Over 700 breaches of K-12 databases have been recognized in the United States alone since 2017. Phishing schemes, ransomware attacks and denials-of-service tactics have been employed to access or distribute sensitive information belonging to students, faculty and staff.
Because these events don't command the same sensational headlines seen by Equifax, Yahoo or Facebook, they've largely been able to fly under the radar. That lack of awareness doesn't imply any less seriousness - the risk such posed by such intrusions is startling. Most people wouldn't likely believe that the information in a school’s servers would be a ripe target for data criminals. And yet, the Consortium of School Networking ranked education as the "single most vulnerable vertical" across business sectors, edging out retail, finance and other "traditional" targets of cyber criminals.
Student Privacy 101 - A Brief History
The groundwork for protecting student information is nothing new - the foundations were laid in 1974 with the passage of the Family Educations Rights and Privacy Act, or FERPA. The public's embrace of the need to improve safeguards surrounding online sensitive personal data is much more recent, however. CalOPPA, the California Online Privacy Protection Act, saw substantial revisions in 2013, while the E.U.'s General Data Privacy Regulation was enshrined in 2017.
The most aggressive effort to protect privacy in the education sector came in 2016 via SOPIPA, the Student Online Personal Information Protection Act. This piece of legislation was the first to formally define restrictions against using student data for non-educational purposes that include profiling for advertising or marketing and reselling of data to outside entities. Additionally, education service providers are mandated to securely manage collected student data and provide a way for that data to be destroyed or removed from any database following a request from a school or district.
According to a recent study, a vast majority of surveyed districts used at least 26 different software applications to meet the needs of their needs. The demands of the front office are wholly different than the needs of a teacher's gradebook, the lunchroom's food service database and the transportation department's CRM. That doesn't include any free or low cost programs that teachers may use to assist in managing student success. With a smattering of different systems comes a range of potential security risks ready for intrusion or exploitation.
The easiest and most logical place to begin when addressing security is ensuring that all the various applications and software systems used within a district are integrated to the fullest extent possible. It's commonly accepted as truth that error by a human user is the biggest threat to security. By ensuring that all systems are automatically accessing the same high-quality information, the need for repeated manual corrections or redundant data-entry in each department are dramatically reduced or eliminated entirely. Automated sharing between programs helps to reduce the need for user access, and decreases the potential for a cyber event through an errant keystroke or accidental button selection while fostering confidence in users about the accuracy of that data.
Next in the line of defenses against a breach or intrusion is account management. Platforms without proper interoperability require manual account creation across a dozen or more different software systems for new students or staff members. The most immediately recognized costs of this approach are poorly spent time and resources coupled with greater odds of inaccurate data. More importantly, though not as obvious, is security. Every system that requires manual user access in order to create or manage user accounts represents a point of potential intrusion, illicit access, or breached security protocols.
When account creation and management can be synchronized using an efficient and automatic directory management tool, highly-sensitive data for students and staff can be shared across multiple districts from the primary SIS or staff account management platform. Not only does this free up countless hours of time across departments and foster confidence in the quality of data, it also shrinks the pool of exploitable points of entry to a single hub. By limiting the need to access numerous systems for manual entry, the likelihood of data accuracy is magnified while also minimizing the points of weakness and, therefore, liability.
Lastly, the biggest questions to ask when considering how data is handled are “Is my data moved off-server”, “Is off-site migration necessary”, “How is it protected during movement to and from my server”, and “What happens to my data while it’s gone”. From a district-side and service provider-side vantage point, the less any data is required to be moved between servers, the less existing vulnerability is present, and the more confidence you can have in the security and integrity of that data.
Some service providers take all the data in a district for whole-scale movement off-site with minimal transparency as to the “how”, “why”, “where” and “by whom” questions that are so crucial to privacy, integrity and security. Conversely, there are approaches that allow approved users to retain full control and supervision of information at all times. Those solutions that allow for data to be managed inside existing information management systems have a significant edge and provide a perk that can’t be quantified like time and money - the benefit of peace of mind!