Between 2021 and 2022, 56 percent ^[1] of K-12 education organizations were hit by ransomware, a nearly 25 percent increase from the previous year. That’s a staggering number, and a clear indication that threats against schools are only getting worse.

While risk assessments are one of the best things a K-12 school can do to understand their cybersecurity vulnerabilities in order to be strategic about how to protect against them, this critical tool is often avoided. After all, they can be absolutely awful to perform, taking up valuable time, involving confusing jargon and often not even seeming to solve any problems.

If this sounds familiar, there’s some good news. Yes, risk assessments are far from sunshine and roses. But you can get through them with less friction and pain, and ultimately improve your security posture, if you adhere to the following guidelines.

1. Get Specific About Risks & Tolerance

I’ll just come out and say it: most risk assessments are way more cumbersome and time-consuming than they should be. If you’ve tried to go through the process before only to find it’s draining you of weeks or months of your time, you’re doing the wrong assessment. It’s also entirely possible that the assessment at hand is either written as a one-size fits all sort of deal, is too narrow (and not in a way that’s suited to you and your needs), or doesn’t seem to understand the unique nuances of working in an educational environment.

Your security priorities at a K-12 school will naturally differ from the security postures of government entities or other organizations. As such, your risk assessment should be different too, tailored to your particular situations, risks, data types and even vernacular.  As you begin to work through it, identify what aspects of cybersecurity are most important to you. For schools, this will usually be protecting student data. From there, you can determine your risk tolerance which will then inform your strategy and plans.

2. Simplify the Language

Riddle me this: IT professionals conduct risk assessments, but administrators are typically the ones who read them. This sets everyone up for a disconnect in language, general frustration and subpar outcomes.

---

Related:
Forget flat networks–tighten your security
^[2]4 ways to avoid cybersecurity snake oil ^[3]

---

After all, how the IT person speaks about security gaps is going to be very different than how a principal or superintendent would. If the person with the authority to approve security measures doesn’t understand them, they’re less likely to be approved. Communication matters, so make sure your risk assessment is being written by humans for humans and with language that matches a school setting – not a for-profit enterprise.

3. Loop in Others

Risk assessments must be thorough in order to be accurate, but this doesn’t mean that one person needs to shoulder the burden. In fact, the best assessments are done through teamwork. When you start an assessment, take the time to really think through who on your team is best qualified to answer a particular question or section. Delegate that part to them, along with a deadline of when you need it completed. Then, rinse and repeat for all other questions and sections. This will help expedite the completion of the assessment, and get you more comprehensive insights.

4. Understand How Compliance Fits into the Picture

As an educational institution, K-12 schools have to abide by particular rules. It’s likely that you’ve invested time and resources into becoming compliant with minimum standards ^[4]related to regulations such as FERPA, but it’s important to note that this doesn’t satisfy your cybersecurity requirements. Compliance and security are not one and the same. So, make sure that you attain compliance as necessary, but then take the time to improve your security posture outside of that compliance. It’s important to cover all your bases in order to protect your most sensitive data.

5. Define What’s Next

Finally, one of the most glaring issues with many risk assessments is that they end by pointing out a lot of security holes without offering guidance on prioritization or ways to fix them. Whoever conducts your risk assessment should share their findings and also take the time to provide a path forward for your school. They should keep in mind your biggest priorities, risk tolerance and available resources when helping you create a plan that is actionable and realistic.

When it comes to schools, cybersecurity is of utmost importance. Even though risk assessments have historically been terrible, they’re a highly valuable tool when administered properly. Make your school safer by conducting a risk assessment that has been designed for schools and that follows the tips outlined here. They still won’t be anyone’s idea of a good time, but they’ll be a lot more palatable – and help you protect your school and its sensitive data the way it deserves to be protected.

Keeping K-12 schools safe from cyberattacks has become a growing concern for educational institutions, especially as these attacks increase in sophistication and frequency nationwide. This past September, a school district in Detroit was hit with a cyberattack that closed its schools for two days ^[5]. The Los Angeles Unified School District, the second largest school district in the country, was also subject to an attack over Labor Day weekend ^[6], which shut off access to email and crippled the district’s website and critical systems.

These attacks have been a wake-up call to school districts about the risk of cybercrimes and the impacts they can have on operations. But why are cybercriminals drawn to them?

Why Schools Have Increasingly Become the Target for Cybercrime

From online learning portals to HR systems, much of school today takes place digitally. This makes connectivity essential to ensure technology is always working and critical operations aren’t interrupted. A modern school’s function hinges on having constant access to a network, making it a prime target for hackers to exploit any vulnerabilities within the network and issue a total system lockdown.

Another appealing trait of schools to cyber criminals is the wealth of data stored within internal databases. There, student and staff information, including their full names, birthdays, addresses and Social Security numbers, can be found and stolen for nefarious purposes, likely being sold on the dark web or encrypted for a ransom. 

While cyberattacks can put sensitive information at risk and bring school operations to a standstill, they can also be costly to remediate. According to a 2021 Comparitech study ^[7], ransomware attacks alone on U.S. schools and colleges cost $3.56 billion.

Keeping schools protected against cyber threats is essential now more than ever. Still, with only 14 percent of school districts describing themselves as “very prepared” to deal with a cyberattack ^[8], it’s clear that schools need to improve their defenses against cybersecurity issues that may arise, but how?

How to Ensure Your School is Protected

To combat the rising threat of cyberattacks on K-12 schools, districts should implement a proactive approach to cybersecurity. Waiting for an attack to happen can have devastating ramifications. Instead, schools must take action now.

Here are three strategies schools can adopt to help protect their digital learning environments:

Implement Automated DDoS Mitigation

Distributed denial of service (DDoS) attacks are the most common type of cyberattacks and the education sector continues to see more of these attacks than any other industry ^[9]. DDoS attacks occur when an attacker maliciously floods a victim’s internet circuit with fake or illegitimate traffic to prevent true user traffic from passing. Maintaining both a DDoS mitigation and a scrubbing solution is critical to fighting against theseDDoS attacks. These services can proactively scan and analyze a network for threats and remove malicious traffic in real time without disrupting other operations or internet connectivity, which allows schools to embrace a “set it and forget it” mindset. When DDoS mitigation is in the background, schools can resume operations without worrying about losing internet connectivity.

Isolate Potential Threats with Network Traffic Segmentation

The proliferation of cyber threats has made data security increasingly challenging, especially with the growth of remote learning. Smart network design and tools can help isolate security concerns as they arise and improve reporting and visibility across the district’s network. Segmenting network traffic minimizes network design while reducing the attack surface, enabling faster containment options.

