. But the Quality Tool’s main purpose is for technical troubleshooting.

ManagedMethods uses Google APIs to take Google Meet auditing a few steps further to enhance what Google provides in their reports—and to integrate Google Meet safety and security management with the rest of the Google for Education environment. This means that district IT security and student safety teams can begin to get a fuller picture throughout their entire G Suite domain much easier and faster than with native Google tools alone.

NEW Google Meet auditing capabilities include:

  • The ability to pull a full audit of all Google Meet sessions in your domain
  • Easy reporting of all participants
  • Quickly identify all meetings with outside domain participants
  • Identify and filter Meets and participants by Organizational Unit (OU), so you can see which happened with and without a teacher present, and how long the meeting lasted after the teacher left
  • Use Meet participant login and logout data to take attendance
  • And more!

Using ManagedMethods’ new Google Meet auditing tool allows our customers to dig deeper into who is attending and filter those meetings that are attended only by people of a specific OU, those that were attended by an outside domain, etc. Currently, admins can filter, group, and analyze data based on a wide variety of information including:

  • Date
  • Organizational Unit
  • Organizer Email
  • Participant Identifier & Name
  • Participants Outside Domain
  • Meet Duration
  • Client Type
  • Product Type (Google Meet vs. Classic Hangout Meet)
  • Meeting Link
  • Screencast Sent and/or Received (Yes or No)
  • Video Sent and/or Received (Yes or No)
  • IP Address, City and Country
  • Event Type, Name and Description
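
The checks in the two lists above, sketched as an added example (this is not ManagedMethods' code and does not follow Google's report schema): from per-participant join and leave rows it derives attendance, outside-domain participants, and how long a Meet ran after the last teacher left. The row layout, domain, OU path, threshold and all sample rows are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

DOMAIN = "district.example"      # assumed district domain
TEACHER_OU = "/Staff/Teachers"   # assumed OU path that holds teacher accounts
T, S1, S2 = ("t.rivera@district.example", "s.lee@district.example",
             "j.kim@district.example")

# Constructed rows: (meeting_code, organizer, participant, org_unit, joined, left)
SESSIONS = [
    ("abc-defg-hij", T, T, "/Staff/Teachers", "2020-05-04T09:00:00", "2020-05-04T09:45:00"),
    ("abc-defg-hij", T, S1, "/Students/Grade8", "2020-05-04T09:01:00", "2020-05-04T09:44:00"),
    ("abc-defg-hij", T, S1, "/Students/Grade8", "2020-05-04T09:50:00", "2020-05-04T10:05:00"),
    ("abc-defg-hij", T, S2, "/Students/Grade8", "2020-05-04T09:02:00", "2020-05-04T10:05:00"),
    ("klm-nopq-rst", S1, S1, "/Students/Grade8", "2020-05-04T20:00:00", "2020-05-04T20:30:00"),
    ("klm-nopq-rst", S1, S2, "/Students/Grade8", "2020-05-04T20:05:00", "2020-05-04T20:30:00"),
    ("uvw-xyza-bcd", T, T, "/Staff/Teachers", "2020-05-05T13:00:00", "2020-05-05T13:30:00"),
    ("uvw-xyza-bcd", T, S2, "/Students/Grade8", "2020-05-05T13:00:00", "2020-05-05T13:30:00"),
    ("uvw-xyza-bcd", T, "guest@outside.example", "", "2020-05-05T13:10:00", "2020-05-05T13:20:00"),
    ("uvw-xyza-bcd", T, "anonymous-guest", "", "2020-05-05T13:12:00", "2020-05-05T13:15:00"),
]

@dataclass
class MeetingAudit:
    organizer: str
    duration_s: int                       # first join to last leave
    attendance: dict                      # participant -> seconds present
    external: list                        # identifiers outside the domain
    teacher_present: bool
    after_teacher_left_s: Optional[int]   # None when no teacher ever joined

def is_external(identifier, domain):
    """Anything without an address in the district domain counts as outside,
    including anonymous identifiers that carry no '@' at all."""
    _, sep, host = identifier.rpartition("@")
    return not sep or host.lower() != domain.lower()

def audit_meetings(sessions, domain=DOMAIN, teacher_ou=TEACHER_OU):
    grouped = defaultdict(list)
    for code, organizer, who, ou, joined, left in sessions:
        grouped[code].append((organizer, who, ou,
                              datetime.fromisoformat(joined),
                              datetime.fromisoformat(left)))
    audits = {}
    for code, rows in grouped.items():
        attendance = defaultdict(int)
        external, teacher_left, other_left = set(), [], []
        for _, who, ou, joined, left in rows:
            # A participant who rejoins has several rows; sum them.
            attendance[who] += int((left - joined).total_seconds())
            if is_external(who, domain):
                external.add(who)
            if ou == teacher_ou or ou.startswith(teacher_ou + "/"):
                teacher_left.append(left)
            else:
                other_left.append(left)
        after = None
        if teacher_left:
            last_teacher = max(teacher_left)
            last_other = max(other_left, default=last_teacher)
            after = max(0, int((last_other - last_teacher).total_seconds()))
        start = min(r[3] for r in rows)
        end = max(r[4] for r in rows)
        audits[code] = MeetingAudit(rows[0][0], int((end - start).total_seconds()),
                                    dict(attendance), sorted(external),
                                    bool(teacher_left), after)
    return audits

def flag_meetings(audits, max_after_teacher_s=300):
    """Return {meeting_code: [reasons]} for meetings a reviewer should look at."""
    flagged = {}
    for code, a in audits.items():
        reasons = []
        if not a.teacher_present:
            reasons.append("no teacher present")
        elif a.after_teacher_left_s > max_after_teacher_s:
            reasons.append(f"ran {a.after_teacher_left_s}s after last teacher left")
        if a.external:
            reasons.append("outside-domain participants: " + ", ".join(a.external))
        if reasons:
            flagged[code] = reasons
    return flagged

if __name__ == "__main__":
    for code, reasons in flag_meetings(audit_meetings(SESSIONS)).items():
        print(code, "->", "; ".join(reasons))
```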

2. Google Chat Monitoring

Similar to the ability to audit district Google Meets, Chat is another Google app that teachers, students, and staff are using more than before to communicate with each other during their remote learning and working experience.

Unlike Google Meet, Chat is text-based and therefore makes flagging specific risk categories a bit easier to develop and automate for our customers. Using ManagedMethods, district IT and student safety teams can now identify cybersecurity risks and student safety signals in Google Chat—along with Gmail, Drive, Shared Drives, Docs, Slides, and Sheets.

Google Chat Monitoring and Cybersecurity

As students, teachers, and staff continue to use Google Chat to communicate, the potential for data security risks increases. This is true for a couple of reasons.

First, most districts don’t have the cybersecurity technology to identify data loss risks in Chat specifically. Most are still reliant on network security tools like firewalls and web content filters, most of which only work with the district network. With Chat being used at home and (often) on non-school owned devices, your district’s firewall and content filter are likely mostly useless in securing data and protecting student data privacy.

Second, IT teams don’t have the visibility and control over data sharing in Google Chat to prevent data loss and protect student data privacy. If they can’t see what is going on, they can’t identify when there is an issue. This is a problem consistent across K-12’s move to cloud computing over the past several years. The problem has always been there, but now it’s more apparent.

Google Chat Monitoring and Cyber Safety

Students using Google Chat can also represent significant cyber safety and CIPA compliance issues. District-provided Google Chat apps allow students to communicate with each other in even easier ways than they did before. And, again, IT and/or student safety teams simply don’t have the visibility into the behavior going on within the app to be able to do anything about it.

When it comes to cyber safety, there are a number of signals that could signify a problem. Whether it’s a case of cyberbullying, sharing explicit content, or self-harm thoughts or actions, time is of the essence.

ManagedMethods can provide districts with the ability to detect these student safety signals quickly and easily across the entire Google for Education domain—from any location, on any device—without impeding the student’s privacy outside of school technology use.


NEW Google Chat monitoring capabilities include:

  • Automatically detect student cyber safety signals in Google Chat, along with Gmail, Drive, Shared Drives, Docs, Slides, and Sheets from one dashboard
  • Automatically detect data loss risks, such as the sharing of social security numbers, private student information, financial information, and more in Google Chat, along with Gmail, Drive, Shared Drives, Docs, Slides, and Sheets from one dashboard
  • Monitor district FERPA, COPPA, and CIPA compliance across your entire G Suite for Education domain
  • And more!

 

3. Enhanced Anti-Phishing Protection Against Coronavirus Scams

Researchers and experts are detecting increased phishing attacks, most directly related to the coronavirus crisis. Feelings of fear and/or anxiety combined with being physically isolated create a common psychological change that can make people more vulnerable to these types of scams. While companies and federal anti-cybercrime teams have made decent headway in cracking down on these over the past month or so, they’re still out there.

Our anti-phishing team worked with the Department of Homeland Security guidance to build advanced, rules-based anti-phishing protections directly into the product. Deployment of this update allows ManagedMethods customers to automatically remove coronavirus-specific phishing scams from their domain’s inboxes, shared drives, and more. Combined with our existing cloud-based phishing & malware threat protection for G Suite and Microsoft 365, K-12 IT teams can rest a little easier knowing they have cloud-layered K-12 cybersecurity on their side.

 

4. NEW Admin Reports

We’ve added two new, powerful reports to our admin tools that help district IT leaders identify specific risks and compliance in their Google and/or Microsoft 365 domains.

End Point Device Report creates a report of all devices accessing your district’s Google domain. This report can help IT teams in a number of ways, depending on the technology protocols in your district. For example, it can show if many users are accessing their accounts using personal/non-managed devices. This is important information to know for your cybersecurity auditing and improvement.

2-Factor Authentication Report shows you who has activated 2FA, and who has not. If your district requires 2FA for your users and/or specific OUs, you will be able to quickly identify who is not in compliance with your requirement and get them on track.

These ManagedMethods product updates, along with the much-loved existing tools and capabilities, make ManagedMethods a favorite among K-12 IT teams using G Suite and/or Microsoft 365 for Education. ManagedMethods is the only cloud-based cyber safety and data security tool built specifically for the unique needs of K-12 school districts. If you would like to learn more, you can start by scheduling a personalized product demo. Or, you can join us this week for a live webinar demonstration of our NEW Google Meet and Chat monitoring capabilities.

How To Manage Remote Learning Security Risks Caused by EdTech

The surge in EdTech during the COVID-19 crisis is creating remote learning security risks that aren’t often well understood

Remote learning security risks are on everyone’s mind today. Since the coronavirus pandemic has closed schools, K-12 remote learning is the new reality in many places around the globe. Teachers are getting very creative in the ways that they are helping students continue to learn during this difficult time. Vendors are also providing schools with discounted or free access to remote learning resources.

As a result, the use of EdTech applications has increased significantly. Along with that comes an increase in the security risks faced by K-12 IT staff. It’s important that IT leaders understand and manage these risks to avoid cybersecurity attacks, accidental data loss, and other compliance issues during this unprecedented time.

A Review of EdTech Security Risks

Remote learning security risks with EdTech include vulnerability to ransomware, account takeovers, and data security issues. Many district IT teams know about a range of SaaS EdTech applications that their community uses, but the EdTech security risks increase with “shadow” EdTech.

Shadow EdTech describes applications that are connecting to district Google and/or Microsoft environments without any IT vetting or management. These were already notoriously difficult to identify before the shut-downs began. With everyone now working remotely, and with so many free offerings, it’s almost certain that you don’t know about all the applications your district’s community is connecting to your environment through OAuth.

OAuth lets unrelated servers access data using an access token, without needing access to the single sign-on credentials. The result is that OAuth risks are undoubtedly increasing along with the increased use of EdTech applications.

OAuth risks generally fall into two categories: malicious/intentional, and accidental due to poor infrastructure security. Neither of these makes risking data security and student data privacy OK from an ethical or compliance point of view. Either creates serious account takeover risks that district IT teams need to protect their systems against.

5 Steps for Managing Remote Learning Security Risks Caused by EdTech SaaS

No one wants to compound the effects of the coronavirus pandemic with those of a serious cybersecurity attack. Using a remote learning checklist and completing these five steps will help you avoid getting into that situation.

1. Run a security audit

This cloud application security audit includes a checklist that you can use to spot cloud security issues you need to address. It will also give you the opportunity to identify the applications your community is using and the risk profile for each.


If you use G Suite and/or Microsoft 365, cloud application security isn’t just a “nice to have”—it’s a requirement.

Without it, you can’t monitor or control activities that go on within those applications. Hackers love exploiting this gap in your cybersecurity infrastructure. Including cloud security in your tech stack and protecting against that type of attack is even more important as remote learning and working security risks increase.

2. Create or Update Your Approved SaaS Vendor List

Teachers and district staff don’t really know whether the SaaS applications they find for remote learning are safe or not. Further, as many teachers, staff, and students are using their own (unmanaged) devices, many will authorize an app using their school credentials, whether on purpose or not. In most cases, your users simply don’t realize that SaaS EdTech can cause these remote learning cybersecurity risks.

To combat that problem, create a reference list of vetted and approved apps that they can check to see if the app is OK to use. This will help your users decide when to try a new application, and at least create some awareness around the data privacy and security risks.

It’s also a good idea to update the list as you conduct security audits. Using the right cloud security tool, you will be able to see what apps your teachers, staff, and students are using. You can then sanction or un-sanction these apps based on their risk profile (and the appropriateness of the apps being connected to a district account). Using this information helps keep the list of approved apps updated and relevant.

Similarly, and likely in the same document or other resource, you can create a list of unsanctioned/risky apps that are not allowed or have not yet been vetted. If you can impress upon your users how important it is to stay away from potentially dangerous applications, they may even start to contact you before they start using a new teaching aid!

3. Create an App Security Review Workflow

It’s a good idea to create a process for your teachers and staff to use to request a security review on applications that aren’t on your list described above. They may ask your advice without a process, but you can’t really count on that.

One idea is to create a Google Form (or other type of online form) that asks for at least the name of the application and the link where it can be found. After you’ve had a chance to do a student data privacy and security review, you can either approve or reject the application (and incorporate that information into your approved/disapproved app document for others to reference).

If you haven’t yet created a SaaS vendor list, using your approval form workflow would be a good place to start. Ask your users to list all of the SaaS apps they’re currently using. You can then do security reviews on those applications, and then generate a list of approved and rejected SaaS vendors and applications for distribution.

4. Set Up 24/7 Monitoring

Set your systems up with 24/7 monitors that will spot new SaaS applications as they connect. You can do a security review on any apps you’ve not already analyzed and update your approved/rejected list. If you discover an application you need to reject, you can remove the application from your environment and send a notice out to potential users along with the updated list.

If you’re using a cloud security application, you can also create policies around your app review to automatically monitor for and sanction or unsanction apps as they are connected to your environment.

5. Automate SaaS Connection Monitoring & Management

Naturally, the best way to keep your district’s data safe is to automate the monitoring process. An OAuth EdTech security platform can be configured to automatically perform sanctioning and unsanctioning. It can also remove unsanctioned applications from your Google and/or Microsoft 365 environments.
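The sanction/unsanction review in steps 2 through 5 comes down to comparing the apps that hold OAuth grants against your vetted list. The sketch below is an added example, not ManagedMethods' code: the client IDs, app names, users, and the choice of which scopes count as "broad" are all assumptions made for illustration.

```python
# Added illustration: triage OAuth app grants against a vetted-app list.
# All client IDs, app names and users below are constructed sample data.

SANCTIONED = {"client-quizapp"}        # vetted and approved (hypothetical)
UNSANCTIONED = {"client-freegames"}    # reviewed and rejected (hypothetical)

# Real Google scope URLs; ranking them as "broad" is this example's assumption.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
}
EMAIL_ONLY = "https://www.googleapis.com/auth/userinfo.email"
DRIVE = "https://www.googleapis.com/auth/drive"
MAIL = "https://mail.google.com/"

# One row per user/app authorization: (user, client_id, app name, scopes).
GRANTS = [
    ("teacher1@district.example", "client-quizapp", "QuizApp", [EMAIL_ONLY]),
    ("student1@district.example", "client-quizapp", "QuizApp", [EMAIL_ONLY]),
    ("student1@district.example", "client-freegames", "FreeGames", [DRIVE]),
    ("student2@district.example", "client-notesync", "NoteSync", [DRIVE, MAIL]),
    ("teacher2@district.example", "client-notesync", "NoteSync", [DRIVE]),
    ("teacher2@district.example", "client-flashcards", "Flashcards", [EMAIL_ONLY]),
]


def triage(grants, sanctioned=SANCTIONED, unsanctioned=UNSANCTIONED):
    """Group grants by app and decide: revoke, review, or allow."""
    apps = {}
    for user, client_id, name, scopes in grants:
        entry = apps.setdefault(
            client_id, {"app": name, "users": set(), "scopes": set()}
        )
        entry["users"].add(user)
        entry["scopes"].update(scopes)

    report = []
    for client_id, entry in apps.items():
        if client_id in unsanctioned:
            action = "revoke"      # rejected app: remove and notify users
        elif client_id in sanctioned:
            action = "allow"
        else:
            action = "review"      # shadow EdTech: never vetted
        report.append({
            "client_id": client_id,
            "app": entry["app"],
            "action": action,
            "users": sorted(entry["users"]),
            "broad_scopes": sorted(entry["scopes"] & BROAD_SCOPES),
        })

    # Revocations first, then unvetted apps with the widest access and the
    # most users, then approved apps.
    order = {"revoke": 0, "review": 1, "allow": 2}
    report.sort(key=lambda r: (order[r["action"]], -len(r["broad_scopes"]),
                               -len(r["users"]), r["client_id"]))
    return report


if __name__ == "__main__":
    for row in triage(GRANTS):
        print(row["action"], row["app"], row["users"], row["broad_scopes"])
```

The "review" rows are the input to the app security review workflow from step 3; once a decision is made, the client ID moves into one of the two sets.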

If you’re thinking that your next-gen firewall and/or web content filter has you covered when it comes to EdTech SaaS security, you are unfortunately wrong. If you think that all of this is the responsibility of Google, Microsoft, or whatever other SaaS vendor your district is using, you are also wrong.

But you are definitely not alone. A 2019 K-12 cybersecurity report from CoSN found that, while 100% of surveyed school districts use a firewall and a web content filter, only 3% use cloud security technology to monitor and secure their G Suite and Microsoft 365 environments. At the same time, millions of students, faculty, and staff are using these cloud applications every day to store, access, and share sensitive data (these numbers have reportedly doubled in the past month with the move to remote learning).

At the same time, a study from the K-12 Cybersecurity Resource Center found that the number of K-12 data security incidents tripled in 2019 compared to 2018!

To help keep K-12 school districts’ cloud applications secured from EdTech and other data security risks through this coronavirus crisis, ManagedMethods is offering free access to our cloud security & student safety monitoring platform through May 31. This offer is exclusively for public and private K-12 schools and districts. ManagedMethods activates in minutes and requires no agents, proxies, or extensions.

How Hackers Take Advantage of Crises—and How Your District Can Protect Itself

The coronavirus is giving hackers a golden opportunity. Here’s how to stop it.

Experts are tracking a huge increase in cyberattacks since the COVID-19 outbreak. For example, Barracuda Networks detected a 667% increase in the number of phishing emails. It’s a shame that hackers are using the coronavirus to try to trick people working from home into giving the hackers access to business networks. These people have dropped their guard during this crisis and hackers are very good at using fear and disinformation to make phishing attacks even more successful.

Systems are especially vulnerable at this time because many IT employees aren’t at work, or by necessity, they have focused their attention on supporting other technology needs. This is particularly true for K-12 IT teams who are now working to support the remote learning needs of their students and faculty. Already understaffed and underfunded, school district IT teams find themselves at a critical disadvantage to criminals.

3 Ways Hackers Can Take Advantage of a Crisis

Hackers are experts at exploiting uncertainty, fear, and doubt. The existing coronavirus pandemic is a perfect opportunity for hackers. Mistrust and misinformation are already grabbing attention around the world. Hackers can take advantage of that problem by creating “scareware” that targets people at their most vulnerable.

1. Shock and fear

Cybersecurity is often the last thing on someone’s mind, well, ever. But particularly during a crisis. The strain of staying at home while wanting to stay informed can make other concerns insignificant. Hackers are sending phishing emails that seem to provide information from the CDC, school districts, and other official sources that people open without thinking.

2. Isolation

People who are working remotely are not only stressed by the crisis, but they’re isolated from coworkers and the people who could normally reinforce good cyber hygiene. This becomes an even bigger problem when people are using their own unmanaged devices to access school networks. They can create big problems if they download information to their own computers or phones where hackers can easily find it.

3. New technology

Hackers use the latest technology to do things like hide malware in video or audio links. It’s also very easy for a cybercriminal to create a fake website by cloning legitimate news websites, for example. The person landing on those fake sites will unintentionally download malware while trying to stay informed. Cybercriminals are perfecting their impersonation tactics. For example, a cybercrime forum is already advertising a COVID-19 phishing email kit.

4 Ways to Protect District Information Systems

The good news is that there are things you can do to help keep your student, faculty, and district data safe during this crisis.

1. Establish and reinforce policies and employee training

Now is the time when you can help teachers and students involved in remote learning to take a deep breath and think about how to protect themselves. You can use direct communication to warn your school community about the approaches hackers are using, and educate them on what to look for. Teachers can reinforce the issue during remote class sessions and encourage students to pass the information along to their parents.

Revisit your remote learning security checklist and make sure you have everything in place to secure the use of your district’s cloud applications, such as G Suite and Microsoft 365.

2. Establish a Virtual Private Network (VPN)

At this critical time, the need for a VPN is even more important to protect your district data with a secure district network and internet connection. You need to make sure to patch your VPN servers regularly to avoid attacks that are increasing against unpatched systems. Hackers can also launch DDoS attacks on VPN services to overwhelm those systems and bring operations to a halt.

If you have a VPN, you will need to scan your logs to determine if hackers have compromised your VPN accounts. It’s fairly easy to detect if the use patterns have suddenly spiked.

3. Monitor account login and activity

When many people are logging into your systems remotely, you can increase security by monitoring login activity to spot account takeover attacks. Look for things such as many unsuccessful login attempts, multi-factor authentication checks that failed, and successful logins from suspicious locations. If you have no students overseas, for example, any login from outside of the U.S. should raise a red flag.
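The three signals named above can be checked with a few rules over an exported login log. The following is an added example, not part of the original post: the event names, the tuple layout, the threshold of five failures in ten minutes, and every log line are constructed assumptions, so map them to whatever your identity provider actually exports.

```python
# Added illustration: flag account-takeover signals in login events.
from collections import defaultdict
from datetime import datetime, timedelta

ALLOWED_COUNTRIES = {"US"}       # assumption: no users log in from abroad
FAILED_THRESHOLD = 5             # assumption: failures that trigger an alert
WINDOW = timedelta(minutes=10)   # assumption: sliding window for failures

# Constructed sample events: (ISO timestamp, user, event, country).
EVENTS = [
    ("2020-04-06T08:00:00", "student3@district.example", "login_failure", "US"),
    ("2020-04-06T08:01:00", "student3@district.example", "login_failure", "US"),
    ("2020-04-06T08:02:00", "student3@district.example", "login_failure", "US"),
    ("2020-04-06T08:03:00", "student3@district.example", "login_failure", "US"),
    ("2020-04-06T08:04:00", "student3@district.example", "login_failure", "US"),
    ("2020-04-06T09:00:00", "teacher4@district.example", "login_failure", "US"),
    ("2020-04-06T09:30:00", "teacher4@district.example", "login_failure", "US"),
    ("2020-04-06T09:31:00", "teacher4@district.example", "mfa_failure", "US"),
    ("2020-04-06T09:32:00", "teacher4@district.example", "login_success", "US"),
    ("2020-04-06T10:00:00", "staff5@district.example", "login_success", "RO"),
]


def detect(events, allowed=ALLOWED_COUNTRIES,
           threshold=FAILED_THRESHOLD, window=WINDOW):
    """Return (user, signal, timestamp) alerts in chronological order."""
    alerts = []
    failures = defaultdict(list)   # user -> recent failure times
    for ts_str, user, event, country in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        if event == "login_failure":
            # Keep only failures still inside the sliding window.
            recent = [t for t in failures[user] if ts - t <= window]
            recent.append(ts)
            if len(recent) >= threshold:
                alerts.append((user, "many_failed_logins", ts_str))
                recent = []        # start a fresh count after alerting
            failures[user] = recent
        elif event == "mfa_failure":
            alerts.append((user, "mfa_failed", ts_str))
        elif event == "login_success" and country not in allowed:
            alerts.append((user, "login_outside_allowed_countries", ts_str))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

Two failed attempts half an hour apart do not alert, which keeps ordinary mistyped passwords out of the queue.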


4. Recheck cloud app security settings

NIST and other experts recommend that you check cloud application security settings on a regular basis. If you haven’t done so recently, this would be an excellent time to run through a cloud application security audit. For example, if you haven’t implemented multi-factor authentication, you’ll want to do that to help secure cloud access during this crisis.

The coronavirus crisis has brought out the best in most of us. Unfortunately, it has also brought out the worst in cybercrime. School districts need to make sure they are fortifying their cybersecurity infrastructure during this uncertain and transitional time.

ManagedMethods wants to help district IT teams make sure their district data is secure. We’re offering school districts that use Google G Suite and/or Microsoft 365 free access to our cybersecurity and student safety monitoring platform through May 31. Learn more and request your free access today to get the most benefit out of this offer.
