K-12 data security breaches have more than doubled from 2016 to 2017. Doug Levin, president of Ed Tech Strategies, a Virginia-based research and counsel consultancy, stated in an interview that this increase is due to “more awareness of nefarious cyber activities; more schools using more hackable technologies; more schools going 1-to-1 and relying on digital tools; and bad actors who continue to look for soft targets such as students and school staff.” Some K-12 schools have faced terrible, even violent, threats, extortion, and blackmail demands.
A data breach can mean that hackers have access to valuable and private student data, including schedules, addresses, phone numbers, Social Security numbers, birth dates, academic performance reports, and medical and disciplinary records.
How schools and districts can better protect their data
- Plan ahead for the worst case scenario, and have a strategy, a comprehensive cybersecurity plan, in place for minimizing risk and damage.
- Create a team of IT and communications experts who will be ready to respond to a crisis and physically deal with a data breach. These individuals should be aware of legal implications of lost data, as well as the basics of communicating with students, the public, stakeholders, service providers, and others.
- Teach students, who sometimes hack into their own school’s systems, the ethical and legal implications of cyber crime.
- Provide teacher training on cybersecurity. Negligence can jeopardize data just as badly as malicious hackers can. EdSurge writes that “hacks may be technical by nature, but proper employee training is key to prevention ... ‘Most incidents occur from human mistakes,’ says Lynzi Ziegenhagen, CEO of Schoolzilla.” For example, one security researcher discovered that a company had accidentally exposed sensitive user information to the public by deleting a configuration setting.
- Investigate the strength of your own security, and make a list of what could potentially be lost in the event of a data breach. Know what data you collect and why, where it is, and what protections surround it. Administrators should know the basics, while IT experts should know all of the fine details and should even conduct regular and thorough risk assessments. This allows your district or school to assess potential risks clearly, before disaster strikes.
- Follow the advice of your IT experts with practices such as regularly backing up data, reducing access, establishing difficult passwords, encrypting data, etc.
- Be transparent with your staff and community about data collection to avoid PR confusion.
- Establish lawyers, outside IT counsel, cybersecurity experts, a data forensics team, and/or PR professionals as existing contacts that you could reach out to in the midst of a crisis, in case your team struggles to agree on the next step.
- Have a shared list of personal resources regarding data safety for your school and district. For example, check out California Cyberhub, an educational cybersecurity organization that offers educational resources, event calendars, news and planning resources.
- Familiarize yourself with FERPASherpa.org’s Educator’s Guide to Student Privacy, written by teachers for teachers, and with California’s laws on districts’ requirements to notify students, parents, and employees when the security of personal information is compromised.
Often, the difficult reality is that a larger percentage of a district or school’s budget needs to go toward cybersecurity in order to establish adequate data protection. The more people are able to access your data, the more money and attention needs to go toward protecting it. Jason Glassberg, Co-Founder of Casaba Security, wrote for the Huffington Post that “Although this won’t be easy, schools have to invest in modern cybersecurity. A good benchmark is to spend no less than 2.5 percent of the annual budget on IT security improvements and modernization, although more is always better.”
For on-the-ground, hands on expertise and advice on cybersecurity and leadership issues, join ACSA, CUE, and the Technology Information Center for Administrative Leadership (TICAL) at the April 14, 2018 Leadership 3.0 Symposium in San Francisco. Created for administrators by administrators, the Lead 3 symposium offers excellent networking opportunities, leadership training, and technology tips on today’s most relevant and important education topics.