Leverage Unified Threat Management for Quick Access to All Security Solutions

Unified threat management is an approach that enables a single point of protection across security functions and ensures that all security solutions work together to protect against internal and external threats. With unified threat management, schools can use a co-management portal to simplify their security infrastructure, making it easier to detect threats at any touchpoint and deploy the proper solutions to combat.

The current education cybersecurity crisis is a problem plaguing K-12 school districts nationwide. It’s not a matter of if a school will be targeted, but when, meaning schools need to prepare now or face costly and irreparable impact. Employing a proactive security strategy can protect schools from cyberattacks and foster an environment where students and staff alike can thrive. 

Related:
4 ways to avoid cybersecurity snake oil
^[3]K-12 cybersecurity vendors: Is the threat already in your house? ^[10]

K-12 cybersecurity was thrust into the spotlight when the COVID-19 pandemic forced learning online. And since then, cybersecurity has been a top concern of IT leaders and administrators.

In this eSchool News webinar ^[11], you’ll learn about real-world threats affecting the K-12 cybersecurity space and education in general, the myths behind them, and five useful tips to further protect their organizations from attacks.

Key takeaways include:

• Understanding the threats and where they’re coming from
• How to prioritize mitigation efforts
• How and where to start

In this episode of Innovations in Education, sponsored by Promethean and Merlyn Mind and hosted by Kevin Hogan:

• 4 blended learning strategies for better student engagement
• Only out-of-the-box solutions will fix the real problems in schools
• The Promising Reality of AI ^[12]

Think cybersecurity won’t or can’t impact you?

Well, you would be wrong.

The number of cyberattacks only continue to grow. Virtually every business you can think of has been hit–cybercriminals have targeted the pipelines we rely on for oil and gas; the hospitals we turn to in times of need, even the social media companies where we connect.

Nowhere is this more true than in our schools.

Just this past September, the Los Angeles Unified School District (LAUSD), the second largest in the country, announced ^[13] it was the victim of a ransomware attack, with cybercriminals infecting the district’s computer networks, locking up files, and stealing data. In early October, the attackers followed through ^[14] on their threat to release the stolen data if a ransom was not paid.

LAUSD is far from the only district impacted. One cybersecurity firm reported that this was the 50^th attack on US schools this year. Ransomware attacks are particularly common cyberattacks in school districts because schools are chronically underfunded and understaffed to respond to cyber events.  Ransomware is designed to encrypt all systems and devices, ultimately forcing some services to shut down. The cost of paying the ransom may be cheaper than getting the system up and running again, so the payoff to criminals is almost certain, and the likelihood that attacks will continue is almost guaranteed.

This begs the question: what should school districts be doing to protect themselves?

It comes down to three steps: Protection, Detection, and Response:

Protection

The vast majority of breaches are crimes of opportunity, so closing defensive gaps and having the right solutions such as Multi-Factor Authentication (MFA), Email Security, and Endpoint Management solutions in place is the best first step. More importantly, keep all the technology you already use current.  Vendors will keep their solutions updated to respond as cybercriminals change their infiltration methods and become more sophisticated in their attacks. School districts should continuously invest to keep technology current. Delaying refreshes could leave them vulnerable.

Related:
How digital equity enhances cybersecurity in schools
^[15]4 ways to avoid cybersecurity snake oil ^[3]

They should also focus on services that are most critical. If there is an attack, which of these services needs to stay up and running? Consider bus scheduling, online or on-premise learning systems and payroll. Make sure these services and any systems that house personally identifiable information are protected with access controls like MFA, and limiting administrative access only to a small, well-trained, few.

Lastly, and this will be a frequent theme, cybersecurity isn’t any one person’s job, and school districts certainly don’t have to navigate this minefield alone. They should invest in year-round cybersecurity training for everyone: staff, students, parents, administrators, and technology support staff. In fact, organizations with strong people, processes, and technology see a 3.5 times performance increase in their detection and response outcomes ^[16]. To do this, they can partner with federal, state, and local governments to apply for funding to support cybersecurity efforts.

At the federal level, the Biden Administration signed the “K-12 Cybersecurity Act” last year. This law requires the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) to team up with the Federal Bureau of Investigation (FBI) to investigate all attacks in K-12 schools. The bill also requires these agencies to produce comprehensive cybersecurity toolkits ^[17] in an effort to help educate school IT professionals, teachers, faculty, and students.

Detection

If an attack does break through protections, it should be detected and identified. Again, this doesn’t have to be done alone. The Center for Internet Security Multi-State Information Sharing and Analysis Center ^[18] is a great resource to receive real-time threat information. Data indicates that teams who use threat intelligence are twice as likely to report strong detection and response capabilities. After all,  it is a lot easier to detect a threat ^[16] if you know what you’re looking for. Teams also need security that is integrated throughout a school’s connected systems. You can’t respond to threats you can’t detect, so a good place to start is a strong extended detection and response (EDR) solution that enables teams to monitor and identify potential issues.

Response

School systems practice drills for physical campus threats, severe weather threats, and potential fire dangers. They should also be practicing for cyber incident responses using Incident Response playbooks. Strong data backup strategies can help minimize downtime from things like ransomware attacks, while having mobile device management (MDM) capabilities can enable schools to quarantine or completely wipe compromised devices.

A third time – just for good measure – school districts aren’t in this alone. Cyber insurers, the FBI, state response groups, and the private sector all have a role to play in supporting how school districts respond to cyber emergencies. The specific strategies employed will vary based on the capabilities and maturity of the school’s security program.

Creating a Plan

No industry is immune to the cybersecurity threats. Schools must protect student data and maintain critical services that serve a vulnerable population. Working with trusted security providers to create a plan that prevents, detects, and responds to cyberattacks is more important than ever.

Click Here to Learn How to Lower Cybersecurity Threats to Your School ^[19]

K-12 vendors are key components in all aspects of K-12 education. From operational needs such as attendance and payroll to learning applications for reading, science, and mathematics, vendors ensure school districts operate as efficiently and effectively as possible.

But K-12 vendors are also one of the greatest single sources of cybersecurity vulnerability for schools and districts. The U.S. Government Accountability Office asserted that “cyberattacks carried out directly against edtech vendors […] tend to have an especially severe impact on K-12 because they affect a large swath of students across multiple school districts at the same time.”

In fact, K12 SIX’s annual report asserted that 55 percent of reported school data breaches in 2021 were connected to incidents originating from district vendors.

