Education Sector Ranks Last in Total Cybersecurity Safety

Upon returning from the NICE K12 Cybersecurity Education conference in San Antonio earlier this month, I was energized by the passion and impressed with the vast collection of educators who are eager to learn about infusing cybersecurity into their classrooms.

Then I read the 2018 Education Cybersecurity Report published by SecurityScorecard, which found that out of 17 industries, the education sector ranks dead last in total cybersecurity safety.

When it comes to the classroom, many parents and some teachers and administrators work on the assumption that new technologies and educational tools—and all the data they collect on children—are safe. But it’s important not to conflate technology with security. An educational app is just as vulnerable as any other app downloaded through an app store.

The problem is, “Societal expectations bombard educators and school IT departments. Parents read about applications to help children learn and then request that schools use them. Parents, however, do not understand the ongoing work that monitoring student data requires,” the report said.

As a result of the pressures to comply with parent demands, “Education struggles with application security, endpoint security, patching cadence, and network security. These four cybersecurity weaknesses put youth at risk, in spite of schools’ efforts to protect children and prepare them for the future.”

Regulations and the (Lack of) Impact

In addition, the report found that several regulatory acts, most notably the Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act (COPPA), requiring educators to boost cybersecurity performance do not appear to be having the intended effect.

The goal of the Office of Educational Technology (OET) is to enable access to and effective use of technology for all students. To support that endeavor, it recognizes the need for ubiquitous connectivity, powerful learning devices, high-quality digital learning content and responsible use policies.

At the same time, the OET acknowledges: “Acting as the stewards of student data presents educators with several responsibilities. School officials, families, and software developers have to be mindful of how data privacy, confidentiality, and security practices affect students.”

The OET then directs educators to links for key federal laws to protect student data. However, it’s important to note that the “Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices” report, issued by the U.S. Department of Education (DoE) to address questions related to student privacy and the use of online educational technology in the classroom, was last updated in 2014.

Despite these out-of-date regulations, schools are being held accountable for failing to comply. The Agora Cyber Charter School serves as an example of the consequences for not complying with federal regulations. In November 2017, the DoE ruled that Agora had violated FERPA with regard to protecting the personally identifiable information of the filing party.

As a result, the Family Policy Compliance Office ruled that Agora could, “… no longer require, as a condition of attendance or receipt of educational training or services, parents or students to accept or enter into any agreement, such as a terms of use or terms of service, with any contractor or other third party … that waives the rights and protections afforded to the parent or student under FERPA.”

The K-12 Cybersecurity Resource Center also reported that the Office of the State Comptroller found that for more than a year, the New York State Education Commissioner’s department had failed to take adequate steps to secure its computer information systems, which left students’ personal data at risk of being breached.

Increasing Targets of Attack

In the fall of 2017, scammers successfully pilfered $56,459 in payroll funds from the Atlanta Public Schools after 27 employees unwittingly fell victim to a phishing scam.

The Lake Ridge School District in Indiana lost $120,000 after a bank employee sent a wire transfer to contractors working on the school’s renovation project as was requested in a fraudulent email.

SecurityScorecard said that its data follows warnings from the DoE Office of Inspector General noting that internet-based student data collection, learning and management platforms are becoming more ubiquitous and the target of more precise intrusion attempts.

Why Privacy Matters for Teachers and Students

The Parent Coalition for Student Privacy, in combination with the Badass Teachers Association, reported that they see education reform and the swift adoption of technology in schools as “corporate-driven.” As a result, they have pushed back and created an Educator Toolkit for Teacher and Student Privacy.

Among the many recommendations they make for privacy protection, the coalition advised, “The first and perhaps most important step to take before adopting ed tech is to evaluate whether the program will support or improve teaching and learning, rather than replace the relationship between you and your students.”

When implementing new technologies in education, it’s important to consider the impact not only on student learning but also on data privacy. A holistic cybersecurity plan can better prepare teachers and schools to be resilient in the event of a cyberattack.

“By incorporating technology and people, a robust program mitigates risks, while also ensuring ongoing education instills good security habits into employees, students, and their parents,” said the SecurityScorecard report.

Kacy Zurkus

Kacy Zurkus

Prior to joining RSA Conference as a Content Strategist, Kacy Zurkus was a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus was a regular contributor to Dark Reading, Infosecurity Magazine, Security Boulevard and IBM's Security Intelligence. She has also contributed to several industry publications, including CSO Online, The Parallax, and K12 Tech Decisions. During her time as a journalist, she covered a variety of security and risk topics and also spoke on a range of cybersecurity topics at conferences and universities, including Secure World and NICE K12 Cybersecurity in Education. Zurkus has nearly 20 years' experience as a high school teacher of English and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). In addition, she's also spoken on a range of cybersecurity topics at conferences and universities, including SecureWorld Denver and the University of Southern California.
