Featured

The cybersecurity risks to the education sector in the U.S. was made evident by 2019 cybersecurity incidents in Alabama, Arizona, New York and others. This is capture in a report issued by the company ManagedMethods (a 365 cybersecurity provider for K-12 districts).

The report contains information, such as the regions of the U.S. that experienced the most cybersecurity incidents, the frequency of attacks made against districts of all sizes, what size and locale of school district is most likely to experience a cyber incident and more other cybersecurity issues.

To gain an insight into the findings, Digital Journal spoke with Charlie Sander, ManagedMethods CEO.

Digital Journal: How important is technology for education?

Charlie Sander: Technology is very important for education, especially with today’s student demographic. Both K-12 and college students grew up with the Internet and cell phones in the house — it’s critical that schools and universities have technology incorporated into their curriculum in order to give students the resources needed for the best education possible.

For K-12 school districts in particular, we’re now beginning to see districts transition to what you would call a 1:1 program. Meaning that every student is given a school device to do all coursework digitally, typically with a Google for Education or Microsoft 365 Education account provided by the district. This allows schools to use cloud computing to boost productivity, collaboration and classroom benefits, for both students and staff. It’s evident that technology has made it much more efficient for teachers to teach, and students to learn, which is what is most important.

DJ: How does technology specifically aid the student experience?

Sander: With technology, students have access to hundreds – if not thousands – of education tools in the palms of their hand. Laptop computers, or tablets, have all but replaced pen and paper in schools. Technology allows schools to use virtual classrooms, online courses, interactive learning and other types of media that make learning for students an engaging experience. And it can be done from anywhere, any time, if and when needed.

Due to unfortunate circumstances at the moment, we’re seeing technology’s importance in real-time due to COVID-19. Schools and universities are now moving to distance learning, and technology will help keep students and teachers on track with their curriculum as much as possible to ensure necessary coursework is completed. While it’s more preferable to be learning and teaching in the same room, technology allows education institutions the ability to do so from afar.

DJ: Which types of technology do students most like to engage with?

Sander:There are a lot of technologies students like to engage with, having grown up with technology readily available in their homes from a young age. Besides the Internet as a whole, social media platforms and messaging apps are what students most like to engage with. In the classroom, we typically see students engaging with learning management systems (LMS), collaboration technologies such as Google Docs, and email to communicate with teachers and classmates, and submit assignments. The education industry and K-12 schools are increasingly adopting new technology such as virtual reality and programs like eSports to further enhance learning, and make technology more engaging in the classroom.

DJ: Do teaching staff have the right skills to use and promote technology?

Sander:I think there is an interesting dynamic going on in schools in terms of technology today. Technological advances have sped up so much, that we’re seeing a mixture of digital “migrants” and digital “natives” in schools. Many teachers now didn’t grow up with technology—or some were in school in the very beginning of the digital revolution. But students in K-12 have, for the most part, grown up immersed in technology. Their digital and physical worlds are really converged. There’s no separation.

Teachers are a dedicated folk who, by their very nature, are life-long learners. They’ve done so much to catch up with students’ technological abilities, and they do have the skills needed to use and promote the technology used by students. I think one of the exciting things about this dynamic is that it helps encourage a “flipped classroom”, where students are empowered to teach as well as learn. This helps students build a variety of critical life skills.

Further, more schools today are teaching students digital citizenship, which is the responsible use of technology by anyone who uses computers, the Internet, and digital devices to engage with society on any level. Teachers—along with parents, of course—are the ones who are best-equipped with the skills needed to show young students how to use technology in society correctly, as well as what not to do.

When talking about technology in a cybersecurity sense, that’s where it takes the entire school district — teachers, administrators, IT staff, and parents — to promote best practices so that districts don’t fall victim to a cyber incident. A majority of the K-12 cybersecurity incidents in the news are due to a data breach or unauthorized disclosure, which most of the time is accidentally caused by a student or staff member who hasn’t had the appropriate cybersecurity awareness training.

DJ: What cybersecurity risks are there in relation to school-based technology?

Sander:Perhaps the biggest cybersecurity risk for schools today is the simple fact that most district IT teams are underdeveloped, underfunded, under staffed, and simply don’t have the means to keep up with cyber criminals. Not to mention manage hundreds or thousands of endpoints, software, appliances, and compliance regulations.

The EdTech industry has exploded in just a few years, and it is projected to grow to $341 billion by 2025. This means that schools are rapidly adopting technology and more educational data is being created and stored in the cloud than ever before. While this is great for productivity and collaboration purposes, the massive amounts of sensitive data schools—and EdTech vendors—are storing makes them attractive targets for a cyberattack.

There are a lot of concerns about the infrastructure security of many of these apps. Some EdTech companies are well-respected veterans of the K-12 market and take infrastructure and data security seriously. Many others, unfortunately, do not. It’s not that they’re malicious actors. Many simply aren’t as aware of the risks of not properly engineering a secure product. OAuth tokens, for example, can be big problems for EdTech vendors and the schools using their products if the platform isn’t properly secured and regularly updated. This is a cybersecurity risk that many K-12 IT teams aren’t even fully aware of.

Furthermore, there are many more vectors a cyber criminal can use to breach a school’s security perimeter than even just a few years ago. Students are constantly being introduced to technologies—email, cloud collaboration, SaaS applications, browser extensions, etc.—that they are using for both educational and personal reasons. What students and staff may not be aware of is that these same technologies are being exploited by cybercriminals to hack into a district and cause serious damage.

Additionally, districts have to follow strict student data privacy laws, including CIPA, COPPA, FERPA, and may face large fines if they aren’t compliant. In 2019, 348 cyber incidents were publicly disclosed in the K-12 education industry alone that has made student and staff data readily available. This data can then be sold and reused by cyber criminals, or encrypted and inaccessible until a ransom is paid.

DJ: What can schools do to strengthen cybersecurity?

Sander:The first thing schools can do to strengthen cybersecurity is to take a step back and try to find where any gaps in their cybersecurity infrastructure may exist. Schools need traditional cybersecurity tools such as firewalls, anti-virus, endpoint security, spam filtering, etc.

However, there are emerging threats – such as spear-phishing, social engineering, malicious third-party apps, account takeovers and more – that IT teams need to be protecting against as well with cloud application and data security tools. School districts are becoming more aware of the threats that are present in cloud computing, but we’re still only seeing about 3% of the K-12 industry making the investment to secure their cloud apps.

Once a cybersecurity audit has been completed, the next step would be for IT teams to educate, train, and test staff and students on cybersecurity awareness. This can be done using a tool that allows IT teams to send out test phishing emails, and see how many students and staff open the test email, click a fake malicious link within the email, or open a fake malicious document. With that information, students and staff can then be better educated on what to look for and spot a suspicious email that may be an actual attempt by a cyber criminal to compromise their account.

DJ: How can students help to ensure cybersecurity is appropriately maintained?

Sander:It goes back to make sure students are educated and trained to spot a potential cybersecurity risk. Cyber criminals are well-trained in social engineering and are able to pose as a school teacher or district staff member, because of the many K-12 data breaches experienced in the past year alone.

It’s important for district IT teams to work with students to ensure they know which SaaS apps and browser extensions are approved to be downloaded and installed — and then for IT teams to monitor for installs of unapproved apps into their environment. There are many malicious apps that look just like the real thing, but all they are made to do is gather login credentials that cyber criminals will then use to spread phishing and malware throughout a district.

When it comes to email, students should only send emails to other accounts with the same district email domain, hover over links to make sure the link will take them to the website the sender claims it to come from, and make sure that the sender’s name matches the email address.

Comments are closed.