Best practices for improving your school and district cybersecurity in an increasingly digital education landscape
In 2021, K-12 Six documented 166 school cybersecurity incidents affecting 162 districts across 38 states. In 2022, 45 school districts representing 1,981 schools suffered ransomware attacks.
Both schools and students pay the price: a single cyberattack creates a loss of learning of up to three weeks, the overall recovery time is nine months, and the average cost of a data breach is $4.24 million across all industries.
In 2022, a cyberattack on a provider of student-tracking software impacted the personal information of over one million current and former students in dozens of districts across the U.S. Attacks have disrupted daily operations in every state, including Buffalo Public Schools in Clark County, Nevada, and Baltimore County Schools, according to a Government Technology report.
In the aftermath of the COVID-19 pandemic that drove school operations online, more interactions and data are continuing to flow digitally. And, with many operations taking place via non-district devices outside of the digital ecosystem, it’s more important than ever to bolster your school cybersecurity efforts to ensure your systems, data, and privacy are safer.
Remote and hybrid learning technologies are here to stay, with many districts continuing to offer fully remote options for students who learn best in that way. Students, teachers, and staff will continue to do more of their work digitally—whether in the classroom, the office, or at home.
With so many stakeholders on digital devices, schools are increasingly vulnerable to cyber threats and should be prepared for online attacks.
Here are five tips and considerations to improve cybersecurity in schools and districts:
1. Communicate: Protecting Your District Starts with Informing Educators and Families
Ensure that staff, students, and parents are aware of the wide array of cybersecurity threats. Communicate regularly either from the IT department, each school’s principal, or the superintendent.
Provide helpful tips and best practices. Educate your users and help protect them from increased ransomware attacks, phishing attacks, threats against Internet of Things (IoT) devices—and even student-driven attacks.
Offer continuous training. As with any learning, it takes a lot of repetition, re-reading, and practice for users to fully embrace best practices for cybersecurity in schools. Reshare your standard protocols, with an emphasis on extreme vigilance during this new age of increased online usage.
A final piece to communicate with your schools and districts is digital citizenship, especially with increased online collaboration and video conferencing.
“Particularly in these times, we’re looking for civil discourse both with asynchronous and synchronized communications,” says Bob Schuetz, Technology Coordinator at Palatine High School in Township HS District 211. “It’s important to make social connections in a civilized, cordial manner. I prefer the phrase ‘digital contribution’ instead of ‘digital citizenship,’ so that we’re providing benefit to other users, and then we see the value of those connections—what we’re giving back in terms of digital content and sharing knowledge.”
2. Protect Your Valuable Assets
In addition to general best practices, focusing on protecting data, privacy, and equipment is essential. Districts should have tested firewalls and antivirus software in place, share information only on secure systems, and connect users to the district network through secure VPNs.
Other necessary steps to improve K-12 data security include:
- Conduct security audits. A third-party audit has excellent value for a district to gain a holistic view of how their technology is laid out and to take appropriate actions when needed. Download the CoSN K-12 Community Vendor Assessment Tool (K-12CVAT), which is a questionnaire framework to measure vendor risk before you purchase a third-party solution.
- Look at these four key areas. 1) What is the user’s ability to keep data secure? 2) What’s the infrastructure? 3) What are the applications? 4) What are the processes the district uses? An objective assessment of those four areas gives insight into potential weaknesses.
- Adhere to strict criteria when selecting edtech vendors. While time may seem short, and the need to get up and running with remote services is critical, don’t forget to vet your edtech partners thoroughly. It’s important for districts to require security standards and certifications, such as ISO 27001 and the use of a Security Operations Center (SOC) examination. Download the 20-Point Cybersecurity Inspection for Edtech Vendors to assess your systems.
- Additionally, districts should consider moving to cloud-based hosting of applications to reduce risk, increase data security, and decrease total cost of ownership.
At PowerSchool, we’re dedicated to protecting your data with best-in-class security in our interoperable solutions, as a company, and with our employees. Initiatives in becoming the most progressive edtech company in the field of data security and privacy include SOC 2 Compliance, use of a Security Operations Center (SOC), and ISO 27001:2013 certification.
