Protection of private student data has been a concern of school personnel for a long time. Signing out paper “cume” folders that contained confidential teacher comments, students’ private information, grades, and other cumulative information about students was standard practice well before such information became digitized. A locked records room and locked file cabinets were common well before data was stored on computers, managed off-site, and housed in the cloud.
However, for past generations the issue was largely local and internal. There was little interest by outside parties in stealing large amounts of student data to be held for ransom or sold on the black market. Today, the world has changed. The need to protect student data remains, but interest in finding ways to steal it has grown. The same is true for other types of information stored by schools, including financial and employee information.
Consider the disruption experienced by schools, hospitals, and other organizations and agencies that have been victimized by hackers who blocked personnel from accessing data or modified their data in ways that made reconstruction nearly impossible. Beyond attempts to ransom what hackers have stolen, there is a growing market for stolen student records. Experts note that the price of a Social Security number on the dark web is about $10, while a robust student record can go for between $250 and $350. Equally disturbing is how stolen student information might be exploited and used to disrupt the lives of victims.
In the old days, the challenge was fairly simple: to monitor and manage who had access to the locked file cabinets and ensure that the people who viewed the contents of paper student records had a legitimate need and knew what was to remain confidential. While the basic idea of protecting student information has not changed, the processes for managing data security have become much more complex, multidimensional, and challenging to manage. Meanwhile, the potential consequences of failing to protect student data have become much greater.
Of course, school districts must have adequate, up-to-date firewalls in place to keep hackers from easily entering the system and to keep unaware users from accessing, downloading, and installing software that could threaten the security of the system. When contracts with outside entities include access to and storage of student data, schools and school districts need to be careful and thorough to be certain that adequate protections are in place against large-scale hacks and theft.
Still, experts point to humans as the most consistent weak point in most cybersecurity systems. Personnel who work with data systems can be tricked into responding to phishing emails and introducing malware into key operational programs. Teachers with access to administrative programs can create serious and expensive problems. Of course, most schools have bright, curious, and sometimes ill-intentioned students who may find ways to access and disrupt student data systems, whether for personal reasons or simply to disrupt the system. Not surprisingly, schools with the most technology available to students and staff tend to be most vulnerable to disruption.
It’s true that when student data was stored in paper files, security was primarily a human challenge. Despite major advances in technology, tools, and data storage and maintenance, this remains the greatest area of vulnerability today. Once systems are in place to protect against technical threats, it is human behavior that will remain the greatest point of vulnerability. The best strategy to counter this weakness is frequent, informative, engaging training to help staff and students recognize and resist actions that can place important information and functions at risk. Here are some initial training topics and tasks on which we can focus:
- Basic practices for password usage and protection
- Recognizing a phishing email, text, or message
- Cautions related to data sharing
- Role and function of firewalls
- Knowing when to report abnormal activity in programs
- Limits on downloading and installing external programs
How frequent, comprehensive, and useful are cybersecurity training activities in your school and school district? What do you need to learn to better protect your professional and personal cybersafety?
Cavanagh, S. (2019, March 19). The best defense against cyberattacks, from a district CTO. Retrieved from https://www.edweek.org/ew/articles/technology/2019/03/20/the-best-defense-against-cyberattacks-from-a.html