Are Your School's Computers Safe?

As more school data moves online and more daily instruction occurs in digital environments, schools and their instructional and informational infrastructures are common targets for malicious actors, according to a new report by the State Educational Technology Directors Association (SETDA), the primary association representing U.S. state and territorial educational technology and digital learning leaders.

SETDA's team says its most pressing concerns for states and local education agencies are:
  • Human factors—Although districts have implemented hardware and software to strengthen the security of their networks and data, they also contain thousands of humans (adults and students) who act for various reasons or motivations, sometimes in ways that compromise or circumvent that security. Attackers can easily launch millions of phishing attacks; meanwhile, defenders can be compromised by one person clicking the wrong link. Social pressures and circumventions are significant risks that require attention, training, and continual revision and reminder.
  • Third-party connections—As networks increase in complexity and scope—when light switches, security cameras and thermostats are all potential targets for intruders—the growing patchwork of connected devices present in schools and offices creates more complexity and risk. Hundreds of edtech applications also demand access to school networks and data, and these external relationships must be meticulously managed to eliminate opportunities for data or hardware to become compromised.
  • Leadership awareness—Not raised with technology themselves, many superintendents are not fully aware of the importance of cybersecurity until they face a crisis. It is also easy for cybersecurity to get lost amid other priorities to which school leaders must devote attention and professional development. These concerns can be somewhat offset if the superintendent has a strong IT/edtech voice at the cabinet level, but many districts have yet to elevate this critical role.
  • The complexity of funding—A fundamental misunderstanding of what it takes to “buy” vs. “own/manage/support” school technology has been exacerbated by pandemic relief to schools, creating additional vulnerabilities amidst a swarm of new devices and equipment. While legislation shows some movement toward investing in cybersecurity, more designated funding is necessary. If investments in security measures are seen in competition with classroom instruction or student productivity, security posture is likely to be compromised.
  • Access to security expertise—Information is easily distributed, and people with that necessary information and knowledge are not. While some districts are large enough to support an entire cybersecurity division, smaller districts aren’t likely to afford even one position with security expertise or have access to that expertise from a distance. Lack of access to security expertise poses a threat to staff and students alike.
  • Proof of proper controls—Rapidly increasing demands from cybersecurity insurance companies has districts scrambling to avoid being left with a diminished capacity to recover from an incident. Districts must now show proof of proper controls, including evidence of planning, procedures, risk assessments and awareness training, just to cross the threshold of insurability. While this has the effect of pushing schools toward a stronger security posture, it will also provide a greater hardship to those unable to keep pace with these demands.
You can read the complete report here.