For edtech, a 360-degree defense
When securing edtech infrastructure, district leaders must concentrate on six “layers”: physical, network, applications, content, endpoint and cloud/data centers, according to a 2017 report by the Council of the Great City Schools.
“More than ever, schools are a ‘wink-wink’ among the industry when it comes to cybersecurity vulnerability,” says Robert Dillon, director of innovative learning for the School District of University City in Missouri.
Today’s educators must balance student data privacy while building a culture of “education next,” adds Dillon, who presented on the need to “secure innovation” at the Future of Education Technology Conference in January 2018.
“More and more attacks are coming at K12, but that fear can drive us to make decisions that aren’t good for learning,” he says.
“If we added up all the unfunded mandates around cybersecurity, it would put schools out of business.” As old threats evolve and new ones emerge, district leaders must try to plug all cybersecurity vulnerabilities.
SIDEBAR: Covering all cyberbases
Below are several strategies CIOs and their teams can deploy to build a 360-degree defense.
Can I use this app?
Union County Public Schools’ vendor-provided edtech management system contains a search tool that lets teachers determine if they can use a digital resource with students. The display, which decodes hard-to-decipher terms of service agreements, includes a box that says whether the resource is approved, requires parental permission or doesn’t meet security requirements.
“Most teachers can’t spend the time digging through service agreements to figure that out, and this allows us to do it in a quick, simple way,” says Casey Rimmer, the North Carolina district’s innovation and edtech coordinator.
Union County’s determinations are based on the Children’s Online Privacy Protection Act and Family Educational Rights and Privacy Act.
District leaders should expect vendors to be more open about this information, she adds. Union County Public Schools, like a growing number of districts, now requires providers to sign user data agreements, which are uploaded to the management platform so contracts are always available and visible.
“The landscape of education and digital teaching and learning is vastly different than in the past,” she says. “We need to make sure our policies and practices are evolving just as rapidly.”
Did you click on the link?
For a comprehensive security plan to take hold effectively, districts must ensure that all staff, teachers and students are on board. When a teacher in the Metropolitan School District of Wayne Township in Indianapolis clicked on an email link from a dubious sender 18 months ago, ransomware locked down a server that’s connected to a district database that teachers use to create test bank questions.
Luckily, the district had a backup copy and wiped the infected database. After the breach, the district jumped into action with an anti-phishing campaign. A 2018-19 security awareness initiative will train teachers, students and staff on how to spot and avoid security vulnerabilities.
“Just like teaching students in a classroom, you need a multidisciplinary approach to teach the same material in multiple ways to everyone,” says Pete Just, the district’s chief operations and technology officer.
A few teachers at each school act as peer coaches who can answer questions and offer cybersecurity guidance to their colleagues.
The district also runs a phishing simulation that sends suspicious-looking emails to teachers and staff. Those who click the link receive a three-minute online training that shows the red flags of a scam. Later in the school year, the district runs the simulation again. At-risk employees who click receive a longer video and sometimes face-to-face training.
To promote October as National Cyber Security Awareness Month, the district also engages students and staff with fun reminders. This year, staff will put out air dancers—those wavy inflatable tubes—that say, “Have you changed your password during the last six months?” In upcoming months, the district will also force mandatory password changes.
“The key is to create awareness in highly visible ways that can be microlearning experiences,” Just says.
How old are your devices?
As part of a physical security plan, administrators should track their devices, making note of which servers, hardware and networks are outdated and could provide a weak point for hackers.
Staff should determine who owns the devices (such as the technology department or campus law enforcement), contact manufacturers for their security practices, and ensure that authentication and encryption protocols are in place.
“School districts often have old devices and servers, and it’s important to understand the vulnerability that creates and how to move away from those devices or to isolate them,” says Just.
Do you know where the holes are?
The Council of the Great City Schools report outlines several examples of how districts have linked physical security with end-user and cloud security. Broward County Public Schools in Florida requires single sign-on for many applications. Because passwords are a major vulnerability, the district tries to reduce the human factor in errors.
Similarly, to reduce cloud-based security issues, Fresno USD in California employs Active Directory Federation Services, which allows secure online transactions among partner organizations. With this approach, authentication uses login information at the district level and eliminates the need to create new credentials for users or share passwords with a third party.
Districts can also conduct penetration testing with a trusted outside vendor to find new software and hardware vulnerabilities that can’t be detected by internal scans. Wayne Township ran a penetration test at the beginning of August to find any gaps before students and teachers returned for the school year.
“Most of our staff in K12 didn’t grow up with cybersecurity awareness, and penetration testing helps us to plug the holes,” Just says. “It’s great to have the resources to depend on others who do this well and can help us stay secure.”
Carolyn Crist is a writer based in Athens, Georgia.