Protecting more than privacy in K-12 sector

Regulations protect privacy, but what about the overall cybersecurity of public schools that already function on limited resources

Stack of school books on desk with an apple on top

Larger enterprises have the resources to not only afford the technology needed to grow in the digital age, but they also have the budget and manpower to build security into their overall ecosystems.

Does the K-12 education sector have the means to do the same? As the use of technology becomes more prevalent in public schools, will collecting more data potentially increase the cybersecurity risks for the K-12 sector?

Earlier this fall, the Center for Data Innovation released a report, Building a Data-Driven Education System in the United States, in which they said 93 percent of teachers are regularly using digital tools to assist classroom instruction in some capacity.

Researchers want to leverage that data to transform education; however, these escalating plans for using data collection to advance public education raise questions about the risks to schools.

Keith Lowry, senior vice president, Nuix USG, a global security intelligence firm, said, "K-12 runs at the state and local level, and they are individually going to be responsible for the protection of those infrastructures."

Who then, at the state and local level, is thinking about security in education? "In general terms," said Lowry, "most people and organizations including government agencies are either turning a blind eye or are not technologically tuned in to the tremendous threat that happens to be at our doorstep in our digital world."

Security begins with administrators and leaders. Before schools start collecting this myriad data on students, they have to spend some time and write policies and work out processes and procedures to plan for an attack, but are they too late?

The reality is that schools are not operating with no data right now.

Daniel Castro, director, Center for Data Innovation, said that in some ways the challenges in education aren’t too different from what you see in other industries. "We know there’s a lot of best practices from thinking about authentication to vulnerability testing, but school districts don't have to have all that expertise."

[ ALSO ON CSO: Schools keep track of students' online behavior, but do parents even know? ]

In addition to cloud services, Castro said that a lot of that security will come from the vendors themselves. "Schools, school districts, partners, and state governments can provide oversight of different vendors so that when systems have security vulnerabilities, they are identified and distributed widely," said Castro.

Being able to differentiate between secure and insecure products and having model clauses for cloud computing within the education sector are other ways to think about risk, said Castro, but "The solution can’t be each school needs to do X, Y, and Z. It has to be looking at how do you get vendors to secure the quality of their products?"

Creating a certification system for vendors to ensure broad commitments to security and getting the industry to agree to the same practices is another solution that Castro said could have great success.

Daniel Castro, director, Center for Data Innovation

"That type of scenario has potential to get education to a better standard," said Castro. "The other challenge is authentication, and that goes beyond education as well. Without it, there’s not much you can do on the security side. I’m not terribly optimistic that the US is going to solve it, but schools can put more pressure to resolve those challenges."

Unfortunately, regulations haven't kept up with the pace of technology, said Steve Ritter, chief product architect at Carnegie Learning. "FERPA is a very old law. Even for the most well-intentioned people it's hard to map. It has this model where the school is providing data to the third party, but the school doesn't have the data and make a choice to send it to the vendor," Ritter said.

Two kinds of potential problems include technical security and standard practices of being encrypted so that data isn't sent unencrypted. There's also privacy protection in general.

Developing a common standard around how data is collected, for what purposes it is used, with whom it is shared, how it is stored, and how it is eliminated would help to bring everyone onto the same page because there seems to be some discrepancy over what kind of data has the greatest value.

A rule of thumb for best practices, said Ritter, "Don't collect any information that you don't need. You don't need to know gender, race, or if a student is eligible for free or reduced lunch. That's just a matter of being careful. If you get hacked, the consequences should be as minimal as possible."

Ken Koedinger, professor in the Human-Computer Interaction Institute at Carnegie Mellon's School of Computer Science said, "If vendors are using the data to improve the curriculum, they don’t need to know who the students are. If the data is vigorously de-identified, eliminating record and demographic information, we might not have so much to worry about."

Steve Ritter, chief product architect at Carnegie Learning

On the other hand, chief learning officer at Kaplan, Bror Saxberg, said, "There are ways to do rich analyses of large sets of data that anonymize and also protect identity of students while doing some very valuable work, which can lead you to understand how to personalize, but if the goal is to de-identify data, then don't collect data."

One way to address concerns is that as the risk goes higher, the access is more highly limited. "We have public data sets of K-12 student interactions that anybody can access because they are so de-identified," Koedinger said.

According to Koedinger, the National Academy of Education is starting to have these conversations, but there needs to be some way to get the word out to the schools that they should be putting pressure on the developers and vendors.

"The school should be demanding that security. A school could say to a vendor 'we will use your product, but only if you guarantee that the data you keep is fully de-identified'," Koedinger said.

Having clear data governance policies that establish procedures for the responsible use of data will help to mitigate risk. "Make sure you are clear what permissions people have to see, analyze, and download data so that folks aren't getting all kinds of data into places where it shouldn't be," Saxberg said.

The risk is people doing things that are convenient for them and putting things where they ought not to be. "There are tiers of data security thinking that all people in education should be thinking about and should be sensitive to, and a lot of folks aren't thinking about that responsible use of data," said Saxberg.

As it is across most sectors, Ritter said, the majority of people don't think about security until they have a problem. "Those in education who are doing security well are asking for specifics about data privacy and security. They want to know how a vendor collects and stores data, what their policy is for correcting data, and whether they have a breach response policy?"

At this point where the vast majority of schools are already operating with a sizable amount of data being collected, it's not feasible to come to a dead halt in order to write policies and procedures. The best most can do is move forward with security in mind and take precautionary measures before a major breach occurs.

Copyright © 2016 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)