Student Data Security: A Call to Arms for K-12
Protecting personal data is a way of life for the most organizations and individuals today. Threats are on the rise and growing in sophistication. At the same time, more data is shared online and over cloud services.
But for K-12 schools, the threat is more extreme. The public sector is behind the curve when it comes to protecting data. In addition, schools don’t often have the budgets or expertise to develop enterprise-level data security programs. Finally, the bad actors, working to threaten data security and steal identities and private information, have caught on to this and the number and severity of threats in the education space are growing.
1:1 computing exacerbates these issues. Schools are purchasing more devices, handing them out to students, and replacing pen and paper lessons with online work. Textbooks didn’t come with data security threats; online lessons do. Additionally, the devices are often leaving the school network and the security protections that come with it. This facilitates 24/7 learning opportunities, but increases risk. Students are connecting with different Wi-Fi networks, sharing on social media, and using a variety of online apps and services. For many families, the school-provided mobile device is the first computer in the home.
The capabilities and resources of IT and technology teams in schools across the U.S. are also varied. Small schools may have very limited staff, or may rely on outside service providers. Technology teams are frequently made up of individuals with more background in education than technology and data security. As it has in the enterprise space, the skillset for CIOs in schools and the public sector is changing; computer security– the ability to craft and execute a comprehensive policy to organize teams and processes and to respond to threats–is a required skill in today’s schools.
Even a school with a fully staffed security team can’t be in every classroom, therefore it’s critical to educate and empower teachers
What’s a school to do? Fittingly, since we’re talking about schools, it begins with education.
Educate students: Children and teens are growing up with social media, online services, and constant access to both personal and school-owned devices. This can put sensitive data at risk. Even though we think of them as “digital natives”, knowledge about the threats of data breaches and how to protect their personal information isn’t something they’re born with; it needs to be taught. But often, even parents and teachers aren’t fully aware of the risks.
Education should be focused on the whole community. One of the ways the community around Orange County Public Schools is addressing this is by hosting a Data Protection Event, where students, parents, and educators and the community are invited and can learn about the risks as well as how to protect themselves.
Educate Teachers, Staff, and Parents: Even a school with a fully staffed security team can’t be in every classroom, therefore it’s critical to educate and empower teachers. Make sure teachers and school staff understand the risks and the importance of data security so they can reinforce it with every lesson. Ensure your Acceptable Use Policy covers data privacy and security issues – and make sure everyone starts the year reading, understanding and discussing it, not just signing it.
Reinforce with a Measured take on Discipline: Anyone working in education knows that kids like to push limits and test boundaries. Online services and devices give students new opportunities to do that, and hacking into gradebooks or into a classmate’s social media account is common. These “attacks” don’t always lead to serious harm and students are simply trying to prove they can do it. It’s important that students know, via an Acceptable Use Policy and education, what expectations are and what the response will be to these behaviors.
It’s also essential that the response should be measured. One of the most effective forms of discipline is having students, (depending on the given situation) who are caught breaching data security policies, work with their school’s CIO and security team to share how they accomplished it, why they did it, and to assist with ongoing efforts to protect. At Orange County Public Schools, we are proposing they do presentations and trainings to teach their peers about data security.
Work Together: Demand for security professionals across all industries is high, and schools often can’t compete to hire a full team with the expertise they need for their unique needs. But that doesn’t mean it’s a lost cause; rather, it’s an opportunity to collaborate to pool resources and knowledge. In our community in Florida, local district security personnel are meeting and working together to discuss security-related issues and share best practices and lessons learned. Even better: if a district has a threat, they don’t have the expertise to deal with, they can call on their neighbors for help. This type of community collaboration makes the best use of the personnel and talent a school has, and builds the trust needed to work together on sensitive issues.
Nobody is safe from identify theft– not even the youngest students. As CIOs in education, we need to build the best processes we can to protect them with technology, educate them to take action and protect themselves in their day-to-day use of technology, and work together as a community. Not only does this help our schools and students today, it also lets us educate and prepare them to be the security professionals needed in the workforce tomorrow.