How can you stay safe? Here are three ways you can better ensure your K-12 vendor selection leads to increased results rather than decreased cybersecurity.

1. Show Me Your Bona Fides

Is your vendor FERPA certified? The Family Educational Rights and Privacy Act ^[20] is a federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

What about COPPA certification? The Children’s Online Privacy Protection Act ^[21] places requirements on operators of websites or online services directed to children under 13 years of age, as well as requirements on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.

Related:
4 ways to avoid cybersecurity snake oil
^[3]How digital equity enhances cybersecurity in schools ^[15]

These two certifications prove that your vendor places high importance on keeping your student data safe. Additionally, requiring recommendations from customers with similar needs is always an excellent idea.

2. Sweat the Details

We see them every day: Privacy Policies and Terms of Service. And while downloading that new photo editing app for your smartphone often involves a skimming, if even that, of the Privacy and Terms of Service policies, these two documents are wildly critical for K-12 cybersecurity. Here is a non-comprehensive list of specifications to look for from the Privacy Policy and Terms of Service.

• Spell out the type of Personally Identifiable Information (PII) collected and what they do with it
• Delete all student data collected ANY TIME you wish
• Detail who at the organization can access student data and what that means
• Offer audit logs for when company staff members access school accounts and/or student data
• Commit to never share student information with third parties except as required to provide their service (including with advertisers)
• Show their plan in the case of a breach
• Display the granularity of its data encryption
• Provide the location(s) of where on earth the district’s data is stored
• Guarantee that the ownership of PII remains solely with the school district

3. Hope for Security, Plan for a Data Breach

While no K-12 school district expects to be hacked or incur a data breach, the odds of one occurring grow daily. No vendor can guarantee 100% security, but what they can do is detail what they do to actively test their defenses and respond in the event of a cybersecurity breach. A few actions to take:

• Examine the vendor’s incident response plan and ensure it is documented along with a discussion of key steps and with what cadence they are executed
• Require the vendor conduct a yearly pen test by a third party (“by a qualified third-party vendor” is common language)
• If the district cares, does data leave the State or the U.S.

In this episode of Innovations in Education ^[22], hosted by Kevin Hogan:

• Using data insight platforms to improve SEL strategies
• 5 tips to help students master foundational skills
• Teacher Shortages: Viable Solutions to Meet Immediate Needs ^[23]

Related:
Big thoughts in edtech
^[24]Sharing best practices ^[25]

In this episode of Innovations in Education ^[22], hosted by Kevin Hogan:

• 4 ways to design collaborative learning spaces
• Free internet could erase the digital divide
• STEM lessons straight from the classroom

Related:
Big thoughts in edtech
^[24]Sharing best practices ^[25]

Just when we thought the painful trend of ransomware attacks on public schools might be waning, news arrived of a massive incident. Over Labor Day weekend, the country’s largest school district, Los Angeles Unified, experienced a ransomware attack ^[26]. The district serves 600,000 students and described “significant disruptions affecting access to email, computer systems, and applications.”

There was good news, though. The district appeared to catch the attack early, shut its systems down and avoided more serious problems. A lot of the time these attacks result in the loss of social security numbers and all kinds of other data, amounting to a serious violation of children’s privacy. For such a large district, this could have been catastrophic. LAUSD’s impressive response likely resulted from some smart preparation.

LAUSD was unfortunately not the only school to be victimized this year, and in other cases, some of the consequences appear to have been more severe. Staff at Cedar Rapids, Iowa schools saw their personal information stolen ^[27] this summer, including Social Security numbers, driver’s license numbers, bank account numbers, and even medical history information.

The district is offering a free year’s worth of crediting monitoring services to affected employees. Another incident in Iowa ^[28] involved an extortion threat from attackers calling themselves Vice Society, saying they would upload stolen files if a ransom wasn’t paid – a common tactic of cyber criminals. It remains unknown whether the two incidents might be related.

Elsewhere, a school district in Texas ^[29] was forced to hold classes without access to the internet, following a ransomware attack. This included closing the campus to visitors because the screening system couldn’t be accessed.

Related:
Growing ransomware threats require maximum data protection
^[30]What teachers and parents should know about ransomware ^[31]

All of these attacks are part of a trend that has grown over the past few years. In 2021, there were 73 ^[32] publicly-reported instances of U.S. public K-12 school districts being victimized by ransomware, according to Emsisoft. But that relatively low-sounding number belies a much larger toll. Those districts comprised a total of 985 schools. And there are likely many incidents that don’t get publicly reported. Some districts appear to have avoided public disclosure ^[33] of attacks, and it’s generally believed the true number of incidents is significantly higher than what we know about.

Parents tell a similar story. Last fall, nearly 1 in 10 ^[34] surveyed parents said their child’s school has been hit by a ransomware attack during their student’s time there. Among the parents who said that their school had been attacked, 61 percent said their child had personal data stolen as a result. Three in four said their schools were forced to close for at least 1 day, with an average closure of 2.3 days. Nearly three-in-four parents said the school did pay a ransom, while the ransoms themselves were at least relatively modest; less than four percent said the school paid more than $1 million.

Schools don’t have to be hit directly in order to be affected. There have been dozens of incidents in 2022 involving other education-related organizations, with victims including universities, education management companies, and providers of tech tools used by schools. One such incident ^[35] last January brought down thousands of school websites when a web hosting company was attacked.

Fortunately, so far in 2022, the rate of attacks on public schools does at least appear to be tracking lower than in recent years. But it’s early in the school year, and there are steps everyone should be taking, in hopes that their school can respond as effectively as the one in Los Angeles.

First, parents should communicate to administrators that they are concerned about these incidents. The average cost of remediation is in the millions. That’s a lot of money for parents and taxpayers to be burdened with, especially when best practices are well-known. School IT administrators need to pay close attention to security alerts, such as those coming from CISA ^[36], and they should be keeping a close eye on outgoing network traffic to watch out for data exfiltration to the internet, as well as on lateral movements within their network. They should also utilize two-factor authentication, run regular data backups to systems that are not connected to the internet, and regularly apply security updates to their software as soon as they become available.

Ransomware gangs have become very effective at going after vulnerable targets, and there is so much involved with a typical school day that is now connected to the internet and must be protected. There are systems we may take for granted that are tied to such basic functions as bus scheduling, taking attendance, and so much more. A successful attack means students, teachers and even parents are not going to have a normal school day, and these disruptions can last for weeks or even months. Schools across the country are improving their defenses, but it’s on everyone to do their part to continue the push to fortify these vulnerable systems and keep ransomware attacks and the damage they do on a downward trend.

