School administrators need to protect students’ data, comply with government-issued mandates, and deliver exceptional educational experiences – all on shoestring budgets. Virtru’s Rob McDonald shares his perspective on these challenges and offers three ways to prioritize data protection.
School IT administrators have always lived by a simple mandate: deliver reliable services and solutions that help teachers and students excel. But that singular mission is getting more complicated as cyber attacks ramp up and state and federal governments issue mandates of their own to protect students’ data.
Federal programs like the Family Educational Rights and Privacy Act (FERPA) include very prescriptive language for appropriately managing and protecting test scores, grades, health information, and more. Meanwhile, state laws, such as New York’s State Education Law Section 2-D (EdLaw 2-D) and Minnesota’s Student Data Privacy law, give specific guidance on what schools must do to protect students’ information and rights to data privacy.
These are necessary regulations that can help protect sensitive student information during a time when schools find themselves at the top of many cyber attackers’ lists of targets. According to a report issued by the K12 Security Information ExchangeOpens a new window , in 2021, there were 166 incidents affecting schools in 162 school districts across 38 states. It was enough to prompt one school superintendent quoted in the report to say, “At the end of the day, it’s taking away from our kids, and to me, that’s just a disgusting way to try to get money.â€
The challenge is that, in most cases, the regulations are being issued without the provision of funds required to implement the guidelines the government agencies have laid out. As such, school IT administrators are essentially being asked to do more, perhaps not with less, but with current funds – which, in some cases, are barely enough to cover everyday IT expenditures. That makes a difficult and complex challenge even more daunting.
As with other challenges, the best way to tackle them is to break them down into manageable pieces and then prioritize them. With that in mind, here are three tactics IT administrators should prioritize to protect their schools without expending a lot of money or resources. These are not the only three tactics, but one of the most important foundations of building a security program is to start today!
See More: BYOD: A Threat to Data Security and Privacy Protection?
Focus on Protecting the Data Itself
Data is the common denominator underlying all cybersecurity threats. The entire organization remains at risk if data is not protected, from the faculty to the students.
That’s why FERPA calls for the strict protection of students’ personally identifiable information (PII) – but there are exceptions for certain types of information sharing. Students’ education records can be shared if there is a “legitimate educational interest†resulting from the sharing of such information. That means, in certain circumstances, schools can share student data with, for example, a third-party provider supplying the school with an educational resource.
Whatever happens, after the provider receives that information is anyone’s guess. Plus, the data is also often not well protected while it’s being shared and is potentially vulnerable to infiltration as it’s transmitted.
To protect data at rest and in flight, administrators should target their security efforts on what really matters: the data itself. Instead of spending funds investing in additional firewalls (for example), they can take a more targeted approach and ensure that all student-related data is encrypted. That goes for everything, from information shared with parents via email messages to testing data, healthcare records, and more.
Securing the data itself will ensure that the transmitted information is well protected and only accessible to those authorized to access it, wherever the data resides. That could be a parent or teacher – not a bad actor with the intent to harm.
Practice Strong Asset Management
Today, there are hundreds of thousands of educational apps available in various app stores. Many of them are of suspect quality and could pose cybersecurity risks.Â
While keeping an inventory of every application available to students is impossible, it’s important for IT administrators to periodically assess all of the applications that are being used on their networks. Some of those could be lower-quality apps that students downloaded on their personal devices, which are connected to a school’s network.Â
Regular asset management is critical to ensure that the applications students are using are school-approved, protected, and updated with the latest security patches. Applications that are unsanctioned or have been flagged as security risks should immediately be segregated from the network, removed, and blocked from use.Â
Asset management is also helpful in identifying legacy applications the school may not need or use anymore but may still be paying for. Eliminating these applications can improve security while eliminating unnecessary expenditures that could be unknowingly eating into a school’s already-limited budget.
Invest in Vulnerability Scanning
Vulnerability scanning goes hand-in-hand with asset management. Scanning can automatically identify possible vulnerabilities and security gaps that could result in data leakage. It can also identify unpatched assets that could be enticing entry points for hackers. At a minimum, this helps you develop a roadmap of activities that help reduce your overall security risk.
While some government-issued regulations do not specifically call for vulnerability scanning as part of their compliance requirements, regular scanning can help schools become compliant. The Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule, for example, requires organizations to perform routine security assessments, which could include taking steps to ensure that the applications they’re using are vulnerability-free.
Help on the Way
These recommendations are all cost-effective yet very important methods for protecting schools from potential cyber threats. They are the bare minimum that IT administrators should be implementing to keep their educational systems running and student data secure.
Still, each does come with a cost attached. Schools will need to consider those costs as they stretch their budgets for cybersecurity solutions to add to their toolboxes.
Fortunately, help is on the way in the form of the Department of Homeland Security’s State and Local Cybersecurity Grant ProgramOpens a new window . The program will distribute $1 billion over the next four years to eligible state and local governments, providing some funding relief for cybersecurity programs. That money could be used to help schools improve their cybersecurity postures in meaningful ways, alleviating much of the monetary burden associated with data protection.
It could not have come at a better time. Cyberattacks are more sophisticated, and government mandates will continue to evolve and require more from school IT administrators. We’ve seen this happen in other industries – healthcare and financial services are two prime examples – so we know it will happen in education.Â
The key is for IT professionals to leverage the grant money the best they can. That means focusing on the practices that will give them the best bang for their cybersecurity bucks while allowing them to provide teachers and students with the support they need for the best possible learning experience.
What other strategies can you think of to enhance student data security and learning experience? Share with us on FacebookOpens a new window , TwitterOpens a new window , and LinkedInOpens a new window .
Image Source: Shutterstock