While K-12 leaders grappled with immediate priorities such as how to deliver high-quality instruction remotely, how to reach and engage every student online, and how to answer stakeholders’ technical questions, it would have been easy for leaders to overlook cyber security — or at least not give this issue the full attention it deserved.
Learning and working remotely raises a few different cyber security challenges, Levin says, depending on how a school system has set up its IT infrastructure. “A lot of this depends on what tools schools were using and how prepared they were to go fully virtual,” he explains.
If school and district personnel have been logging in from home to applications hosted locally on school district servers, those connections need to be secure so that hackers can’t gain entry into district networks. “In the best of circumstances, schools have deployed virtual private networks [VPNs] to protect these connections and ensure that only authorized users could access local servers,” Levin says.
School employees using Remote Desktop Protocol (RDP) connections to log in to local district servers from home is the scenario the FBI warned about in June. The agency observed that “cyber actors are likely to increase targeting of K-12 schools during the COVID-19 pandemic, because they represent an opportunistic target as more of these institutions transition to distance learning,” ZDNet reports.
A growing number of school systems are using cloud-based applications instead of hosting software on local servers. In these cases, students and employees have been accessing software directly from the cloud instead of logging in to district servers. “In general, their security posture remains largely unchanged,” Levin says.
However, in the rush to pivot to remote learning nearly overnight, many schools and individual teachers “have chosen to use new apps and services they have not fully tested or vetted,” he says. These cloud-based apps and services might not be very secure and may be susceptible to breaches.
That’s partly what happened with Zoom earlier this spring. “We have a new word in our vocabulary, Zoom-bombing, that didn’t exist before COVID,” Levin says. “The challenge there was that the user authentication that allowed the meeting host to control who could get in and share information was not designed with the needs of K-12 in mind. That created all sorts of problems,” until the programmers behind the application improved Zoom’s authentication protocols.
Three tips for success
As K-12 leaders prepare for a new school year, Levin offers the following cyber security advice:
Before reconnecting devices to your network, thoroughly scan them and remove any malware.
School IT personnel tend to trust the devices that are on their network, Levin says, noting: “Their security posture is more focused on preventing external hackers from trying to get in.” In this case, he says, “I think it would be very wise for school districts not to trust these devices that are coming back onto networks after many months. Make sure they’re clean before reconnecting them.”
Take a step back and carefully evaluate the applications you’re using.
If students and staff will be learning and working remotely again this year, make sure their devices are equipped with malware protection. Also, carefully evaluate the apps and services that teachers, staff, and students will be using to make sure they are secure, and provide a list of acceptable apps that stakeholders should use.
“There has been a lot of attention on student data privacy, but it’s important that people don’t conflate privacy and security,” Levin says. “The review process that schools use certainly has to focus on student data privacy, but schools should also be looking for evidence of good cyber security practices. If there’s a security breach, will the vendor tell the school? Have they undergone a security audit? Are they in compliance with industry-leading standards?”
Levin recommends that K-12 leaders use a list of questions from the Electronic Frontier Foundation to evaluate the security of application providers.
Teach students and staff how — and why — to use cyber security best practices.
“Provide advice on how remote learners and workers can practice good cyber hygiene, such as segregating personal work from schoolwork on their device and using unique passwords for each application,” Levin says. “Students and staff should also know how to recognize phishing scams and how to report them when they see them.”