Cybersecurity for schools is a growing area of interest due to 1) the increased adoption of instructional technology tools, and 2) increases in cyber attacks against both the software vendor and users of these platforms.
Data privacy and data security are especially important anytime students are using technology due the potential data at risk. Sprig Learning has written on this topic, offering tips on protecting children’s data online on computers and mobile devices.
This article is dedicated to teacher’s use of technology.
The majority of early learners may not use computers, tablets and phones in schools, but their teachers use these devices to manage planning, instructional and assessment data.
Thus it’s very important to understand the importance of cybersecurity in schools.
What Is the Importance of Cybersecurity in Schools?
As the number of students enrolled in schools continues to grow and online learning expands, the safety and protection of student data is crucial.
Increased Threat
Last year, the number of cyberattacks on schools jumped by 75% with over a 1000 schools experiencing ransomware attacks.
According to data from Check Point Research, the education/research sector suffers the greatest number of weekly cybersecurity threats.
With the threat of such attacks looming in the K12 education sector, it is important to take necessary measures.
With the growing prominence of cybersecurity, it’s not just the CIO who should be in roundtable discussions on how to best mitigate such risks, but other school district leaders and educators at all levels must have a base understanding of the threats and the right course of action.
K12 Cybersecurity Act
The K-12 Cybersecurity Act was signed into law in 2021, which aims to strengthen the cybersecurity of the United States’ K-12 educational institutions by conducting a study in cybersecurity risks, presenting the findings, and developing an online training kit for officials.
The cybersecurity toolkits published thus far offer some general guidelines, but a lot is still left up to the schools regarding how they want to set their cybersecurity strategy.
Cybersecurity Budget for Schools
District Administration reports that 20% of schools out there spend less than 1% of their IT budget on security, the rest spending 8% of their IT budget on average on cybersecurity.
For schools who have not prioritized cybersecurity yet, what are some best uses of the IT budget which will minimize risks, threats, and create a robust infrastructure for the future?
- Awareness training to the risks and how they are mitigated;
- Anti-malware software to detect the potential presence of malware;
- Anti-phishing software on email services to detect attempts to capture information, or even suspicious emails;
- Performing threat and risk assessments (TRA) against all new software or technologies being used. This should include a privacy impact assessment (PIA) for any platforms holding PII data of students or staff;
- SLA’s with providers that account for data breaches and course of action including notifications during and after an incident;
- Create a governance model that will allocate resources to ensure security and privacy are ongoing tasks across the organization’s operations.
Cybersecurity for School Districts
What are some things instructional technology should possess which will keep student’s data safe and secure?
Cybersecurity for school districts consists of keeping student data private and secure. Sprig has previously written on data privacy and data safety before. Please refer to those articles for a more in-depth explanation of what it takes to keep student data private and secure.
Information from those articles are presented here in a questionnaire format. To develop a top-notch cybersecurity strategy and successfully implement it, the following questions have to be asked.
Has your Instructional Technology Provider Completed Assessments on Threats, Risks and Privacy?
A governance model or framework makes it easy to perform both a Threat and Risk Assessment and a Privacy Impact Assessment – two critical components in developing and maintaining a safe platform.
A Threat and Risk Assessment allows us to discover any potential flaws in our digital assets and address each one to reduce risk.
The Privacy Impact Assessment assists in the identification and recording of any components of our system related to personal or student data that may be at risk, and then developing a plan to manage and mitigate those risks.
Does your Instructional Technology Provider have Failsafes? Does it train itself to get better?
Assessment and documentation cycles help to develop a Secure Development Lifecycle (SDLC) that decreases our platform’s overall attack surface. Maintaining a secure platform is an ongoing activity that does not end after development is completed.
Servers must be monitored constantly for any indication of risk. Multi-layered system should assure that even if the web server is compromised, the student data is safe.
Penetration testing should be conducted to ensure that no internal errors are made on the code or on the server.
Is there sufficient understanding of the data policy and culture of the instructional technology provider?
First and foremost, schools should partner with EdTech companies that care about students. From pedagogy to platform and privacy, your tech partners need to put students first.
Ask for a copy of the company’s privacy policy and make sure it looks something like this. If an EdTech company values the best interests of students, they will not sell data to advertisers or any other external 3rd party providers.
Is there enough information about cybersecurity and collaboration amongst different stakeholders to keep student data safe and secure?
The fact is, there is only one way to fight the sale of information: with information itself. Staying informed is the only way to protect student data and the onus is on caregivers and educators to learn with students in mind.
Caregivers and educators need to work together to protect student data inside and outside of the classroom and educate themselves so that they can understand the technology their children use. It takes two to keep student data safe, make sure your education partners are in it for the right reasons.
The Sprig Difference
All Sprig software and platform services have affirmative answers to the questions posed in the prior section. They are held to high specifications using regulatory regulations and ISO cybersecurity standards to ensure student data is safe and that privacy is assured.
Sprig values student privacy, and as such, we do not sell or advertise any student data to third parties. Nor will we ever, as it it is not part of our business model.
For our product development, we use a governance model that includes a Secure Development Lifecycle (SDLC) to keep track of every component, identify potential risks, and carefully resolve each one.
Sprig has partnered with TwelveDot Security as its development partner to further emphasize the need for privacy. TwelveDot creates all of Sprig’s platforms using the most recent digital security safeguards and criteria. TwelveDot has been a global leader in cybersecurity for the last twelve years, assessing and defending enterprises against data breaches and cyber threats.
Do you have questions related to data privacy or cybersecurity? Don’t hesitate to reach out to us.