FETC 2024: Cybersecurity Must Become a Group Project in K–12

As one of the biggest employers in most areas, the local school district has tons of data and is probably a cybercriminal’s favorite buffet to dine at. That is what a CDW education strategist and a retired school technology leader said in a cybersecurity session at the National Future of Education Technology Conference held recently in Orlando, Fla. The duo shared that, with K–12 schools overflowing with sensitive, personally identifiable information, all school personnel — not just technology experts — need to be vigilant to keep bad actors at bay.

In their FETC workshop, Wendy Jones, a former teacher and a CDW educational strategist, and Karen Fuller, a retired technology leader at Cypress-Fairbanks Independent School District in Texas and current technology director of innovation at iSphere, shared how everyone can improve cybersecurity.

Cybersecurity might seem scary, but getting hacked is scarier, Fuller said, adding that we are living in a time when no one can afford to be ignorant about cybersecurity.

Fuller and Jones pointed to a recent Sophos survey that ranked the education sector as having the highest rate of ransomware attacks and said school leaders have an obligation to offer regular and robust training to all staff. It is also the responsibility of every administrator, teacher and classroom aide to protect data privacy so that when a students graduates or a district employee applies for a loan, they won’t have a mark against them for something they didn’t do.

“We have more data in our school districts on students and probably staff than most any other industry,” Fuller said. “We’re ranked the lowest because we really don’t realize how much information we’re protecting.”

That is why it is so important to have mandatory cybersecurity training for everyone, Jones and Fuller said. Because cybersecurity as a topic can be intimidating to the average lay person, they said, effective training protocols should personalize how a breach could affect end users’ lives. Knowing that breaches could have an impact on personal credit cards or result in cancellation of bank cards can certainly bring the message home and encourage educators to more mindful of cybersecurity at school.

“People are the weakest link!” Jones said. “All the security layers in the world mean nothing if we don’t train our people. It’s like leaving the garage to your house open even if you have locks and security.”

Unfortunately, too many educational institutions readily distribute data with little regard to the long-term impact. To manage student data properly, schools need to enact security policies. The presenters recommended that each school or district have a data steward to stem the easy outflow of information.

For example, when teachers want to use a free app in their classrooms, they may be unintentionally sharing too much student information with the vendor. The app may be helpful, but the vendor may require too much PII. The data steward would be responsible for setting policies and processes, and for approving or rejecting distribution of certain data to various parties, whether that be to vendors or even to other teachers and school administrators.

In an era when third-party data risks are rising and vendor breaches could cause a ripple effect, it is essential that schools require vendors to sign a student data privacy pledge that complies with federal privacy laws. Many districts are turning to privacy organizations such as the Student Data Privacy Consortium for guidance and vendor templates.

Fuller shared an example from her time at Cypress-Fairbanks ISD, where her team refused to do business with a vendor who would not sign the district’s student data privacy pledge. The agreement would have required the vendor to modify its processes so that it would not collect excessive student information or intentionally expose student data.

The presenters recommended following the National Institute of Standards and Technology’s Cybersecurity Framework for more guidance on how best to implement policies.

To be compliant under federal or local laws or even receive funding, K–12 schools must follow certain regulations aimed at protecting student data privacy. Some of the more familiar ones are the Family Educational Rights and Privacy Act, the Children’s Online Privacy Protection Rule, the Children’s Internet Protection Act and the Protection of Pupil Rights Amendment.

FERPA governs parents’ rights regarding who has access to their children’s records. The Children’s Internet Protection Act requires schools to install web filters when students are given access to the internet. The Children's Online Privacy Protection Rule restricts access to certain apps and programs to children under age 13 (and in some cases, under age 18). The Protection of Pupil Rights Amendment even restricts schools from collecting certain survey information from students without prior parental approval, no matter how innocuous it may seem. 

Some laws give parents access to their child’s login and passwords so they can monitor what the student is doing online.

“These are a lot to keep track of,” Jones said. “One of the easiest ways to remember all of those laws is to not give out data without getting approval from your data steward.”

Although operating system or other software updates can come at the most inopportune times, Fuller and Jones noted that making these updates, especially on personal devices, is one way that everyone can better protect their schools.

“The updates are for a good reason. Your vendors are running these updates because they realize that there’s a new threat out there, and when you update, you can prevent it from coming to your house or your neighborhood,” Jones said.

“If you don't patch those holes, just hold on to your horses — you’re going to get ransomware,” Fuller promised. “Something is going to slip through that one little hole that you forgot to patch.”

Jones added that the CDW team has found the most vulnerable machines are not the ones that students and staff use every day, but often those that have not been updated in years.

One way to intercept that, Fuller noted, is to deploy network access control across the district. NAC software would give IT the authority to vet network access for every piece of software or technology that attempts to connect to the network.

Some school technology experts think multifactor authentication is necessary only for employees who access sensitive financial data or student records. That leaves out the majority of users — and the youngest — in a school system.

Fuller likened not making MFA mandatory for all user groups to an incomplete termite extermination treatment that leaves your home still open to pests.

“If you’re not having a layered approach to cybersecurity, you’re opening yourself up,” she said.

“It’s getting a little scary out there,” she added, explaining that that it’s just too easy for siblings or others to access student devices that don’t require MFA. Plus, students must access a multitude of applications and therefore need that extra layer of protection.

Finally, if educators want to keep their school networks safe, they can’t do it alone, Fuller and Jones said. They recommended that districts look into several resources, including EdSurge and ASCD for support with digital pedagogy.

They also recommended pairing the NIST Cybersecurity Framework with the CoSN’s Trusted Learning Environment Seal, which addresses the personnel side of leadership, business practices, professional development and more to help of keep schools safe.

Another resource, the K12 SIX Essentials Series, takes a free, comprehensive look at cybersecurity in K–12.

Story by Taashi Rowe, the managing editor for EdTech: Focus on K-12 magazine.