If your school is hit with a ransomware attack, administrators are advised to contact the FBI, rather than paying the attackers. New decryptors are often made available and posted on NoMoreRansom.org ^[37], which also has additional guidance ^[38] for IT officials to mitigate risk.

If you heard about the attack on the Los Angeles Unified School District in early October, you probably heard that 400,000 ^[39] students’ private data was put at risk and that the hackers demanded a ransom ^[40]. When speaking about the attack, the police chief made a point of saying that cyberattacks are “the number one threat to our safety” and that everyone is vulnerable. Even so, the education sector seems to have an especially large target on its back, with LAUSD being the 50th ^[41] education entity to be hit with ransomware in 2022. If you want to avoid being next, there are a few key steps to take – including getting rid of flat networks. The status quo has to go.

Are You Prepared to Pay the Costs of Convenience?

All too often, schools blend their guest and student networks together. Such a move flies in the face of every single, basic security recommendation ever made, so why do they do it? Convenience. Yes, it’s more convenient but that’s because it’s insecure.

If your network is flat because of convenience, then ask yourself: Are you prepared to pay the costs of that convenience? The costs of an attack like the one at LAUSD are many, ranging from student safety to financial, operational, reputational, and more. 

A Properly Segmented Network is a Must

If someone doesn’t know much about computer networks, they won’t know that a flat network is bad. Similarly, anyone without knowledge about security won’t know the importance of network segmentation. Still, ignorance doesn’t excuse inaction. A properly segmented network reduces the speed at which a cyber criminal can move across your network, making it a key priority.

In order to segment your network, you need to develop a route, which involves creating an access control list. This is the point at which many schools and districts balk. They don’t want to have an access control list, so they end up having no idea who’s coming and going. Once again, it’s more convenient. But it’s dramatically less secure.

Related:
Free internet could erase the digital divide
^[42]K-12 IT teams need to rethink their approach to cloud storage costs and security ^[43]

To avoid being in this position, take the time now to focus on improving your network segmentation (by separating them into appropriate VLANs with access control rules and proper port control) and firewall geo-blocking. If you don’t have an information security professional on staff who knows how to do this, enlist the help of a third-party expert.

Time is of the Essence

A properly configured network that’s adequately monitored can alert you to any suspicious cyber activity early enough to intervene and significantly reduce and/or prevent a ransomware attack from taking hold of your data. This is important to note, because some people mistakenly assume attacks happen in an instant or a matter of hours. The average time to detect and contain a breac ^[44]h ^[44] is 287 days. That’s 100 more days than the average school year of 180 instructional days.  And the bad news – that’s if you have a properly configured network that can help you identify threats, not a flat network that further hides attacks.

Close the Back Door

All cyberattacks require a round trip through the firewall, so think of it like this: when you have a flat network, it’s like you have a thousand security guards at the front door to make sure nobody can come in (keep in mind, though, that these are untrained security guards and half of them are asleep). What about the back door? Absolutely no one is paying attention to anyone coming and going. This is another critical piece of the security puzzle. Administrators must remember that your ingress is just as important as your egress. In other words, it’s just as crucial that you know what’s leaving your firewall as it is to stop things from coming into it.

Reevaluating Your Third-Party Relationships

Working with an external security advisor is a smart and responsible measure for districts and schools to take. But not all of these relationships are created equally. For example, some districts rely on a third-party but have zero internal knowledge themselves. This might be all fine and well when things are going smoothly, but what if disaster strikes and you can’t reach your partner? In such a case, seconds matter. You don’t have time to waste.

So, whether you’re responsible for managing the network or you do it in partnership with a third party, it’s critical that there are at least two people within your organization who have an appropriate level of knowledge of the network and are readily available should they be called upon. This is important because the vast majority of cyberattacks happen during off hours when fewer people are watching for them. For schools, this could be in the evenings, weekends, or over extended holiday breaks. Because of this, you need to have two plans – one for a middle of the night attack and one for securing help over a holiday weekend.

Be Sure About What You’re Getting

Many school networks were built on grant money, or through donations, with no support budget built in. So, a school might receive an equipment donation, which they’re more than eager to snap up. But, if it doesn’t come with ample budget for support, it could end up doing more harm than good from a security perspective. If you’re being offered something for free (or without ongoing budget for support and maintenance), take the time to gain appropriate knowledge about it and ensure you have enough resources to support it moving forward.

When it comes down to it, an attack like the one at LAUSD doesn’t need to be successful. Your school and entire district can gain a lot of ground on the preventive front by going back to basics. Forget flat networks, instead setting up your network to segment and protect your data. This doesn’t have to be super complex or expensive; it just needs to be done thoughtfully. Once you do, your security will be tightened up and you’ll be able to breathe more easily.

In this episode of Innovations in Education ^[22], hosted by Kevin Hogan:

• How edtech is embedded in Society 5.0
• How digital equity enhances cybersecurity in schools
• Blended and hybrid learning–the future of education ^[45]

Local leaders must play a critical role in closing the digital divide for 18 million American households that have access to the internet but can’t afford to connect, according to a new report.

The urgent prompt comes from EducationSuperHighway, a national nonprofit with a mission to close the broadband affordability gap. The organization released its second No Home Left Offline ^[46] report on the action needed to accelerate Affordable Connectivity Program (ACP) adoption.

The ACP is a $14.2 billion federal broadband benefit funded by the Infrastructure Investment and Jobs Act (IIJA) that provides eligible households with a monthly discount of up to $30 per month (up to $75 per month for households on qualifying Tribal lands) and a one-time $100 discount toward a laptop, desktop computer, or tablet. 51.6 million households, including 17.7 million unconnected households, are eligible for the ACP, yet only 13 million (25% of those eligible) have enrolled.

Over the past year, closing the broadband affordability gap has become a national priority. The report finds that our nation’s Internet Service Providers have stepped up, and 74% of ACP-eligible households are covered by an Internet Service Provider (ISP) offering a high-speed internet plan for $30 per month or less, making the plan free with the ACP benefit.

