District staff and IT leaders have been turning to videoconferencing and cloud collaboration platforms to keep learning streamlined remotely. Many ed-tech vendors are also offering their products and other resources for free to help support school districts.
But what this rapid transition to remote learning is showing is that the K-12 education industry was not ready—from a technology, cybersecurity and student privacy perspective.
With remote learning underway, now is the time for IT teams to shift their focus to the cybersecurity and data privacy needs that may have fallen through the cracks during the initial chaos. District IT staff is adjusting to this new “normal” and focusing more on the applications, and the data stored inside them, rather than solely on outdated network security and content filtering.
Students and staff are now accessing their Google and/or Microsoft education accounts from locations outside of school networks. They are also using new cloud-based ed-tech apps, enabled by OAuth, for a variety of learning and student management purposes.
As we have seen from previous cybersecurity and recent “Zoombombing” incidents, these new technologies are exposing district information systems to data security and privacy risks.
Student data privacy laws still apply when a district transitions to remote learning, and keeping track of data becomes more difficult when students and staff access everything remotely.
A lot of districts aren’t capable, for a variety of reasons, of going 1-to-1, and students may not have adequate internet access at home. For remote learning to happen for these districts, students and staff are using their own devices. The problem is that these personal devices don’t have the traditional cybersecurity safeguards—such as firewalls and content filters—and aren’t effective in keeping sensitive district data secure in a cloud-based, remote learning environment.
As a result, districts are rethinking their cybersecurity strategies to look at the applications and data themselves—regardless of device or location—for signs of potential cyber incidents, in addition to what has always been monitored.
Student privacy and safety
Student data privacy laws still apply when a district transitions to remote learning, and keeping track of data becomes more difficult when students and staff access everything remotely. Now, districts are focusing more on data-loss prevention, a strategy to ensure that the sensitive information of students and staff is protected and doesn’t inadvertently leave the network or get accessed by an unauthorized user.
Teachers are relying on Google Meet and Zoom, for instance, to conduct online classes. However, at the same time, students are using the chat features of Meet and Zoom, in addition to Google Docs. Districts are monitoring these platforms for risky behavior and student safety signals, including cyberbullying, threats of violence and even domestic abuse in both text and image content.
Under FERPA, online learning spaces must be secure and closed to unauthorized access—even from parents. The same goes for communicating with students about grades and other personal information. Right now, most districts aren’t able to monitor their Google and Microsoft school accounts to see who has access to what files or with whom students and staff have been sharing documents externally, and to cut off any external access that may have been granted to stay FERPA compliant.
Monitoring activity on school accounts during this remote learning experiment has been a challenge—including logins to Google or Microsoft education accounts for homework and logins to Zoom, Google Meet or Microsoft Teams for online classes. Districts are struggling to see who is logging in to these accounts and meetings, what they are uploading and sharing in meeting chats, and where they are logging in from to help prevent unauthorized access.
Remote classrooms and workforces mean districts are more prone to a cyberattack. It is difficult for IT teams to detect such an attack when everyone is accessing data remotely from different IP addresses. And it’s not only online classes that need to be monitored. IT teams are watching all district account logins for anomalous behavior that may indicate an account takeover attack. Such behavior can include multiple unsuccessful logins; failed multifactor authentication checks; or successful logins from an unapproved location, such as another country.
The K-12 landscape is rapidly changing, and districts are shifting their focus to securing the new remote learning environments being created. Traditional cybersecurity measures such as firewalls, content filters and endpoint security are still necessary. But because of recent events, K-12 education is more aware of the data being created and stored in Google and Microsoft—from anywhere, on any device—and taking measures to best protect students and staff in these apps as part of their new “normal” cybersecurity infrastructure.
Charlie Sander is CEO of ManagedMethods.
DA’s coronavirus page offers complete coverage of the impacts on K-12.