Cybersecurity in K-12 is ultimately more than a student data privacy concern, additionally encompassing employee and staff data. Ransomware attacks targeting any of this data, for example, can scam districts out of hundreds of thousands, or even millions, in funds.
In a Thursday afternoon webinar hosted by K-12 cloud security firm ManagedMethods, moderated by Jake Kasowski and Katie Fritchen, district IT professionals discussed the state of K-12 cybersecurity and student data privacy in a school year disrupted by the coronavirus pandemic.
EdTech Strategies Founder and President Doug Levin said he has a database via his K-12 Cybersecurity Resource Center of 867 incidents disclosed by schools and districts since 2016. He has previously stated the actual number of incidents is likely exponentially higher.
In the 2019 calendar year, Levin said, there was a large number of data breaches and ransomware incidents. “Those were really two of the big stories from last year. Up until March, it seemed to be the same story in 2020.”
That changed at the beginning of April. With school shutdowns taking hold, Levin saw a “dramatic shift” in the types of incidents being disclosed. Those emerging included compromised remote learning, particularly in videoconferencing with incidents like "zoombombing."
Ransomware and data breaches dropped off the map entirely. He said “it could be a change in public reporting,” but it may also be incidents are still occurring and haven’t been discovered.
Outside of school, devices may not be as well protected, could have been compromised, and are just “waiting” to be reconnected to the network. The FBI this week issued a warning along these lines in regard to remote desktop protocols.
"It’s not that [the threat has] gone away," Levin said. "We need to be thinking about what the fall might look like when those devices get back on school networks."
'Flipped on your head'
Greg Hogan, network data and security coordinator for Georgia's Bibb County School District, said during the webinar his 21,000-student district got “very little warning” for the shutdown but a lot of protocols "clicked in" very quickly. They had a lot of good security practices in place at a cloud level, putting them at an advantage as everyone scattered.
The first priority was finding out who needed devices and internet. Within a week, 3,500 laptops and 1,600 hotspots were issued to students. Six months prior, the district had applied to a Sprint grant that would provide hotspots, so plenty were available.
Remote access presented a trickier problem. “You’re flipped on your head a little bit” when your job becomes a matter of letting everyone into the network from the outside, rather than protecting outside access from within, he said.
“We feel pretty confident that we’ve locked down devices pretty tight and that they should be pretty clean,” Hogan said, noting that cloud security protocols should be able to catch any issues with devices accessing from outside the network.
Neal Richardson, director of technology for New Hampshire's Hillsboro-Deering School District, had a somewhat more nimble experience by virtue of being smaller. Within 30 minutes, they were able to get devices and charging cords into the hands of 1,100 students before they left for the day prior to the shutdown. Previously, only high school students took devices home, but now all grade levels do.
Hillsboro-Deering was never a large remote access district to begin with, he said, but it has shifted to a cloud model over the last few years because on-premises networks are much more expensive to maintain.
Outside access to school networks also necessitated a little fine-tuning for Hogan and Richardson.
Hogan said he put conditional access in place to begin with, instituting measures like two-factor authentication three years ago due to phishing attacks. The conditional access protocols also bar access from IPs outside the U.S., and the district relies on Microsoft protocols to ban known blacklisted IPs from accessing the network.
Richardson added he was caught completely offguard when people fired up their phones as hotspots and suddenly their IPs came in as being from locations like Colorado because of the way cell networks work. This required them to lighten some restrictions a bit.
Hogan said his district also had to take into account the need to continue filtering devices off of the network, just like they were on it. This provided an additional level of assurance students “wouldn’t hit sites they didn’t need to be hitting.”
Richardson noted his previous indicators of compromise were knowing when students would be on-site, what their browsing habits would be like, and what times they were on. But that changed during remote learning, and he also had to rely more on filtering capabilities as students were accessing the network at random hours of the night.
He was also concerned with every vendor throwing up software and resources for temporary free access because it should all be vetted for student privacy safety before it could actually be used.
Levin added that he has anecdotally heard many school and district IT directors say they did things on their networks they were uncomfortable with and that they’re probably going to regret because priority was placed on availability and access. “We’re likely to see a little more centralization of approvals,” he said.
Hogan noted remote support was difficult. Things like printers and other software needed to be installed, and your administrator rights to do these things are suspended once you take devices off-site. “We had to get creative in getting support to people,” he said.
Next year, the district is looking at putting those protocols in place before devices leave the network so they can provide those administrative approvals remotely.
On content filtering, they need more visibility and reporting, he said. He also wants to give parents more control and insight into what students are doing on the devices they’re sent home with.
“This has been a tough experience and less than ideal for most people,” Levin noted.
Hogan added the pandemic forced IT professionals to step outside the box and try things they wouldn’t have otherwise. “To me that’s a great silver lining,” Hogan said. “As bad as it is, it’s been a growth I’ve seen in my technicians and myself included.”
But that doesn't mean they're in any hurry to play out a similar scenario. "We proved the point we could flex, but let’s not," Richardson said.