According to a recent study, a majority of surveyed districts used at least 26 different software applications to meet the needs of their needs. The demands of the front office are wholly different than the needs of a teacher's gradebook, the lunchroom's food service database and the transportation department's CRM. With a smattering of different systems employed, a range of potential security risks is all but inevitable.
Over 700 breaches of K-12 databases have been recognized in the United States since 2017 alone. Phishing schemes, ransomware attacks and denials-of-service tactics have been used to gain access to districts servers, steal sensitive information and hijack critical systems.
Such intrusions don't command sensationalist headlines as did Equifax, Yahoo or Facebook, so they've largely been able to fly under the radar of public awareness until very recently. The lack of publicity doesn't imply a lower level of danger - the risk such intrusions pose is startling, despite the common misconception that data held in a school’s servers is a low-opportunity target for cybercriminals. According to the Consortium of School Networking, educations is the "single most vulnerable vertical" of business sectors, edging out retail, finance and other "traditional" targets of cyber criminals.
History of Student Privacy 101
The groundwork for protecting student information is nothing new - the foundations were laid in 1974 with the passage of the Family Educations Rights and Privacy Act, or FERPA. However, the public's recognition of the need to improve how sensitive personal information is defended online is much more recent.
The most aggressive effort to protect privacy in the education sector came in 2016 via SOPIPA, the Student Online Personal Information Protection Act. This piece of legislation was the first to formally define prohibitions against using student data for non-educational purposes, including profiling for advertising or marketing, and reselling data to outside entities. Additionally, education service providers are required to securely manage collected student data and provide a way for that data to be destroyed or removed from any database upon request.
The Hardest Part is Getting Started
The easiest and most logical place to begin when addressing security is ensuring that all the various applications and software systems used within a district are integrated to the fullest extent possible. It's commonly accepted as truth that error by a human user is the biggest threat to security. By ensuring that all systems are automatically accessing the same high-quality information, the need for repeated manual corrections or redundant data-entry in each department are dramatically reduced or eliminated entirely. Automated sharing between programs helps to reduce the need for user access, and decreases the potential for a cyber event through an errant keystroke or accidental button selection while fostering confidence in users about the accuracy of that data.
Next in the line of defenses against a breach or intrusion is account management. Platforms without proper interoperability require manual account creation across a dozen or more different software systems for new students or staff members. The most immediately recognized costs of this approach are poorly spent time and resources coupled with greater odds of inaccurate data. More importantly, though not as obvious, is security. Every system that requires manual user access to create or manage user accounts represents a potential point of intrusion, illicit access, or breached security protocols.
When account creation and management can be synchronized using an efficient and automatic directory management tool, highly-sensitive data for students and staff can be rapidly shared across multiple districts from the district SIS or staff account management platform. Not only does this free up countless hours of time across departments and foster confidence in the quality of data, it also shrinks the pool of exploitable points of entry to a single hub. By limiting the need to access numerous systems for manual entry, the likelihood of data accuracy is magnified while minimizing the points of weakness and, therefore, liability.
Lastly, the biggest questions to ask when considering how data is handled are “Is my data moved off-server”, “Is off-site migration necessary”, “How is it protected during movement to and from my server”, and “What happens to my data while it’s gone”. From a district-side and service provider-side vantage point, the less any data is required to be moved between servers, the less existing vulnerability is present, and the more confidence you can have in the security and integrity of that data.
Some service providers take all the data in a district for whole-scale movement off-site with minimal transparency as to the “how”, “why”, “where” and “by whom” questions that are so crucial to privacy, integrity and security. From a protection and system defenses perspective, the most ideal solutions manage data on-prem, and allow approved users to retain full control and supervision of their information at all times. Those solutions that manage data inside existing information management systems without any migrations or batch exports provide a perk that can’t be quantified like time and money - the benefit of peace of mind!