Historically, school districts have turned to content filtering to protect students from harmful and inappropriate content when using the internet. Unfortunately, content filtering is not enough to secure our nation’s schools from the sharp increase in cyberattacks today.
According to an October 2022 Government Accountability Office report, K-12 school districts in the U.S. are struggling with cybersecurity. The report found schools have reported significant educational impact due to ransomware attacks and other cybersecurity incidents. It also confirms that officials from state and local entities reported the loss of learning following a cyberattack ranged from three days to three weeks, and recovery time ranged from two to nine months.
A report from Comparitech aligns with those findings. Their study examined cyberattacks across U.S. educational institutions and discovered more than 1,300 breaches since 2005 accounting for more than 24 million records lost. At Miami-Dade County Public Schools, the fourth-largest district in the US, a denial-of-service attack could not be identified and mitigated using traditional content filtering methods, resulting in a district-wide network outage. Investigators, including the FBI, the US Secret Service, and the Florida Department of Law Enforcement concluded a teenager and several foreign actors had hacked the Miami-Dade system.
How to evaluate content filters
Cybersecurity experts agree that filtering online activity is only the beginning of the journey to protect students, teachers, and staff. Lenny Schad, former CIO of Houston ISD and now District Administration’s chief information and innovation officer, explains, “The alarming increase in cyberattacks affecting our nation’s schools should be enough to compel IT directors, chief information officers, and chief information security officers to rethink their current state.”
FETC 2023
The Future of Education Technology® Conference takes place live and in-person Jan. 23-26, 2023, in New Orleans. Register now!
Steps are being taken to address the growing trend of cyberattacks impacting K-12. For example, the Government Accountability Office’s report has urged the US secretary of education to develop metrics for obtaining feedback to measure the effectiveness of K-12 cybersecurity-related products and services, available to school districts.
“Districts can act now to ensure the focus moves beyond content filtering to include procuring enterprise solutions trusted to deliver cybersecurity across the most highly regulated sectors, including K-12,” explains Schad, who is also the principal education advisor at iboss cybersecurity. “Currently, most content filter vendors do not adhere to enterprise standards and regulations required by highly regulated sectors including banking, retail, healthcare, and federal. In fact, most K-12 content filter vendors rely on third-party cloud providers to deliver their service; they do not maintain their own cloud infrastructure.”
According to a report by K12 SIX, there were at least 166 reported cyber incidents in schools in 2021, with more than half of those attributed to vulnerabilities introduced by third-party contractors. Schad maintains, “There are fundamental criteria that districts should consider when purchasing any content filter product or service. Beyond filtering, the vendor must demonstrate an enterprise level of capability to protect students, district resources and staff.”
Schad offers the following key considerations when evaluating content filter vendors:
- The vendor should have a proven history of delivering cybersecurity services to highly regulated industries, including banking, healthcare, retail, and federal
- The vendor must maintain their own cloud (containerized) infrastructure versus purchasing cloud capacity through third-party providers like Google, Azure, or Amazon
- The vendor must offer advanced threat capabilities beyond content filtering and reporting, including:
- Ability to secure access to third-party cloud apps
- Malware prevention
- Ransomware detection and prevention
- Single-tenant data plane with dedicated static IpsPhishing Prevention
- Zero trust resource access policies
- Asset and device posture checks
- Browser isolation
- Global enterprise containerized cloud fabric
- Meet industry-standard compliance and certifications
- AICPA SOC-1
- AICPA SOC-2
- FedRAMP
- ISSO 9001
- ISSO 2701
“If vendors do not comply with these basic industry requirements, there is a particularly good chance the districts using the service are at elevated risk,” Schad explains.
Education is a rich target
More participation by school boards and leadership to help address cybersecurity risks is also needed. In a recent report by Project Tomorrow only 12% of school technology leaders said they believed their districts’ board members were fully aware of the digital threats their schools face. The same research reported that only 22% of those surveyed believe school administrators would rank cybersecurity as a “high concern.”
Microsoft Security Threat Intelligence data has confirmed that the education sector is a top target for cybercriminals.
Based on insights from various leading organizations and thought leaders, it’s clear that the education sector is a rich target for cybercriminals. These experts also agree that school district IT leaders should re-evaluate their content filter vendors to ensure they measure up to enterprise standards and the growing cyber-attacks targeting the U.S. K-12 sector.
Richard Quinones is the senior vice president of state, local government and education at iboss and a former K-12 CTO and CIO. Lenny Schad is District Administration’s chief information and innovation officer.
More from DA: Here is where you can discover hundreds of edtech innovations in one place
