February 01, 2024
Appears in February 2024: School Administrator.
Industry veterans share practical thinking for catching up to the increasing incidence of attacks on public school districts
Cybersecurity remains an ever-present worry for K-12 schools and districts.
Recently, we helped a large school district in the Southeast improve its cybersecurity infrastructure to better protect and serve its students. Like many districts, this district expressed general concerns about cybersecurity. They weren’t sure about the best place to start but recognized the need to reduce risk.
Before the district could move forward, the staff first needed to understand the most critical vulnerabilities and what actions they already had taken.
System access is one of the first places school districts need to look when assessing their risks and needs. The district we worked with had multifactor authentication, or MFA, available through its software solution and simply needed to implement this function. MFA ensured that nobody with access to the systems was sharing passwords and prevented the leaking of passwords. This is the base-level support any school district should have and where this large district laid the foundation for a solid overall security strategy.
Many school districts make the mistake of limiting important security features such as MFA to only certain staff, such as IT or chief-level officers. The truth is that anyone in a district with access to applications and systems — educators, staff, directors and others — should be required to use MFA and other security features. This is especially true for payroll and purchasing staff, who have access to significant data and administrative controls and can be primary targets for potential attacks.
From there, the district moved to role-specific authorization, which allowed it to set specific permissions for users to better protect certain data. Finally, the district established a directory access protocol to make access more convenient and secure for all users.
For most districts, three vital features can improve security:
- Multifactor authentication: The foundation for a solid cybersecurity strategy, MFA enhances cybersecurity by authenticating users via an authenticator app or email.
- Role-specific authorization: Configurable user profiles within a software system can confine sensitive data access only to those who need it.
- Lightweight directory access protocol: LDAP enables organizations to securely store and manage information and authenticate users against a centralized directory for access to third-party software solutions.
Schools and districts face historically high numbers of cyberattacks, ranging from malware attacks to data breaches and ransomware. Taking these first steps now is critical to ensuring operational stability and privacy for students, staff and families.
Researchers estimate that ransomware attacks cost education institutions more than $53 billion in downtime and compromised more than 6.7 million personal records between 2018 and 2023, according to Comparitech, a cybersecurity product review website. U.S. schools alone lost an estimated $35.1 billion. Cybersecurity firm Sophos reported a 56 percent year-over-year increase in K-12 ransomware attacks in 2023.
School systems hold valuable troves of data within their systems, and hackers target them because they’re traditionally less defended than data systems in finance, health care and other industries. K-12 districts generally are late adopters of technology, and some districts still have not moved to storing information on cloud-based systems. This shift from on-site servers that could be shut off from the internet to web-based servers is significant and opens districts to new levels of risk that they previously did not have to prepare for.
Consider if you had your passwords written in a notebook that only you had access to and kept hidden in a drawer. Now, think about transitioning those passwords to the notes app on a cellphone. The passwords on the phone are now much easier to steal than the notebook because they are being stored on a web-based server.
What’s more, cyber attackers can net large sums through ransomware as education systems can’t afford downtime and are easily tempted to pay a ransom.
When we first met with the Southeast district, they were not taking the basic cybersecurity measures, exposing themselves to greater risk for attacks. They also lacked training across the board on how to prepare for and reduce the risk of cybersecurity attacks, which meant educators, staff and families weren’t informed on how to keep data safe.
K-12 district technology teams typically are small, and funding doesn’t always match rising risk. A spring 2023 Whiteboard Advisors poll of K-12 tech professionals revealed that 42 percent say their state allocates a “small amount” or “very little” funding to address cybersecurity needs. Many districts across the U.S. have just five or fewer total information technology employees serving thousands of staff, vendors, students and families, with no one specifically dedicated to cybersecurity.
For a smaller district with only one or two technology staff, outsourcing cybersecurity protocols such as training, monitoring and testing for phishing attack recognition can be helpful. This builds greater awareness among all those IT staff serve so that districts can be better protected.
Regardless of size, school districts can strengthen their cybersecurity through four strategies.