Despite 12.9 million ACP-eligible, unconnected households having the opportunity to take advantage of free internet, the report outlines the complex awareness, trust, and enrollment barriers that prevent households in the nation’s most under-resourced communities from enrolling. It also announces new data, tools, and best practices to help states and cities overcome them. Key report highlights include:

• 51.6 million U.S. households are eligible for the ACP, yet only 13 million households (25% of those eligible) have enrolled.
• The ACP has the potential to connect 17.7 million households that are ACP-eligible and unconnected.
• The ACP enrollment process is a significant challenge for eligible households using the National Verifier. 45% of applications are rejected, and many more fail to complete the 30-45 minute enrollment process.
• Cities in every state are proving that we can do dramatically better. The national best practice for ACP adoption is 61%, and large cities, such as Buffalo, Cincinnati, Cleveland, Milwaukee, Detroit, and Tulsa, have already achieved adoption rates of over 45%.
• 74% of ACP-eligible households are covered by an ISP offering a “free with ACP” plan (i.e., high-speed internet plans for no more than $30 per month). That amounts to 37.9 million eligible households, including 12.9 million that are unconnected.
• Two-thirds of eligible households are already beneficiaries of one or more government benefit programs that automatically qualify them for the ACP, giving states a targeted channel to raise ACP awareness and help participants enroll. 

Related:
5 ways the homework gap is worse for students of color
^[47]The U.S. needs billions to close the digital divide ^[48]

State and City Leaders Play A Critical Role

Highlighting commitments from a bipartisan group of 25 ^[49] governors ^[49] who are making ACP adoption a priority in their states, EducationSuperHighway points to the critical role state and local leaders can play given their deep understanding of their communities, strong connection to residents, and ability to effectively engage trusted messengers and community influencers. They recommend state and local leaders take immediate action to launch ACP awareness campaigns and develop ACP enrollment support strategies that leverage Digital Equity Act funds to enable outreach to and support for unconnected households by community-based organizations and trusted institutions.

“No Home Left Offline starts with ensuring every eligible American household knows about the Affordable Connectivity Program, can easily enroll, and then sign up for high-speed internet service,” said Evan Marwell, CEO of EducationSuperHighway. “We applaud the bold leadership of those governors who are making ACP adoption a priority for their states and are ready to support local leaders in removing the barriers that keep millions unconnected.”

To support local leaders in this work, EducationSuperHighway has released an ACP Enrollment Dashboard ^[46], providing states and cities with the most up-to-date data on their number of ACP-eligible households, the number that have enrolled, and the number that still lack a high-speed home connection. The dashboard equips state and city planners to effectively target new federal broadband funding to support ACP awareness and adoption efforts. It also shows the progress needed to bring every state to the national best practice adoption rate of 61% of eligible households.

New Tools to Accelerate Affordable Connectivity Program Adoption

Alongside the report, EducationSuperHighway has also announced best practices to help cities launch awareness campaigns to ensure their residents know about the ACP and enrollment support tools that help households get through a challenging sign-up process that rejects 45% of applicants.Their Affordable Connectivity Program Adoption Toolkit for Local Leaders ^[50] is a step-by-step guide that contains outreach templates, training materials, and best practices to help leaders get the word out to eligible households.

They have also launched GetACP.org ^[51], a virtual mobile assistant that simplifies the ACP enrollment process by providing real-time support to help eligible households determine the easiest way to qualify. The mobile website is available in four languages and helps applicants overcome critical barriers in the enrollment process by helping them identify the documents needed when applying and find “free with ACP” broadband plans available at their address.

Without high-speed Internet access at home, Americans can’t send their children to school, work remotely, or access healthcare, job training, the social safety net, or critical government services. Achieving national best practice ACP adoption rates can significantly accelerate closing the broadband affordability gap, connecting two-thirds of the 18 million households that have access to the internet but can’t afford to connect. 

This press release originally appeared online.

Cybersecurity is a priority concern for most people accessing the internet. Unfortunately, students aren’t thinking about cyberattacks when they access sites for curriculum, research, and entertainment from their 1:1 devices–devices that are now so prevalent since the pandemic.

Schools’ exposure to cyberattacks has also greatly increased due to expanded remote and hyperflex learning.

Join eSchool News and a panel of experts ^[52] to learn the latest strategies and tools schools are using to help keep student data safe and ensure students’ digital access is secure.

Key takeaways:

• Learn the latest techniques to secure district systems
• Discover best practices for educating students and families on proper digital etiquette
• Ask cybersecurity experts about your data protection concerns

The new school year is upon us, and IT teams are ramping up strategic tech investments and systems to help ensure a smooth year ahead. For many of these IT teams, challenges around cybersecurity are top of mind, with recent research ^[53] revealing over half of lower education organizations were hit by ransomware in the past year. On top of this, concerns remain ^[54] around cloud costs, including new limits on free ^[55] cloud storage, leaving some wondering what they’re supposed to do and having to pay up.

In light of these shifts and growing risks, K-12 IT teams need to rethink their approach to cloud storage costs and security. We recently experienced challenges at Hotchkiss School with our past cloud providers in this regard. We could not obtain the amount of secure storage we needed due to not only data consumption and performance challenges, but also because of their egress fees. In order to modernize and innovate, education decision-makers will need to embrace hybrid or multi-cloud storage options that keep their data secure by moving away from mainstream, high-cost cloud providers.

Further, to meet growing demands on schools’ IT departments, IT leaders will need to adopt a flexible cloud mindset that enables them to effectively and securely store and leverage the growing deluge of data they are inundated with – everything from student health care data to device and research data. Let’s dive into how a high performance, multi-cloud approach can help K-12 schools check the following major pain points off their list.

Data loss from ransomware attacks & other cyber risks  

Security is top of mind in every industry, especially in education where it’s important to keep our students’ and faculty information safe. In the face of growing security threats, protecting sensitive information by effectively backing up data to the cloud has never been more critical, and IT teams must operate not under the assumption of “if” an attack will occur, but rather “when.” This is especially important for schools that also rely on Microsoft Office 365 or other cloud-based SaaS applications for data storage. They must take additional backup measures as Microsoft does not guarantee that they will restore data if it is lost. In fact, Office 365 has remained the top target ^[56] for SaaS attacks this past year.

While many IT teams may initially want to resort to the more traditional legacy approach of backing up their data on-premises, this strategy is less secure as it essentially acts as just one copy of data that can be easily targeted and destroyed. It also has limits as to how much information can be stored, which schools can quickly outgrow and need to pay in time and resources to maintain and scale. Cloud storage provides a more secure, easier-to-use, and cost-effective backup option.

