Students and staff went from walking school hallways and cramming into classrooms and cafeterias, to staying home to halt the spread of the virus. In many cases, district faculty and staff were given a day or two notice that buildings were shutting down. The resulting effort to set up remote learning to continue students’ education is among the most admired stories of this crisis. K-12 IT teams, tech admins, faculty, and administrators moved with astonishing agility to enable at least some level of learning continuity.
In the rush to set up remote learning, districts frantically purchased new devices and technologies. This shift is being described as a boon for the EdTech industry, as school adoption of cloud apps like G Suite, Microsoft 365, Schoology, Seesaw, and others skyrocketed. Many vendors began offering free or reduced pricing for their apps and services to support the cause—and increase their user base.
In fact, school districts are among the biggest adopters of cloud technology today. However, there is a downside to this. Districts are lagging in securing their cloud environments, leaving themselves exposed to emerging threats and cyber incidents. According to The K-12 Cybersecurity Resource Center, there have been 867 publicly disclosed cyber incidents since 2016. In 2019 alone there were 348, almost tripling the 2018 total.
When districts closed their doors and went remote, the type of cybersecurity incidents schools saw also changed. This is largely because the apps being used by students and staff are different than those used earlier this year. Teachers are relying on video conferencing and cloud applications to run their classes from home, and students are using the same apps to stay connected to friends and classmates while in isolation.
Cybersecurity gaps in district IT infrastructure existed before COVID-19 forced students and staff to stay home. When the upcoming school year arrives, schools will not be operating as they did before the pandemic and will embrace more remote learning than ever. District IT teams must be ready for the cybersecurity, student safety, and compliance threats they will face when classes resume in the fall.
Districts Are Shifting Classrooms to the Cloud
K-12’s move to cloud computing began long before COVID-19, but the shift to remote learning certainly sped things up and changed the way apps are used. Districts use cloud apps for learning management systems (LMS), student information systems (SIS), and financial and human resources systems. According to CoSN’s 2020 EdTech Leadership survey, 97% of districts are using a cloud-hosted LMS—a popular one being Google Classroom. Additionally, 64% of districts host their financial systems in the cloud and 51% do so with their HR systems.
Millions of students and teachers are using cloud applications to attend class remotely, complete coursework, communicate with teachers, and collaborate with their peers. The COVID-19 pandemic is challenging district IT departments to ensure that all these students, teachers, and staff are protected in the cloud—from afar—now that no one is using school networks.
Challenges Following School Closures
The use of video conferencing platforms such as Zoom, Google Meet, and Microsoft Teams continues to increase to properly support remote learning. However, these video conferencing platforms are designed for commercial business and weren’t thoroughly vetted by IT departments at the beginning of the pandemic.
The result? Shortly after remote learning began, districts nationwide experienced incidents where unauthorized people hijacked virtual classrooms to cause disruptions and wreak havoc. It became quickly clear these apps never had features in place to support K-12 school districts and the minors using them.
Unfortunately, this isn’t the only problem IT departments are facing. Another example involves teachers recording their classes and posting them online, unaware of the consequences. Social media platforms are filled with pictures of virtual classes with students and sensitive information from inside of homes. This poses a huge cybersecurity risk as cybercriminals use this information to perform social engineering attacks and gain access to school accounts. Further, posting class recordings and lessons online is a data privacy risk school districts are responsible for. With a couple of months to prepare for the next school year, it’s time for IT departments to fill the gaps, monitor the new cloud apps being purchased, and keep sensitive district data secure and private.
Securing Remote Learning Environments
Districts are struggling to address newer threats and activity taking place inside the cloud applications being used as classrooms. Many incidents within cloud apps result in data breaches, loss of sensitive district data, and unauthorized public disclosures frequently seen today. In fact, the most experienced type of school-related cyber incident is data breaches involving the unauthorized disclosure of student data, according to The K-12 Cybersecurity Resource Center.
IT departments are becoming more aware of the risky activity taking place in cloud applications and that traditional cybersecurity tools are unable to protect against them. Because the activity takes place within the application, traditional cybersecurity tools have trouble detecting it since data never travels in or out of a district’s domain.
