Do schools have a cybersecurity problem?

We often think of financial institutions, corporations, and governments as the primary targets of cyberattacks. But are schools at risk as well?

The answer, unfortunately, is yes—and the problem is growing.

In this two-part article, we’ll provide you with an overview of the problem, as well as some actionable ideas for dealing with it.

The changing face of education

With state and local education budgets stretched thin, and faced with the challenges of preparing students for an increasingly tech-centric job market, school districts across the country have embraced technological solutions that promise to do more with less and get kids ready to thrive in an information economy.

Educational technology, or EdTech, is now a multi-billion dollar industry. And for their part, school administrators generally consider tech spending an excellent investment, given its ability to reduce costs and (arguably) improve learning outcomes.

How schools use technology

There are several ways in which schools and universities are turning to tech to enhance learning and save money: 

Learning Management Systems, or LMSs, are software platforms (usually web-based) which are used to deliver course content, provide a forum for student discussion and instructor feedback, facilitate assessments, and track grades. Blackboard, Canvas, and Moodle are by far the biggest names in the industry, but there are plenty of smaller and specialized LMSs as well.

Student Information Systems, sometimes called Student Management Systems, are administrative software platforms designed to host and manage student data. This can include standard academic data, like registration information, grades, and transcripts, but it can also encompass more sensitive personal data such as class schedules, contact information, and student medical records.

General IT and networking systems, of the sort you’d find in any office these days, are of course also used in schools. This covers things like human resources and accounting software, local computer networks and databases, as well as school websites and email servers.

EdTech’s cybersecurity problem

So are these systems, in increasingly wide use in our kids’ schools, actually secure? Sadly, the answer appears to be no.

One organization that began tracking cybersecurity incidents in K-12 schools recorded an average of one incident every few days in 2018, and as of mid-2019, that number appears to have increased substantially. What’s more, the researchers cataloging the incidents are quick to point out that these are just the ones we know about: There is, in all likelihood, a far higher number of attacks which are simply never reported (or worse, never noticed).

The response so far

So how are the EdTech companies and schools responding to this situation? Not very well.

As we discussed on a recent Checklist podcast, even enormous financial institutions and software companies can offer subpar responses to cybersecurity breaches, from “adequate but lackluster” to “terrible”. 

EdTech is no different, as one highly publicized case recently demonstrated. Highschool student and security researcher Bill Demirkapi found vulnerabilities in both his school’s LMS and student management system. The LMS company, Blackboard, seemed to ignore the Demirkapi’s emails for months. They have since acknowledged that they could improve the way they handle vulnerability reports. Follett, the company responsible for the school district’s student management system, also proved difficult to contact, leading the frustrated student hacker to make a very public disclosure of the issue…which earned him a suspension from school.

Schools themselves seem alarmingly unprepared for the threats they’re facing. Observers note that leaders in education have been slow to acknowledge the danger, with a troubling number of schools lacking basic cybersecurity precautions. How bad is it? One study ranked K-12 schools lowest out of all state and local government agencies in terms of having a robust and mature cybersecurity program.

There have, however, been some positive signs. There has been an increased awareness of the issue of cyberthreats in schools over the last couple of years. And in several states, government officials have enacted cybersecurity legislation and initiatives that could serve as models for other locales.

But it’s clear that we still have a long way to go before sensitive student data is truly secure in the hands of the school districts charged with protecting it.

So if you’re a parent of a school-aged child, or simply a concerned citizen, what practical steps can you take to address the issue of cybersecurity in schools? 

That’s what we’ll talk about in part 2.