Words of wisdom from an engineer and IT industry veteran.
GUEST COLUMN | by Charlie Sander
School districts are among the leading adopters of cloud collaboration technology. Google Workspace, Microsoft 365, video conferencing platforms, and other cloud apps are helping keep schools connected and operating as COVID guidelines make learning complicated.
These same technologies are also shedding light on K-12’s student data privacy and security shortcomings.
‘…cloud apps are helping keep schools connected and operating as COVID guidelines make learning complicated. These same technologies are also shedding light on K-12’s student data privacy and security shortcomings.’
Cybersecurity incidents, such as the recent ransomware attack on the largest school district in New Mexico, continue causing school cancellations and wreaking havoc on district’s systems. But they also highlight the inextricable link between data security and student data privacy.
This is because they often also result in the exfiltration of sensitive student data, which can be used for identity theft and financial fraud. This can cause future harm to students, who may not know that they’ve been a victim of identity theft for years.
The number of cyber incidents impacting school districts continues to trend upward. It’s clear that there is an awareness issue among district administrators. A recent report from ManagedMethods and EdWeek Research Center found over 90% of school districts operate in a cloud environment, but nearly 25% do not know if they have a security system in place to protect those environments.
It’s time we get serious about securing student data in order to protect their privacy.
Is Data Privacy Being Taken As Seriously As It Should?
You cannot have student data privacy without data security. Many school districts concentrate on protecting student data from unauthorized use by vendors and advertisers, which isn’t inherently a bad thing. However, the security aspects of data privacy are not being addressed, which is what I aim to cover here.
It’s impossible to ensure the data of a student is safe if the data stored is vulnerable to a breach or accidental loss. The information your district holds about students can harm their privacy and wellbeing—if it ends up in the wrong hands.
ManagedMethods and EdWeek Research Center found that only a small percentage of district administrators are very concerned about data privacy. Of the hundreds of district administrators we surveyed, only 23% reported data breaches to be very concerning. Only 21% said they were very concerned about complying with government regulations like FERPA, COPPA and CIPA.
District administrators do not seem to be concerned because they are confident in the security measures they have in place. Yet, only 40% of administrators surveyed say they are not actively monitoring and recording who is accessing the files stored and shared in their district’s cloud environment.
I find these results alarming. They show why school districts continue to find themselves targets of cyberattacks. But, is any action being taken by administrators to be more secure?
The lack of data security is a serious threat to maintaining the privacy of student data. If only a small portion of administrators are taking it seriously, then data privacy will remain vulnerable. There are some steps you can take to get started right away with improving student data privacy protections.
Improving Data Privacy in Your Schools
As a technology administrator, start with a quick assessment of your cloud environment to see where improvements can be made:
1. Are data loss prevention policies in place to limit the access and sharing of personally identifiable data?
2. Is any personally identifiable information is being improperly shared with accounts that should not have access (e.g. personal accounts).
3. Are third-party applications connected to your domain? Malicious or not, apps can be granted permissions to improperly access account controls and sensitive data.
4. Is there unusual behavior happening across your district’s accounts. Are login attempts coming from suspicious locations? Have admin privileges changed? Are there spikes in student and staff email activity?
5. Are phishing links and malicious files being sent around internally? If so, you may have a compromised account.
To protect and maintain student data privacy, it takes your entire school district to be all-in on cybersecurity. As your use of cloud applications continues to increase, the time is now for all district administrators to take data privacy seriously.
Charlie Sander is CEO of ManagedMethods, a Boulder, Colorado-based data security and student safety platform for K-12 schools. With more than three decades of experience in the IT industry, Charlie has been an executive at some of the fastest-growing companies in business. He holds 10 patents and graduated from the Cockrell School of Engineering at the University of Texas at Austin with a BSEE degree.