Think about what happens once a teacher or student clicks on a socially engineered phishing email containing malware or installs a malicious third-party app—a cybercriminal gains access to the school account. With that access, the criminal is able to send emails and file attachments containing phishing and malware to other students and staff and further infiltrate a district’s data infrastructure via lateral phishing. This type of cyberattack consistently impacts districts of all sizes—the end result often being the exposure of sensitive personal information belonging to students, teachers and staff, or a ransomware attack that blocks districts from accessing their data.
Monitoring, detecting, and protecting against cyberattacks is much more difficult now that districts are operating remotely. Cybercriminals are advancing in their tactics to get into a district’s system—IT departments must advance their cybersecurity defenses to be better prepared.
Student Safety During Remote Learning
Cybersecurity risks aren’t the only thing districts need to juggle in the new remote learning environment. There are also student safety risks that can go unnoticed if districts do not properly monitor their cloud applications.
Schools were already struggling with students using Google Docs as chat rooms before COVID-19 closed school buildings. Now that apps such as Google Meet, Google Chat, and Microsoft Teams are the popular apps teachers are using, students are using them as another channel to interact with one another. For IT departments, monitoring for student safety incidents taking place in these instantaneous interactions between students is challenging when there are cybersecurity risks to watch for at the same time.
The student safety risks existing in video conferencing and chat applications include cyberbullying, signs of self-harm, threats of violence, racial and LBGTQ discrimination, inappropriate behavior, explicit content, and more. Further, these risks also exist in both text and image content—making it tough to detect when risk is present in an application, email, or file attachment. COVID-19 and the larger adoption of cloud apps and video conferencing has exacerbated the challenge when it comes to protecting students and staff.
Another risk involves students who stay in a virtual classroom after the teacher leaves. Students use these as opportunities to communicate with each other, share gossip, cause mischief, and more. Teachers are mostly unaware these incidents are happening. Monitoring for them can help educate teachers and administrators about how students are using newer cloud applications in ways they are not intended to be used and can help mitigate future incidents.
The Student Data Privacy Challenge
Student data privacy is always a concern, but a remote learning environment makes keeping student data private a tougher task. Detecting sensitive data that has left a school district’s information system—accidentally or intentionally—is more difficult when external networks are used. Most districts are operating in the cloud, which means firewalls, antivirus software, and on-prem content filters are not effective. The challenge increases dramatically if a district is not one-to-one and students are using personal devices.
Regardless of the device, students and staff are logging into their school accounts from many different networks. It’s those cloud accounts that need monitoring tools implemented before the upcoming school year. Districts face strict regulations regarding data privacy because the majority of their stakeholders are minors. Federal laws such as the Family Educational Rights and Privacy Act (FERPA), Children’s Online Privacy Protection Act (COPPA), Children Internet Protection Act (CIPA), along with state and local laws must be met.
District IT teams are familiar with using content filters to prohibit students from accessing unapproved websites and meet CIPA laws. However, many do not realize that student access to content when using district cloud applications falls under the same regulations and are not protected by traditional content filters. As a result, the adoption of Google Meet, Google Chat, and Microsoft Teams pose a high compliance risk that districts need to address while students and faculty are on break this summer.
Looking to the Future
The 2020 CoSN EdTech Leadership Survey found that cybersecurity is K-12 IT leaders’ number one priority. However, districts are not putting much of their budget toward addressing it. When they do, most of the budget is allocated to securing the network—not the cloud.
On the plus side, more IT leaders are understanding the need to properly secure their cloud applications. To do this, districts are looking into emerging cloud security and student safety tools that aren’t on-premises and don’t require an extension, proxy, or agent. This allows IT departments to detect risks efficiently and effectively in the cloud, no matter what device or location their users login from.
Cloud security is critical for districts to detect cybersecurity and student safety incidents in G Suite and Microsoft 365. Over the course of this summer, district administrators and IT teams must prioritize implementing a multi-layered cybersecurity infrastructure that includes cloud monitoring.
The risks have been there all along—COVID-19 made them obvious. District data won’t always be accessed from school networks, and IT departments must understand how much of cybersecurity, student safety, and compliance gap a lack of cloud monitoring creates.
About the author: Charlie Sander is the CEO of ManagedMethods—a cybersecurity, student safety, and compliance platform for K-12 school districts—and brings over 35 years of experience in the IT industry.