Related:
Building community-wide support for IT transformation
^[57]5 tools every school tech director should use ^[58]

Many cloud storage providers offer some key backup features that can help better mitigate the effects of data leaks and ransomware attacks including object-level immutability that prevents anyone from tampering with, modifying or deleting data for a set period of time, keeping files safe against disruption. The cloud also allows for backup diversification to help prevent schools from storing all of their data in one place to be targeted. A multi-cloud approach enables educational institutions to follow a ‘3-2-1’ backup strategy, otherwise known as keeping three copies of data, with two on different media formats and one off-site, that helps prevent hackers from accessing all storage locations and enables companies to continue functioning during an attack and restore operations quickly. At Hotchkiss, we’ve found these backup strategies to be vital to ensuring our data security, and leveraging these kinds of additional safety features will become even more critical for educational institutions as security threats grow.

Digital transformation

Schools around the world were forced to quickly digitally transform to support both remote and hybrid learning due to COVID-19, but with limited resources and IT budgets. While many have returned to in-person learning, budget and resource challenges persist while school districts attempt to get local municipalities to approve budget increases to cover increased costs for technologies.

It’s never been more critical for IT teams to move away from relying on costly on-premises options, or those that carry expensive tiers and additional charges for egress and API requests to support their technologies. In order for schools to successfully continue their digital transformation initiatives and innovate on a budget, they must adopt a more simple, cost-effective and high-performing storage solution that can better support their growing reliance on technology at a lesser cost.

Surveillance storage challenges

Earlier this year, West Virginia legislature passed ^[59] a bill to increase video surveillance requirements for special education classrooms. This is one of the latest incidents of heightened surveillance demands for schools around the country, requiring them to store and produce surveillance footage for certain set time periods at a moment’s notice.   

This poses an issue for the education industry. The vast amounts of data being generated through these surveillance systems promise to completely overwhelm many schools’ existing on-premise storage systems, creating storage bottlenecks and preventing administrators from being able to quickly access the data when needed. By moving to a flexible, hybrid cloud approach that can scale with their growing surveillance data volumes, Hotchkiss and other schools can cost-effectively extend the value from any of their existing storage solutions while keeping this critical surveillance data securely at the edge for easy storage and access.

K-12 schools have undergone an especially complicated transition over the past three years. This period exposed the need for more technological innovation and IT infrastructure changes in school systems, starting with the cloud, to help address data security and storage challenges. At the Hotchkiss school, it was no different. Overwhelmed by the amount of data created on our busy campus, we recently turned to Wasabi to build a low-cost, high-performance and secure storage solution that fully protects our environment. For an industry seeing exploding data volumes and security threats while faced with limited resources, the time is now for IT teams to find a reliable and secure cloud solution that will protect their school’s most valuable asset – data. 

Digital equity in the classroom goes far beyond the need to deliver internet connectivity and devices. All students need and deserve a safe, reliable, and adaptable edtech ecosystem to support and nurture their learning experience.  

Behind the obvious laptops and countless other tech tools used by everyone in today’s schools sits what could arguably be labeled the least discussed aspect of K-12 technology: the vast software systems that nearly all schools use to store and update student data – including their identifying information. Everyone using these systems is impacted by the way in which users are required to log in, as well as interact with, cybersecurity precautions. It’s not energizing to discuss or even manage – but deploying it correctly can make all the difference for countless students. 

Just as all students aren’t the same, their needs for entering and using these systems may vary greatly. Thus, if a district uses the same access process for all, the chance that gaps in digital equity exist is nearly certain. A fifth grader with special needs may face access and access confirmation processes that take away from instruction time in each class throughout the day. Furthermore, imagine facing those same hurdles every day and every year throughout a K-12 education.  

Keeping in mind the sheer vulnerability of today’s internet connected devices and cloud-based apps, there’s a clear need for a resilient mixture of flexibility and protection that can prevent gaps in digital equity that have nothing to do with internet access, but rather, its actual use. 

A Learning Environment that Safeguards and Adapts to the Individual 

Establishing digital identities and then managing access in a secure, yet scalable and flexible way enables schools to safely and more easily cater to most unique needs. Unfortunately, many of the older legacy identity and access management systems (IAMs) were not designed to help combat the complex cyberthreats districts face today. That inevitably eats into instruction time and causes delays and inefficiencies impacting millions of students across the country.

Related:
3 ways the E-rate program helps level up learning
^[60]Growing ransomware threats require maximum data protection ^[30]

Today’s more advanced IAM platforms can significantly reduce delays and help prevent data theft at the same time. Some of the most powerful and efficient benefits of a properly deployed IAM include: 

• Multi-Factor Authentication – Approves or denies access rights and tailors authentication methods used based on risk level.  
• Privileged Access Management – Reduces the risk of a security breach with comprehensive privileged access controls that decreases the number of users with multiple accounts. 
• Automated Deprovisioning – Eliminates the risk of human error by automating user accounts and lifecycle management of all users including students, staff, and vendors. 

By creating a digital identity for each person within the organization, it’s possible to consistently put students at the center of a school’s technology strategy. These digital identities help patterns to be noticed, including when changes should be made based on behavioral, demographic, academic and lifestyle information that’s stored. With direct access to this data, educators can create personalized learning environments that are tailored to the needs of each individual student 

Minimizing the Load on Edtech and IT Teams 

Achieving comprehensive IAM success definitely isn’t easy, as it may simply be a new concept for IT administrators who have worked with legacy systems for years. However, the beauty of digital identities is that it not only helps ensure digital equity, but it also helps those same IT administrators to more easily scale and better serve both educators and students.  

Classroom digital resources can also connect to a single portal that IT controls, with users accessing everything they need through, for example, one username and password. Furthermore, IT teams can benefit from promoting security risk management as everyone’s responsibility. By being actively trained regarding possible vulnerabilities, students can become more “security aware” in their password strength and how to safeguard their unique digital footprints.     

In the end, these foundational IAM “gateways” to a school’s systems are much more than a checkbox on an IT checklist–they serve as a notable enabler for so much in the education ecosystem. Indeed, digital equity can be better achieved by marrying flexibility with cybersecurity. After all, IAMs are the sentinel that enables access in the first place – and it’s easy to overlook the impact (both positive and negative) that they can have on millions of students, teachers, and administrators. 

 

In this episode of Innovations in Education ^[22], hosted by Kevin Hogan:

• 3 reasons instructional audio is a must-have in classrooms
• 4 tips for using data to differentiate instruction
• Modernization of K-12 Financial Operations: Increase Transparency, Improve Control and Compliance, Mitigate Fraud ^[61]

When I conduct training for school employees, I like to start my presentations speaking in a “normal” voice. About halfway in, I turn on the instructional audio solution that is set up in the room.

