12 January 2023

Protect K-12 Student Data with Comprehensive Cybersecurity


Cybersecurity is a challenge for K-12 schools.

Looking back at September 2022, there were more than 16 disclosed ransomware attacks – half of which were on academic institutions. In the following November, another ransomware attack, on Norman Public Schools, completely debilitated the district. Increasingly, K-12 schools and universities are becoming primary targets for cyber criminals. What can schools do to better protect themselves, their staff, and their students from these attacks?

Many schools don’t have enough staff to monitor their networks round the clock. Taking advantage of this gap in cybersecurity, hackers tend to launch attacks on schools over the weekends, when no one is watching the network. By the time classes resume the following Monday, the damage may be extensive. To help prevent or minimize the effect of cyberattacks, 24/7 monitoring and offsite backup are essential. Such cybersecurity measures are provided by a managed service provider (MSP) that has the tools, experience, and expertise to both analyze your infrastructure and ensure that you have the best solutions in place for your district.

Ongoing Employee Awareness Training

Even when schools partner with an MSP, school staff remain the single biggest threat to data protection. Ironically, the single biggest source of protection is that same staff. When your teachers and administrators are trained to recognize and report cyber threats, and when they can – without fear of reprisal – refuse to click links, open files, or issue payments based solely on an email request, they become your first line of defense.

Provide your teachers, office staff, and support staff with ongoing cybersecurity training and updates about the latest threats. Encourage them to stop and think before clicking. Allow them to refuse action if they sense a threat. An extra moment of caution is often all it takes to prevent an attack.

Utilize SchoolDay to Protect Your Student Data

The problem no one talks about – the risk of traditional rostering services duplicating PII to a thousand or more edtech vendors – is perhaps one of the greatest risks that schools are facing. PII is proliferating at an exponential rate, and it has become more and more difficult for schools to know who has access to their data, where it is stored, and how it is protected. Taking into consideration traditional rostering, shadow IT, and school devices being used outside school networks, the risk continues to grow at an alarming rate.

There is an inevitable risk when K-12 schools contract with edtech vendors. For most edtech providers, the standard operating procedure for obtaining the data they need to work with a school is through rostering. But what is rostering?

Traditional rostering is a high-risk data exchange of a student’s personally identifiable information (PII) that is copied from the school’s roster to the edtech vendor’s database. The risk of having multiple copies of a roster on various servers or in the cloud is that every instance increases the likelihood of a data breach.

SchoolDay minimizes the attack surface area using cutting-edge technology to solve the problem that traditional rostering vendors have created. We don’t prevent schools from using edtech vendors; we simply provide a better means of sharing data with vendors and a way to visualize how the data is being used, with tools that allow schools to shut down unauthorized PII use.

How Can SchoolDay Help My School District Gain Control of PII?

Rather than provide roster data to each edtech vendor with whom you choose to work, SchoolDay allows districts to integrate their SIS and LMS one time only; schools can then benefit from one-click rostering with thousands of edtech applications. With SchoolDay, your district can provide a library of vetted edtech choices, instead of having teachers download rogue edtech directly from the internet and sharing student data. And with an IDM embedded in SchoolDay, school administrators don’t have to manually create, update, or delete accounts.

To test the efficacy of SchoolDay, we conducted pilots with progressive edtech vendors that preferred to avoid dealing with student data, especially that of students under the age of 18, who are unable to consent to the use of their data. SchoolDay’s secure data exchange allows vendors to connect with the school without handling PII or being forced to use traditional rostering conventions. Student data is filtered out during the exchange process.

At the same time that vendors are trying to find ways to support districts without having to use PII, schools want to remain cognizant of who has access to student data, where it’s going, and why. SchoolDay supports districts by providing them with PII monitoring tools, so that they can see which vendors or other third parties have their data, and whether vendors have been properly vetted.

Working Together for the Future of Secure Data Exchange

SchoolDay is collaborating with edtech vendors, schools, and 1EdTech to eliminate the need for individual data privacy agreements (DPAs) with every school, by standardizing and providing anonymized roster data.

Michael King, SchoolDay’s Chief Growth Officer, said, “We want to be able to provide the tools to monitor what’s happening, and at the same time, provide a framework so that over time, we begin to reduce the amount of data that’s going to vendors.”

Rob Abel, CEO of 1EdTech Consortium, has been leading the charge for improved PII governance, providing ways for edtech vendors to demonstrate their commitment to, and protocols for, protecting PII. He addresses the evolution of the data ecosystem in schools and what must be done to better protect PII. Edtech vendors participating in 1EdTech’s certification are shown as trusted vendors in SchoolDay’s privacy console.

Using Standards to Create Better PII Governance

Abel explains:

The uptake of digital applications and platforms in education, especially in K-12, has led to a lot of complexity in the institutional, school district, or statewide ecosystem. We’re seeing a dramatic rise in the movement of data pertaining to students between applications. Some data is being collected by the applications themselves, but there is also a lot of data moving around because we have interoperability standards, such as OneRoster and LTI (Learning Tools Interoperability), which have become quite popular. So, it’s very, very important to understand how to use those standards correctly so that that data is protected.

