In the spirit of spring cleaning, we’re helping you clean up your school district’s cloud environment. And one of the messiest items on the agenda? Third-party cloud applications.
To help you understand the role vendors—and, specifically, the cloud apps they provide—play in your school district, we’ll guide you through everything there is to know about third-party applications, including why they’re important, how using them without a third-party app security policy can be risky, and what you can do to keep them in check.
Before you start breaking out the broom and sweeping away any third-party threats, you’ll need to know exactly why they require cleaning in the first place.
You might be wondering: What are third-party applications? Simply put, a third-party app is any cloud service provided to you by an outside vendor, such as Google Workspace or Microsoft 365. At the onset of the pandemic and the necessity for hybrid learning that followed, many school districts accelerated their journey to the cloud.
In fact, according to Edweek Research Center, more than 90% of K-12 schools are already operating in the cloud, with 93% using Google Workspace, Microsoft 365, or some combination of them both. Given the incredible cost-effective, operational, and educational benefits of the cloud, it’s no wonder that so many schools made the leap. And that doesn’t include the plethora of additional cloud-based SaaS applications being used in school districts today, including instruction, human resources, building operations, and finance tools.
But in the process of that leap, most districts skipped investing in third-party app security. Only 20% of school cybersecurity budgets are being allocated to protecting data in cloud storage.
Here’s why that’s a major problem: Third-party applications are storing a lot of your sensitive data. When you deploy a cloud application, you’re entrusting that vendor to keep your data under lock and key. If their defenses are weak or their data handling procedures are sloppy, your sensitive material could be leaked or stolen by malicious hackers.
And even worse? When their security fails, it’s your district that’s held accountable by law. The Family Educational Rights and Privacy Act (FERPA) requires you to use “reasonable methods” to protect student data from accidental and intentional data loss.
Of course, noncompliance is just the tip of the iceberg: Risky third-party applications could have real-life consequences for your students, staff, and their families, too. That’s why it’s important to identify your cloud vulnerabilities and the ways they can be used to access confidential information.
It’s no secret that cybersecurity is a hot-button issue in 2022, but you may be surprised to learn that it’s especially problematic in education.
According to Microsoft’s tracker of global threat activity, education is far and away the most targeted industry of the past 30 days. Of the nearly 8.6 million devices that have encountered viruses, malware, and other cyber risks, education has contributed to over 83% of them.
That’s more than 7 million educational devices that have come in contact with a threat of some kind in the past month alone. That staggering number begs the question: Where are these attacks coming from?
One of the first places you should look is the cloud. According to Verizon’s 2021 Data Breach Investigations Report, “Compromised external cloud assets were more common than on-premises assets in both incidents and breaches.” Unsecure third-party apps have the potential to expose your district in a number of ways:
As cyber criminals grow more sophisticated, it’s likely they’ll use a combination of all three. But on top of these malicious cyberthreats, there’s also the risk of human error:
Between hackers and human error, your district is under a lot of pressure to keep data safe in the cloud. In combination, that task is almost insurmountable. Luckily, cloud-based data loss prevention (DLP) can take the weight off your shoulders.
Cloud DLP takes a strategic and automated approach to securing data stored in your cloud environment. With a cloud-based DLP solution, you can mitigate both internal and external third-party risks.
You can think of cloud DLP as an effective force multiplier. Why? Because you can’t be in two places at once, but a DLP solution can. In other words, it monitors your cloud infrastructure for any activity that might put the district or students at risk, whether it be improper file sharing, inappropriate content, or signs of self-harm, cyberbullying, and violence.
As for third-party applications, DLP will secure your tech stack in a few key ways:
By now you might already be clutching your metaphorical broom and getting ready to sweep your risky third-party apps into the digital dustpan. Before taking out the trash, here are a few tips that may help you improve your district’s third-party app security and keep your cloud environment clean for many seasons to come:
Auditing your cloud applications that already exist in your environment is the best way to get ahead of the curve and put a stop to any security gaps that are currently being exploited.
In a recent webinar, Marlo Gaddis, chief technology officer at the Wake County Public School System, told us that free edtech tools are only as free as a puppy.
“You know when you get a free puppy the work isn’t over,” she said. “It’s just begun.”
School budgets can be tight and tedious to workaround, but there’s no cost greater than jeopardizing your student data. Set off on the right foot and seek out quality third-party vendors with a proven history of certified security, even if they cost you a small piece of the budget.
Create a checklist of items you need from a third-party provider before agreeing to their service. Relevant items might include their terms of use, data protection policies, history of data security, and whether or not they fit your compliance requirements.
Refer to FERPA recommendations and create a formal policy for how you’ll agree to share data with third-party applications. Most importantly, share this information with parents, staff members, and students for full transparency.
Be sure that students and staff members aren’t attaching their school accounts to unauthorized third-party applications, services, and other unsanctioned websites.
Do what your school district does best and start teaching everyone – students and staff – the basics of data protection. Risk management isn’t the responsibility of just one small security team — it takes everyone making an effort. With everyone on the same page, you’ll be much better off in the long run.
Cloud data loss prevention software can be an extension of your district’s security team by automating the detection and remediation portions of your third-party app security. It empowers you to monitor your cloud apps, automate remediation, and squeeze an additional layer of security between your students and the prying eyes of the outside world.