I love the “wow factor” as teachers hear firsthand what a difference instructional audio makes. This reveal proves the technology’s effectiveness as they all understand how a similar setup could help in their classrooms.

Most teachers, principals, and paraprofessionals instinctively know that instructional audio helps amplify their voices, allowing their instruction and directions to reach every student, but instructional audio offers much more than that.

Here are three key reasons why instructional audio is crucial for today’s classroom.

1. It’s Not Just Amplification

Instructional audio provides even distribution of sound, not just amplification. This means that no matter where students are in the room, they can hear their teacher clearly. Often, teachers boast of their “teacher voice,” but speaking louder doesn’t always mean clearer. For certain words, such as ones that include an F or TH sound, speaking louder can have the opposite effect, making these words harder for students to understand.

There is a benefit for teachers, too. Teachers who speak loudly to be heard report being more tired and that can lead to more teacher absenteeism, according to one study ^[62]. Teacher absences are not only costly for schools, but also disrupt students’ learning.

2. All Students Benefit

Instructional audio is proven to offer benefits not only to students who are hard of hearing. Decades of research, including the federal Mainstream Amplification Resource Room Study ^[63], known as the MARRS Project, prove that instructional audio helps those with learning differences, those in the back of the classroom and non-native English speakers.

Related:
How I build relationships with students using instructional audio
^[64]Can audiobooks be the great equalizer for students with learning differences? ^[65]

For example, for younger students learning to read, hearing specific sounds and words is vital. While learning to read, students are hearing and learning definitions, pronunciations and more, often for the first time. Instructional audio ensures clear communication between those younger students and their teachers.

Instructional audio also increases collaboration and communication between older students and teachers.  Whether students are in the back of the classroom or have a naturally quiet voice, instructional audio makes sure students are heard, encouraging authentic discussion and conversation in the classroom.

3. The Classroom Structure has Changed

Think about the changes that occurred within your classroom in the last five years. As an experienced audiologist who has worked with several schools, I have noticed that today’s classroom has shifted with less of a teacher standing at the front of a room lecturing to more collaborative, small-group instruction. While I believe this change benefits students, it also raises the needs for instructional audio solutions, as groups often work in different parts of a classroom or even in hallways. With instructional audio, a teacher can be working with one group of students, while listening to other groups around the room. Using instructional audio, the teacher not only can guide and reinforce and redirect when needed, they gain real-time insights into how students are learning.

Learning spaces without instructional audio rarely provide the adequate environment for intelligibility despite students spending an average of three-quarters of class time listening. Often, when groups of students are working in different corners of a room, it can be as hard for students to hear as it is for you in a crowded restaurant. There is too much ambient noise present for any student, even those with no hearing challenges, to not strain to clearly understand their teacher or each other. Inevitably, this leads to a loss in concentration, less effective instruction and can even ignite behavior problems.

After a long stint in Albuquerque Public Schools ^[66], I moved to the smaller Rio Rancho Public Schools ^[67] in New Mexico. At Rio Rancho, we recognize the link between our use of Lightspeed’s instructional audio solutions ^[68] and students’ academic gains. In fact, the MARRS Project showed that for K–6 students, there was a 43 percent reduction in special education referrals for students learning in amplified classrooms.

As an audiologist who has a passion for making education more accessible, I hope that not only more schools and districts see the benefit of instructional audio, but that more teachers use instructional audio to their advantage. I think by recognizing instructional audio’s evolving role and uses in the classroom, teachers will find more engaged students, less disruptive behavior and more energy for themselves at the end of each school day.

In this episode of Innovations in Education ^[22], hosted by Kevin Hogan:

• Teachers using technology report stronger connections, community with students
• 5 tips to build community-wide support for IT transformation
• Digital Safety for Students: Keeping Student Data Private and Access Secure ^[52]

Technology’s role has been elevated to an integral strategic function in today’s school districts. But getting everyone to understand the value of digital transformation can be challenging and test the persuasion and people skills of even the most seasoned IT leaders.

Here are some strategies IT teams can use to help build a supportive culture for ongoing technology investments.

Set Up Direct Lines of Communication

Less than 30 days into my role at Judson ISD, our district was hit with a devastating ransomware attack that led to a total network takedown. While there were many lessons learned from that experience, one of the silver linings was how it brought to light across the district how critical our technology systems are.

This realization served as a catalyst for our IT team to develop direct lines of communication with every department.

Now, each department in the district has a dedicated IT staff member who manages their technology, system, and platform needs. This structure helps bridge any communication gaps between teams and creates trust that IT is there to support each department and their goals.

Develop Your Business Case

It’s not a question of “if” but “when” – cyberattacks or some other event will impact your district sooner or later. And the older your equipment, the more vulnerable it is to negative events that will impact student learning and staff productivity.

The key is to be as proactive as you can in shoring up critical infrastructure. But many IT leaders struggle when faced with pushback about the need for technology investments or requests for increased funds. In these instances, leaders need to present a solid business case factoring in the total costs and impact to the district should the system or network fail.

Related:
5 safeguarding tips for schools this year
^[69]5 ways to make your IT department more efficient ^[70]

In addition to hardware and equipment costs, be sure to include direct and indirect costs such as loss in staff time and productivity, any disruptions to student learning, critical data or system loss, reputational damage to the district, etc. All these financial implications help build a compelling case about how failing to update systems is incredibly risky and costly in the long run.

Paint a Picture in Real Terms

It’s easy to get caught up in technical nuances when discussing district needs, but many community members don’t understand the depths of technology infrastructure. This requires us to step out of our tech bubbles and change the way we communicate. Tailor conversations to non-technical audiences by painting a picture of how technology investments – and lack thereof – can and will affect staff, students, parents, and the community at large. Ask yourself, “How can I relate this to an everyday person? If I was a teacher or parent, how would this impact me?”

For example, Judson ISD is in the middle of upgrading our camera systems to increase campus security; however, many of our older schools have switches – that power our cameras – installed in classroom cabinets that are simply plugged into the wall and easily accessible. Some individuals may not view that as a problem or liability, so I have to outline the ramifications of one individual unplugging a cabinet in order to demonstrate the need. Additionally, upgrading cameras requires more switches to handle the increased power supply and more cloud storage to store each camera’s data for 6 months. Citing real-world examples of how vulnerabilities can be easily exploited helps stakeholders understand the project’s full scope and foster buy-in.

Plan for Future Growth Sustainably

Like many school districts across the country, Judson ISD is growing rapidly. Over the past two years, we’ve gained almost 3,000 new students. With that kind of growth, planning for the future is paramount. If you don’t develop a plan for what growth looks like at your district, then your systems simply won’t be able to keep up and will become quickly outdated.