The future of education is in edtech. And the future of edtech is a collaborative effort to better secure student data, protect student data privacy at all costs, and ensure that the industry moves forward safely with the appropriate cybersecurity measures, including a zero trust data exchange ecosystem.

Who Can You Trust to Handle Student Data?

Protecting data privacy is an ongoing challenge for school IT leaders, and as industry challenges emerge, we continue to focus on how school districts can effectively provision learning apps that access personally identifiable information (PII), as well as the fresh opportunities that exist for districts and edtech vendors to take a unified approach toward data anonymization.

Systemizing Trust

Abel continues:

We require a level of preparation and awareness in terms of the processes and the potential safeguards that are really difficult for even the best resourced school districts and suppliers to achieve. So, we have to work together to systemize trust. The one thing we have in education that’s really powerful is the ability to collaborate as colleagues and peers, especially when we have a mutual cause we’re collaborating around. What we’ve done is create something called trusted apps – a certification, which is really about transparency. It’s not a guarantee of anything, but these app providers come forward and indicate very clearly what is in their privacy policy and what is not. And, we have massive collaboration amongst the members that helps to utilize that information to make decisions about technology that makes their ecosystems more valuable, but less vulnerable. Some of that collaboration occurs in the standards themselves, making them more foolproof in terms of protecting student data.

The Cybersecurity Threat Landscape Has Grown Since the Pandemic

Schools around the country are falling victim to sophisticated cybercrime operations that are using personally identifiable information (PII) to target schools. Threats coming from Russia and from within our own country have compromised schools and districts throughout the U.S.

Districts were already well under way digitizing records, but the pandemic accelerated the process, often in haphazard ways that did not account for the increased threat. Now that the pandemic has subsided, schools must prioritize data security in order to thwart attackers who have been taking advantage of the growing number of access points: student devices, teachers working on home computers, and digitized records improperly secured behind firewalls.

“As schools fast-tracked the shift to remote learning, some computers handed to, and owned by, students lacked adequate security,” said Nir Kshetri, a University of North Carolina-Greensboro business and economics professor, in an interview with Newsday.

Data Is a Lucrative Business

According to the United States General Accounting Office (GAO), as of 2020, more than 1.2 million students were impacted by cyberattacks in schools. Since then, K-12 schools have become the number one target for cyber criminals. New technologies like AI, which cannot function without collecting data, put schools and the PII they are charged with protecting at risk. Data is not just useful for districts in their decision-making functions. Data has become an attractive and lucrative asset for threat actors who know how valuable that information can be on the dark web for phishing and for extracting ransoms, making better PII governance imperative.

How Cyber Criminals Use PII

There are many ways PII can be used to target schools, victimize students, and compromise student data privacy:

  • If a student device is not properly secured, hackers can access the device directly. From accessing private data to activating the webcam, this poses a serious threat to students.
  • Information accessed from a device could be used to help a criminal introduce malware that not only compromises the student’s device but also the school’s or family’s cybersecurity.
  • Because of the number of devices used throughout a school, a sophisticated hacker could conceivably use the devices to execute denial of service attacks at a district level.

What Schools Should Do Now to Protect Their Districts

Schools must act. The cyber threat is real and measurable. Follow these steps to help secure PII and protect your student data:

  • NIST-based controls: Schools should employ a standard framework, such as NIST, to ensure they have adequate layers of protection, including detection monitoring, firewalls, email security, and antivirus software.
  • 24/7 monitoring and patch management: For most districts, partnering with a managed service provider (MSP) is the best way to accomplish this, as most schools do not have the budget to maintain a full IT staff.
  • Incident response: Even with the best security, errors can occur. Having a comprehensive incident response plan – network shutdown procedures, offsite data and recovery solutions, and communication protocols – can mitigate risk.
  • Ongoing staff training: Ongoing training to ensure that staff are aware of and on the lookout for threats can help prevent unnecessary breaches.

SchoolDay’s Trusted Digital Solution

SchoolDay empowers schools to centrally:

  • Manage the exchange of student, staff, and parent data with vendors.
  • Approve and publish apps to a district- or school-branded on-demand app store.
  • Delegate to school staff and teachers the ability to activate apps on demand within their managed groups.

SchoolDay is a zero-trust data exchange platform that improves safety, privacy and security with advanced governance and privacy tools, which monitor and regulate the sharing of PII, including email accounts. The platform exchanges data with any edtech application, is easy to implement for schools and vendors, and eliminates the need to share school PII. SchoolDay’s zero-trust data exchange is already being used in more than 30,000 schools nationwide and has integrated with hundreds of edtech vendors. We have a proven project management methodology to ensure a straightforward launch of SchoolDay in your district.

SchoolDay’s Monitoring Console Brings Clarity

SchoolDay includes PII monitoring dashboards and reports that empower school leaders to take action with our platform’s data governance console. Our console categorizes and prioritizes PII risks according to custom rules configured by your school district and makes it clear which vendors are 1EdTech approved. We offer a robust API framework for vendors to implement that allows them to create accounts for users, manage authentication and logins, create personalized experiences, communicate with users, and perform other more complex tasks, such as badging and credential reunification. We invite you to learn more.
