If there is an Achilles’ heel to a future of robust personalized learning for all K-12 students, it is the uneven attention to the cybersecurity risks facing school information technology assets and data. In this post, I offer emerging lessons about real and perceived information security issues facing schools from the data underlying the K-12 Cyber Incident Map.
Earlier this week, an unknown person or persons launched a short-lived, but clever cyber attack against Google Docs’ users. While apparently not targeted toward schools, it very quickly found its way to K-12 classrooms nationwide, resulting in alarm and confusion. Based on my investigation of the exploit, here are the three lessons I believe those of us in K-12 education should take from this incident.
Since 2016, multiple news reports document that K-12 students are being charged with and convicted of crimes for hacking their schools. In other cases, these incidents have led to students being expelled. Are schools and the police over-reacting to student hacking of schools? Are our current laws and school policies appropriate? It may be time for a hard look at these questions.
Today, I am pleased to introduce and launch the “K-12 Cyber Incident Map.” It is a visualization of cybersecurity-related incidents reported about U.S. K-12 public schools and districts from 2016 to the present. Painstakingly assembled from public reports, it was created to begin to build a data-based awareness of the scope and variety of digital security and privacy threats facing K-12 public schools and districts, as well as to shed a light on the need for uniform standards for disclosing cyber incidents affecting schools, students, and educators.
There are a range of potential cybersecurity threats facing K-12 schools. Thanks to my invited participation in a National Governors Association cybersecurity summit, I’ve documented my current thinking on the cybersecurity in K-12 education, why it is an important issue, and what should be done about it. Ultimately, if we can’t generate the political will to address these issues head on, states and the federal government have no business pursuing school reform and improvement strategies dependent on technology.
Hackers will target anyone and anything, be that hospitals, the police, or other hackers. Even though the year is just getting started, schools have already faced a wave of phishing attacks designed to steal sensitive employee tax information. The IRS has called this “one of the most dangerous email phishing scams” they have seen.
It is inevitable that the education sector will experience data breaches and be subject to cyberattacks. One recent phishing attack has become so widespread and so damaging that the Internal Revenue Service (IRS) itself has issued public guidance for schools on how to respond. Please share this information widely, educate yourself, and work with your schools to mitigate the risks of handling personal data of school employees, students, and their families.
Select state government audits of school district IT security procedures find a concerning state of affairs. State departments of education should adopt and promulgate digital security expectations and best practices for schools, provide technical assistance and resources to districts to support implementation, and conduct regular audits to ensure compliance.
Every school district should be able to answer three very simple questions about their IT and student data security practices.
Advocates would have us believe that school districts are incapable of making responsible decisions about technology-related privacy and security issues affecting students. Even if they are correct about the current state of affairs – and they just might be – it doesn’t abdicate our responsibility to help schools and educators do better.
