That’s partly what happened with Zoom earlier this spring. “We have a new word in our vocabulary, Zoom-bombing, that didn’t exist before COVID,” Levin says. “The challenge there was that the user authentication that allowed the meeting host to control who could get in and share information was not designed with the needs of K-12 in mind. That created all sorts of problems,” until the programmers behind the application improved Zoom’s authentication protocols.
Three tips for success
As K-12 leaders prepare for a new school year, Levin offers the following cyber security advice:
Before reconnecting devices to your network, thoroughly scan them and remove any malware.
School IT personnel tend to trust the devices that are on their network, Levin says, noting: “Their security posture is more focused on preventing external hackers from trying to get in.” In this case, he says, “I think it would be very wise for school districts not to trust these devices that are coming back onto networks after many months. Make sure they’re clean before reconnecting them.”
Take a step back and carefully evaluate the applications you’re using.
If students and staff will be learning and working remotely again this year, make sure their devices are equipped with malware protection. Also, carefully evaluate the apps and services that teachers, staff, and students will be using to confirm they are secure, and provide a list of acceptable apps for stakeholders to use.
“There has been a lot of attention on student data privacy, but it’s important that people don’t conflate privacy and security,” Levin says. “The review process that schools use certainly has to focus on student data privacy, but schools should also be looking for evidence of good cyber security practices. If there’s a security breach, will the vendor tell the school? Have they undergone a security audit? Are they in compliance with industry-leading standards?”
Levin recommends that K-12 leaders use the Electronic Frontier Foundation’s list of questions to evaluate the security of application providers.
Teach students and staff how — and why — to use cyber security best practices.
“Provide advice on how remote learners and workers can practice good cyber hygiene, such as segregating personal work from schoolwork on their device and using unique passwords for each application,” Levin says. “Students and staff should also know how to recognize phishing scams and how to report them when they see them.”