Back-to-school 2020 went beyond purchasing supplies, meeting the teachers, finding the bus stop and meeting new friends. This year, it involved connecting to a laptop, tablet or similar computing device – and the school year introduced a new set of risks for students, parents, educators and administrators.
As a parent of young school-aged students, as well as an IT professional, I see first-hand how many risks identified on a daily basis are now the responsibilities of educators, and those who support them, to manage. For IT departments, responsibilities have spread beyond just the schools and supporting the teachers, administrators and district staff to now supporting every household for those children engaged in remote learning.
On September 1, 2020, the Miami-Dade County Public Schools Superintendent, Alberto Carvalho, said the district had suffered a distributed denial of service attack that previous Monday morning as a software glitch blocked access to the District’s servers. While there was no exfiltration of data, per news sources, there was impact to the education of students. In Leander ISD, outside of Austin, Texas, the start of school was delayed because of a vendor miscalculation that caused technology issues. These events are a reminder of the cybersecurity risks facing districts across the nation who are managing slim budgets and increasing IT costs.
With remote learning, there is a new avenue of attack for hackers and others willing to cause harm. As the school year progresses, we can expect to experience continued impacts to other school districts around the nation.
In my own cybersecurity practice, these are some of the risks that concern me about remote learning.
Protection of Student Data:
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. While districts are allowed to disclose data to specified parties, the risk lies in both the intentional and unintentional disclosure of information, which may be a result of an external attack or the misconfiguration or inaccurate change to system(s) that cause unintentional harm.
Unavailability of Services:
Educators around the nation are relying on education tools and connected systems to work seamlessly. The end-user experience has to work for everyone. Many users may not know how to solve their technical problems through the computer. The issues are not just external actors leveraging a denial of service campaign against a district, but also includes the capabilities of the vendors and software to meet SLAs and demands, the availability of internet and reliance on ISPs, and the change management processes in place to upgrade, patch or improve upon existing software. While our children may no longer be streaming their favorite videos, there will be more devices connected in households, between working parents and students throughout the school year.
Unavailability of Services:
Many districts used the summer to reset strategies and introduce new tools to manage remote learning, including additional communication tools (Zoom, Learning Portals, etc.). This results in more data in more places, with more tools for parents and students to rely upon. There are also challenges around the frequency and messaging within district communications. Personally, I have received more emails in one month then I have in an entire school year under an in-person classroom model (each heavy with important information). These communications, the methods in which they are sent, what is said and the frequency of outreach should be top of mind for districts looking to keep families engaged.
During the spring, there were numerous news stories about “Zoom-bombing” events, where uninvited individuals were gaining access to the virtual classroom and causing disruptions. This is not a Zoom specific issue; most of the virtual classroom and meeting platforms have security options that can be configured to reduce the likelihood of such events. Solutions include requiring passwords, setting up waiting rooms, providing different meeting ID each session, blocking screen sharing for non-hosts and regularly applying updates to the apps. While most schools are already familiar with the issue and how to combat it, staying aware of the processes and configurations that protect classroom privacy is important to keep top of mind.
Several schools have re-opened in a hybrid environment in which some students attend in person while others join the same class remotely through virtual classroom applications. In many hybrid classes, the students at school also are logging into the virtual classroom applications so they can engage with remote students. The load of voice and video traffic on the school’s wireless networks and underlying wired network/ISP can cause instability in network connections. In addition, schools are having to figure out ways to provide power for laptops that are now being used by students for eight hours straight. This situation is made more problematic by trying to maintain social distance in classrooms that aren’t designed to provide personal power outlets to students at six-foot increments.
Third Party Management:
The oversight and the validity of third parties that are supporting districts should be an area of concern for administrators. Districts are leveraging or repurposing many new tools and software. Will they be able to meet the existing policies, procedures, requirements, and regulations (locally and federally)? Districts should have in place third party management processes to continuously monitor compliance against SLAs, security, privacy and other risk areas.
Exhausted IT Staff:
With the move to a remote environment, increasing demands, changing IT landscape, and, in some cases, reduction of staff or hiring freezes, IT professionals are asked to do more and manage new risks. When combined, these risks can increase the opportunity for mistakes to be made and vulnerabilities to be exposed. Contingencies need to be in place and strategic plans should be monitored closely to ensure districts are addressing the right risks and highest needs; remembering that the end goal is for educators to teach children.
While this is not an exhaustive list, districts should be monitoring and remediating their maturity against and compliance to IT frameworks, such as NIST and TAC 202, to support their readiness and resiliency. This includes how IT incidents are escalated and communicated, and the level and depth of communication to district leadership and elected district officials.
Weaver’s professionals can help you understand the cybersecurity and IT challenges facing districts this unique school year. Contact us. We are here to help.
Public school districts can face many different types of fraudulent schemes, and perpetrators could come from any level in the organization. The…