Nine PowerSchool products have fully completed CoSN K-12CVAT profiles, confirming “that information, data, and cybersecurity policies are in place to protect your sensitive school information and constituents’ PII.” CoSN recommends using the K-12CVAT as part of your procurement processes.
We perform penetration testing, vulnerability scans, and next-generation endpoint protection. PowerSchool uses WAF (web application firewall) and IDS/IPS (Intrusion Detection System/Intrusion Prevention System) to protect our networks and devices, and secure software development/OWASP to confirm that security is considered in the entire end-to-end process of developing software.
3. Protect Your Devices—and Others’ Devices
Cybersecurity preventative costs are rising—with increased cybersecurity insurance premiums and the impacts of ransomware attacks and lawsuits over data breaches. That’s why it’s more important than ever to work with everyone within your school or district to build and fortify your human firewall.
While it’s ideal to have all staff and students use district-issued and secure devices, the reality is you may need to let users operate on their own phones, tablets, laptops, and desktop systems. It’s essential to know who has home access to devices and how many devices you’ll need to provide.
For devices you distribute, here are questions to ask, according to CoSN:
- Are devices locked down?
- Have administrative rights for end users been removed so students can’t install unauthorized software on the devices?
- Does your web content filtering protect these devices when they’re being used remotely? Is it set up on every device?
- Is antivirus/anti-malware software installed on each device?
- If you’re using a web conference system, are the video/audio calls encrypted?
- Is recording enabled/disabled?
- Can the system have recording enabled for the teacher but disabled for the students?
- Where are recordings stored?
- How much effort is required to get secure devices distributed with all software and operating systems functioning properly?
4. Beware of Free, Unproven Software
Again, make sure you’re partnering with legitimate, trusted edtech vendors. According to the FBI, “Malicious cyber actors may use legitimate-looking telework software—which may be offered for free or at a reduced price—to gain access to sensitive data or eavesdrop on conversations. Cyber actors may also use phishing links or malicious mobile applications that appear to come from legitimate telework software vendors.”
It’s essential to set guidelines at the district level for what software and tools can be used. Otherwise, you may end up with unproven applications that put your data at risk.
“Enticed by free or low-cost apps and software, teachers may seek to open personal accounts with third-party apps to use in their classrooms that have not been vetted by a school district technology department,” explains Eileen Belastock, Director of Academic Technology at Mount Greylock Regional School District, Massachusetts. “By signing up for these free and low-cost apps and agreeing to the terms of use and privacy policies, teachers take on the unauthorized role of designated school officials that significantly increase the potential risk to students, teachers, parents, and school districts that data will be shared for non-educational purposes.”
5. Ensure Staff and Student Online Safety
With all of your teachers, administrators, students, and parents using digital devices and communicating via multiple online avenues, it’s critical to determine guidelines and rules to keep everyone cybersafe.
Make sure your teachers are prepared to teach and communicate in a digital environment. In addition to their basic teaching skills, digital skills they need include “how to conduct classes in a virtual environment, knowing when and how to use video conferencing, share content, respond to students’ submissions, and more,” according to CoSN.
For Ralph Valenzisi, Chief Technology Officer at Norwalk Public Schools, cybersecurity and digital citizenship are among his top concerns. With an emphasis on setting clear expectations for students, providing concrete examples of good digital behavior for students and teachers, and ensuring that parents are part of the process, Norwalk Public Schools is committed to staying ahead of the game from a digital citizenship standpoint.
“It starts with innocence,” adds Jeff Bradbury, Instructional Coach for Digital Learning at Norwalk Public Schools. “Kids don’t always know what they’re getting into until they’re already there.” Jeff works directly with educators and instructional coaches to help educate them on the importance of being aware of their online activities and incorporating safety measures into the way they teach and interact with parents and students, both in-person and online.
The Importance of “Always On” Cybersecurity
Even though we’re facing times of continuing cybersecurity attacks and threats, it’s important to remember that basic cybersecurity measures can keep students and staff safer. Protecting your data should be a top priority 365 days a year for everyone using your system and accessing programs and data.
Learn How Cloud Hosting Improves Data Security
In this on-demand webinar, hear Los Angeles Unified School District’s story of dealing with a cybersecurity attack, and how they’ve shifted to more cloud-hosted applications to prepare for the future.