Strong IT leadership and personnel. An experienced technology leader can weigh in on best practices, considerations for new technology procurement or usage and pressing needs within the context of changing threats.
Of course, a strong IT leader needs a team. An agile IT team, provided with up-to-date professional learning opportunities, can actively ensure protocol adherence, provide critical training and support, and identify and isolate threats when they arise. A single person can’t do it all. Consider an IT leader’s requests for additional staff seriously in any K-12 budget discussions.
Cybersecurity best practices and standards. No matter where a district is today, it’s never too late to implement best practices and standards. The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency, or CISA, offers guidance in its 2023 publication, “Protecting Our Future: Partnering to Safeguard K-12 Organizations.” It provides actionable tips for any educational institution to create a solid data security foundation.
CISA recommendations include implementing MFA; prioritizing patch management; performing and testing backups; and creating a training and awareness campaign.
Training and awareness can make or break any cybersecurity initiative. While it can be challenging and time-consuming for IT teams in public schools, resources must be spent on ongoing cybersecurity training and check-ins with students, families and staff. This is especially true as threats continuously evolve.
Secure, integrated technology. People make up the heart and soul of any cybersecurity initiative, but technology is the backbone — the frame on which everyone’s best efforts stand against threats or fall. Hackers know how to exploit weaknesses, so reputable technology providers must constantly update their software with security features like MFA and website encryption. Additionally, cloud-based systems can offer reliable system maintenance and redundancy without taxing district staff.
Integrated software systems also help reduce risk. When data move within a single system, the data are not exposed via third-party app connections or e-mailed spreadsheets. Simplifying tech stacks can exponentially improve a district’s cybersecurity.
Avoid sending and storing sensitive information via e-mail. Use a web-based e-mail encryption solution, which enables secure sending and receiving of sensitive data and information. The recipient receives a link to view the message and attachments. They follow this link, log in and then safely view the details without a hacker’s prying eyes catching a glimpse.
Careful response planning. Planning for an attack or incident is a realistic part of any cybersecurity initiative. Even with the best defenses in place, a careless link click can spell disaster. The first step in such an event is not to panic.
Districts should have a business continuity plan, or BCP, ready to put in place. The Southeast district developed a BCP that will maintain smooth operations, minimize impact on student learning and ease families’ expectations should an attack occur on their district. The continuity protocol included a timetable for an incident investigation, how long the BCP should be used in various scenarios and clear communication measures throughout the process. The district implemented a strong cybersecurity program that resulted in greater awareness of security protocols and has so far reduced risk for the large district.
An Ongoing Partnership
Together, software providers and K-12 professionals can solidify a cybersecurity strategy that’s up to date, resilient and practical to implement and maintain. The Southeast district that implemented multifactor authentication is on track to exponentially improve its overall cybersecurity strategy.
No school or district needs to go it alone. Partnering with software vendors and security experts can help mitigate the risk and instill confidence going forward.
Tim Chadwick is chief information security officer at LINQ in Wilmington, N.C. E-mail: firstname.lastname@example.org. Morrad Battah is a solutions consultant at LINQ in Wilmington, N.C.
By Amelia Vance
With collection and retention of student data by schools an issue of significant attention, a recent push is underway to restrict what schools collect about students.
AASA’s Student and Child Privacy Center conducted a series of interviews with school district staff and a parent advocate in October regarding what student data should be collected by schools and how those data should be managed. Several key takeaways emerged.
Recognize the potential harms of detailed permanent records.
A school’s accumulation of large amounts of data over time, without periodically reviewing and deleting data that are no longer necessary, may result in the creation of permanent records about students. Keeping detailed data over time runs the risk that the information could be misused or misinterpreted.
Bradley Shear, a parent in Montgomery County, Md., and a digital privacy lawyer, sees an urgent need for “the right to be forgotten,” particularly concerning minor missteps in a child’s past. Children should not be affected in their academic lives or career pursuits by the data collected on them in earlier years, he says. Instead, they should be able to explore freely without fear that their past activities on the internet might impact their future opportunities.
