Districts around the country are being targeted by sophisticated cybercrime operations that are using personally identifiable information (PII) to target schools and extract student data. Threats coming from Russia and from within our own country have compromised schools and districts throughout the U.S.
The Threat Landscape Has Grown Since the Pandemic
Districts were already well under way in digitizing records, but the pandemic accelerated the digitalization process, often in haphazard ways that did not account for the increased threat. Now that the biggest wave of the pandemic has subsided, schools must prioritize data security in order to thwart these attackers who have been taking advantage of the growing number of access points – student devices, teachers working on home computers, digitized records not properly secured behind firewalls.
“As schools fast-tracked the shift to remote learning, some computers handed to, and owned by, students lacked adequate security, said Nir Kshetri, a University of North Carolina-Greensboro management professor in an interview with Newsday.
How Cyber Criminals Use PII
There are many ways PII can be used to target schools as well as victimize students and compromise student data privacy.
- If a student device is not properly secured, hackers can access the device directly. From accessing private data to activating the webcam, this poses a serious threat to students.
- Information accessed from the device could be used to help the criminal introduce malware that not only compromises the student’s device but the school’s or family’s entire network.
- Because of the number of devices, a sophisticated hacker could conceivably use the devices to execute denial of service attacks at a district level.
What Schools Should Do Now to Protect Student Data
Schools must act. The threat is real and measurable. These steps can help secure PII and protect your student data:
NIST-Based Controls
Schools should employ a standard framework, such as NIST, to ensure they have adequate layers of protection, including detection monitoring, firewalls, email security, and anti-virus software.
24/7 Monitoring and Patch Management
For most districts, partnering with a managed service provider is the best way to accomplish this, as most schools do not have the budget to have a full IT staff.
Incident Response
Even with the best security, errors can occur. Having a comprehensive incident response – shutting down the network, having offsite data and recovery solutions in place, and mechanisms to notify the appropriate parties of a breach as quickly as possible can mitigate risk.
Ongoing Staff Training
Ongoing training to ensure staff is aware of and on the lookout for threats can help prevent unnecessary breaches.
What Educators Can Do to Protect Student Data
Educators are using technology in the classroom more than ever, and that puts them on the front line of protecting student data. Student data privacy is more than just a nice thing to do; both by federal and state mandate, it is the law. So what can educators do to make sure they are taking necessary precautions to protect themselves, their students, and their districts? These are the recommended best practices for educators:
Don’t Go Rogue
Even if your school district has yet to implement policies about downloading and using edtech that has not been properly vetted, it’s a good idea to avoid free tech. Free edtech can often be a doorway to data theft. The only edtech solutions that teachers should use in the classroom are ones that have been properly vetted by your district’s IT leaders.
Don’t Manually Upload Roster Data
Secondary to downloading and using rogue edtech, teachers are often prompted to upload student data manually. This can put the data almost immediately at risk. Instead, work with your district to ensure that any vendor you want to use for your classroom is properly vetted and connected through your single sign-on solution to ensure the secure transmission of necessary PII.
Be Open with Parents and Guardians
When you do implement edtech to use with your students, be sure your students’ parents and guardians are aware of the use of the program and what information about the students is being collected. Explain the benefit of using the solution and how it aligns with the students’ curriculum.
Advocate for EdTech You Find Useful
Sometimes districts choose edtech solutions based on cost per student or because it comes as part of a bundle. If it’s not useful for you, it’s important to provide feedback to your district and advocate for the solutions that render meaningful outcomes that can be measured by student progress and success. At the same time, if you know there is a tool that will work for your students, but it has not been accepted by the district, make a pitch to vet the solution.
The days of leaving student data privacy to the school IT team are gone. It will take everyone – student, parents, teachers, and administrators – to work together to protect student data.
The Costly Risk of Not Prioritizing Student Data Privacy
There are ethical and moral reasons to prioritize student data privacy. There are also compliance reasons – federally mandated requirements for handling student data – that make it imperative. But at the end of the day, districts who do not prioritize student data privacy do so at the risk of costing their districts and their communities an unfathomable amount of money. Already in 2023, school districts in Iowa and Massachusetts fell victim to cyberattacks.
Cost of Student Data Breaches
According to the GAO, “the loss of learning following a cyberattack ranged from three days to three weeks, and recovery time could take anywhere from two to nine months. The financial impacts on schools can be broad. Officials reported monetary losses to school districts ranging from $50,000 to $1 million due to expenses caused by a cyber incident.” There were attacks on nearly 1,000 different schools impacting nearly a million students. Even more concerning is that hackers have begun to use tactics that further threaten the schools – even when they do pay a ransom to unencrypt the data, they are then further blackmailed into paying an additional ransom to prevent the data from being posted to the dark web. Beyond the monetary costs of these attacks are the costs of downtime. While the average school was only shut down for four days, the recovery process often takes a month or longer. In terms of a school year, a month is like an eternity. Those costs could rise further with expected litigation.
What’s Holding Districts Back from Better Cybersecurity?
In many cases, there is a perception that investing in cybersecurity is a budget breaker for districts. It can be overwhelming to know what cybersecurity measures are necessary and where to prioritize the investment. Even in larger districts with internal IT teams are often unsure how to proceed with developing a comprehensive plan to protect student data privacy or how to obtain the external resources they need to make it happen.
Cybersecurity Measures Cost Far Less than a Data Breach
Many of the steps schools must take to be more cybersecure cost far less than coping with a data breach that could result in ransoms, downtime, and legal issues. In fact, many of the steps districts can take to improve student data privacy are required to qualify for cybersecurity insurance.
SchoolDay Helps Protect K-12 School Districts
SchoolDay safeguards student privacy and educational data by providing a secure ecosystem orchestration platform for schools and classrooms. Serving over 36,000 schools, 3,000+ districts and colleges, and hundreds of EdTech vendors, SchoolDay champions open standards and secure data exchange, solidifying its role as a trusted leader in educational technology.
Threats against schools are painful and costly – and cybercriminals are only becoming more brazen in their willingness to attack schools. Be more proactive to make sure your district isn’t the next victim. SchoolDay is the open standards platform that securely integrates everything.