On top of this, funding sustainability is critical and can’t be overlooked. Many districts use bond funds to replace systems, which can be very effective, but they need to have a plan to sustain and maintain those systems long-term. Every system comes with a cost, so developing a plan to spread those management, maintenance, and optimization costs out over time is very important. If we’re going to ask for taxpayer dollars for IT investments, it’s our duty to be responsible and spend wisely.

One way we’ve been able to cost-effectively optimize and scale our services is through key partnerships with providers like ENA. Our hosted voice platform has enabled us to provide more advanced phone features to staff, increase system flexibility and expandability across campuses, and reduce maintenance costs for the district. 

Reduce Technology Footprint in the Classroom

One misconception about IT is that we believe more technology is always the answer. I often find more technology can mean more problems. Instead of tackling every issue with a new device or app, look for ways to strategically reduce the technology footprint on campuses and in classrooms while delivering the same or better results. As an IT team, we are constantly asking ourselves, how can we empower teachers and students with the best learning environments possible using fewer devices?

For example, outfitting every teacher with an overhead projector, smartboard, desktop computer, laptop, iPad, and more, can run you $10k-$15k per classroom. But with one interactive panel, a teacher is fully equipped to deliver high-quality classroom instruction and many of those previous devices become redundant. This philosophy not only leads to better allocation of funding, but it also reduces IT workload and the number of devices staff need to learn to operate – making everyone’s jobs and lives easier.

Teaching methods have changed dramatically over the last few years, leading to numerous electronic resources entering the classroom. This makes school IT a formidable challenge—security experts have to juggle budget constraints with heavy traffic on the network due to a huge number of connected devices.

There is no stopping the use of technology to enhance student engagement and learning. Therefore, cybersecurity concerns are increasing along with K–12 schools’ dependence on technology.

While no network is impervious to assaults, a reliable and effective network security solution is crucial for safeguarding student data and decreasing districts’ vulnerability to data theft and sabotage.

The tools you select, and their respective performance levels, should be determined by your tech team’s budget and capabilities. Let’s outline the five tools that school tech departments need to be using.

Infrastructure and Configuration

Staying on top of network controls, flow, and operations is essential because unpatched network firmware is a common source of attacks. Network configuration helps set up and maintain networking devices, firmware, and software to block new exploits and fix bugs.

According to a recent Microsoft analysis, over the past two years, at least one attempted firmware assault ^[71] has been made against 80 percent of organizations in the UK, US, Germany, Japan, and China.

Network Configuration Management (NCM) tools can help keep track of network devices by monitoring for unauthorized configuration changes and distributing firmware updates. Additionally, network administrators with better network visibility and control over the change workflow through NCM tools can both undo mistakes and prevent them.

Network Monitoring

Network monitoring tools analyze performance metrics and alert admins to anomalies. There are various brands that offer an overview of performance metrics such as latency, bandwidth usage, responsiveness, and network-based applications and devices.

You can enforce an acceptable use policy for all devices on your network and create automatic security by installing monitoring tools, such as firewalls and content filters.

Related:
3 tips to balance the back-to-analog edtech transition
^[72]5 safeguarding tips for schools this year ^[69]

Network monitoring tools track network device availability and bandwidth use to detect bottlenecks and anomalous activity. Network monitoring tools also monitor DNS, SQL, mail, FTP, and virtual server uptime, identifying the cause of any downtime or other network performance issues. Lastly, they can be used to filter web content, monitor internet surfing activities, and view your website’s availability.

Endpoint Management

Endpoint management tools provide real-time visibility into the various devices that have access to your network, allowing you to deploy patches, perform maintenance, and run virus scans.

There are two main types of endpoint management tools: United Endpoint Management (UEM) and Remote Monitoring and Management (RMM). The former centralizes security, patching, and performance monitoring for all mobile and desktop devices. The latter remotely gathers data on endpoints and allows admins to carry out tasks, scripts, and patching remotely.

IT workers can use a multi-platform endpoint management system to manage all devices from a single programmable panel, providing essential features such as patch management and threat detection.

Endpoint management has become crucial for school districts in recent years. Just like their business counterparts, most districts provide devices to their staff and faculty. Further, district and school tech teams that have rolled out 1:1 programs for students are managing exponentially more devices (or, in this context, endpoints) than they ever have in the past.

Identity and Access Authentication

Identity and access authentication tools help streamline the management of user accounts, including access privileges or permissions. These determine which resources individual accounts, groups, and organizational units can access in your information infrastructure.

Key features of this authentication include a database of user identities and their access privileges, tools for granting, monitoring, editing, and revoking privileges, as well as audit logging of access history.

Commonly-used identity and access authentication methods in education include multi-factor authentication (MFA) and single sign-on (SSO).

For a long time, education leaders were resistant to MFA controls. However, it is considered to be among the most simple and effective control against cybercriminal attacks, including ransomware. In fact, beginning in 2021, most cyber insurance providers serving education now require MFA controls for coverage. Without it, premiums increase significantly. That change alone has had the most influence on ending the MFA debate in education.

Cloud Security

Technically, your cloud domain is outside of your network perimeter. However, cloud security is critical to include on this list because a common misconception is that network management and security tools are sufficient to protect data and user accounts in the cloud.

Most K-12 school districts use at least one of the big cloud tech companies such as Google Workspace, Microsoft 365, Zoom, or AWS. Further, 90 percent of school districts ^[73] are using cloud applications for various purposes beyond classroom learning, such as human resources and financial information.

Cloud security protects a district’s data stored in the cloud by preventing unauthorized access,

quarantining malware and phishing, and automating data loss prevention from malicious and accidental exposure. When selecting the right cloud security tool, IT professionals should look for centralized visibility, control of cloud domains, and data loss prevention automation. You should also look for a tool that provides the ability to customize configuration because no two districts are identical.

“Defense-in-depth” is an important concept in cybersecurity that advocates for a multi-layered approach to protect, detect, and respond to risks. This combination of tools should provide the framework for an IT director at a school to protect all relevant stakeholders. But having a strategy about how to use them is also vital. Schools must have replacement cycles so, when security technology and network equipment expires, the updates are planned for in advance and have funding allocated. Lastly, benchmarks and goals for these systems give staff a great overview. For example, built-in dashboards can provide metrics that inform tech admins as to whether incidents are spiking, the types of incidents that are occurring, or whether they need to try a different set of tools.