“People change over time,” Shear points out, “[and] we shouldn’t discriminate against kids just for exploring and learning.”
Define the lifespan of data.
Technology enables massive quantities of data collection. As schools embrace comprehensive child development approaches, such as social-emotional learning, the need for collecting, using and storing more sensitive data has escalated. Under the Family Educational Rights and Privacy Act, all of this information, no matter its sensitivity or the purpose for which it was collected, is treated the same.
Steve Smith, founder of the Student Data Privacy Consortium, emphasizes the importance of defining the lifespan of different types of data — a task that isn’t as straightforward as it might seem.
“Who’s going to define what data should stay for how long? There was a reason for collecting the data in the first place. At what point is it no longer needed as the student moves through the school system?” says Smith, who this month becomes executive director of the non-profit Access 4 Learning Community, after 15 years as chief information officer with Cambridge Public Schools in Massachusetts.
Support would be helpful.
The current procedure for data deletion is rather haphazard, requiring parental notification and compliance with a plethora of sometimes outdated laws. Eric Levy, senior database administrator in Cambridge Public Schools, points to the evolving legislation and the intricate regulatory environment, with each state enforcing its own data retention rules and requirements.
Technical limitations, such as differentiating between temporary and permanent records in student information systems, or SISs, further complicate the excising of student information.
“There’s a need for clearer guidelines and cooperative solutions from SISs,” he says, acknowledging the potential benefits of systems that automatically prompt data deletion based on predefined timelines and reduce the administrative burden on schools. The issue also extends to data backup and historical analysis, complicating matters further.
“Comprehensive documentation, clarity in laws, and supportive technology could be the game-changers,” Levy adds.
Create a parent handbook.
One of Levy’s innovative ideas would increase transparency and build trust through creation and distribution of a parent handbook. This resource could provide parents with insight into what data the school collects and why, while empowering parents to monitor and hold the school accountable.
Levy sees a handbook on practical issues to be a beneficial tool in bridging the gap between schools and parents. In Cambridge, a handbook’s development underscores the district’s commitment to upholding student privacy and ensuring data are collected and used responsibly. Such guidance emphasizes the significance of consent-based data collection and secure-sharing protocols.
AMELIA VANCE is chief counsel of AASA’s Student and Child Privacy Center. KATHERINE KALPOS and MORGAN SEXTON of the Student and Child Privacy Center contributed to this article.
Data can be at its most vulnerable when it’s transmitted online. You can prevent cyberattacks by following these best practices.
- Send encrypted e-mails. Use a web-based e-mail solution that sends recipients a secure link so they can view messages and attachments after user authentication.
- Upgrade website security. Introduced in 2018, TLS 1.3 encryption provides superior data protection compared to the current baseline standard.
- Use a secure file transfer protocol. This protocol encrypts the connection between the client and the server. Rely on it instead of traditional file transfer protocol.
- Configure secure app connections. An application programming interface connects multiple applications so they can share data. When configured correctly, it ensures secure data exchange between systems.
— Tim Chadwick
A cybersecurity incident quickly can halt school district operations and cause immense stress. However, taking the right actions quickly can help minimize impact, expedite a return to normal operations and strengthen the school district against future cyberattacks.
- Don’t panic. Gather the facts, then follow your incident response plan.
- Review your business continuity plan, or BCP. When the incident response team goes into action, assess operational needs and determine how long you plan to rely on procedures tied to your continuity plan.
- Communicate clearly. With incident response underway and your BCP in place, communicate the situation to all staff, students and families. Give time estimates for response actions and clearly explain any known impact of the cyberattack.
- Investigate the impact. After initially communicating the incident, start digging deeper to understand the full impact and take any available actions to contain the attack.
- Deliver timely updates. Build trust and promote patience by keeping everyone in the loop with regular public updates. Post messages on the school district’s website, send secure e-mail or in-app messages and/or send text alerts about any new developments.
- Learn to prevent future incidents. Come away from a cyber incident stronger by learning from the event. Document and archive details, including how the cyberattack occurred, the bad actor’s methods and all actions taken in response.
— Tim Chadwick