This article was written by Thuy Wong, President and CEO of CharterSAFE, a Principal Sponsor of the Charter Schools Development Center.
Identity theft and data breaches are on the rise, and K-12 schools are quickly becoming one of the biggest targets. In fact, from 2016 through 2022, there were more than 1,600 publicly reported cybersecurity-related incidents at K-12 public schools, affecting millions of current and former students. But in California, it’s reaching a crisis point. The nation’s second-largest school system, Los Angeles Unified (LAUSD), fell victim to a massive data leak last year, and recently confirmed that 2,000 students had their personal information compromised. This isn’t a one-time blip. Exposure of private information can have long-term impacts not only for schools, but also for the students they serve.
When students’ personal information is compromised, it can lead to emotional and financial harm for years to come. Schools manage a slew of personal data, from health and psychiatric records to academic test scores to even social security numbers. For school districts, financial losses from a cyberattack can be in the millions, according to the U.S. Government Accountability Office. These costs may include replacing computer hardware or enhancing cybersecurity protections, not to mention the burden and risk of identity theft. Yet, the majority of school districts do not have a single staff member solely dedicated to cybersecurity.
Due to the rise of breaches, experts agree that without the proper technological safeguards, K-12 schools are left vulnerable to such attacks. To meet the severity of this moment, in late January 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released its report to help schools better protect against cybersecurity threats. CISA’s key recommendations for schools were straightforward: implement multi-factor authentication, run a strong cybersecurity training program, and raise awareness among education leaders. While the federal government is taking meaningful steps to combat these rising risks for schools, educators agree that more immediate, tangible action must be taken.
Since 2014, California has been among several states to pass student data privacy and security laws, with dozens of K-12 ed tech providers signing on to a national Student Privacy Pledge, committing to a “comprehensive security program.” But a pledge can only go so far, as cyberattacks have only increased. A glaring example is Illuminate Education, which is based in California and is one of the nation’s leading vendors of student-tracking software. Last year, company databases were subject to unauthorized access. This cyberattack on Illuminate Education affected the personal information of more than a million current and former students across dozens of districts, including in LAUSD.
What can be done today to begin addressing these rampant cybersecurity attacks at the school level? Here are proactive steps you can take to protect your school community against systemic cybersecurity threats:
- Sanitize Network Traffic. Establishing safeguards on the Internet is critical in general, but even more so for schools. You can start by blocking access to any known malicious sites.
- Train Staff. Attacks are often socially engineered. That means staff must know how to identify and respond to these threats. Regularly scheduled training for staff, such as phishing campaigns, helps ensure they have the language and tools needed to protect against phone-based, email-based, and SMS-based scams. Required training will help your school community not only identify cyber threats but also share actionable guidance on what to do if any information at your school is compromised.
- Protect Student, Teacher, and Staff Identities. Restricting administrative access to only those who need it can help keep devices and personal information protected, since users with administrative privileges can often bypass critical security settings and access sensitive information. This can be done by validating which staff members are required and authorized to carry out administrative tasks as part of their duties. Implementing multi-factor authentication to verify the identity of those with access is also critical.
- Practice Continuous Improvement. Regularly patching and updating systems is one of the most important cybersecurity procedures to protect against known vulnerabilities as well as provide new features. Lastly, enact policies to regularly back up your data to different media (e.g., separate servers) and to archive or delete sensitive information in alignment with your record retention policies.
The scale and number of attacks escalated during the pandemic as more schools relied on technology for instructional delivery and operations. In an increasingly digital age, cyberattacks will only become more hazardous for students and their school communities. It has never been more important for school leaders to prioritize cybersecurity education and protections, and it’s past time for schools to reevaluate the cybersecurity protections they have in place for their systems and those who access them.
For more resources to better equip your school community against cybersecurity threats, visit: CISA’s toolkit.