Schools create their own communities. Of course, they bring together children and families from across the district, but they’re also conduits for important support in the form of student healthcare services, legal and social work, and educational development.
Because schools serve such a vital, interconnected function, they are stewards of vast amounts of sensitive information — and as a result, they’ve increasingly become targets of cyber attacks: Last year, 1 in 4 schools experienced a cyber attack, and in 2021, nearly 1 million students were impacted by 67 ransomware attacks against schools.
Student data is on the line, and schools are in a tough position, as most have limited budget and dedicated team resources to protect this sensitive information. To assist these schools in prioritizing data protection, CISA has released a new set of recommendations for K-12 school security. They are intended to start the conversation and put schools on a productive path toward strengthening student data protection.
How Schools Can Address Cybersecurity Threats
CISA highlights three primary objectives in its new report, offering a broad picture of how schools should prioritize their cybersecurity strategies and investments.
1. Invest in the most impactful security measures and build toward a mature cybersecurity plan.
Prioritize the highest-impact measures. It’s not a new concept, but it’s a smart one. This will look different depending on the school district, as some may already have a strong cybersecurity posture, some may be lagging, and some may have advanced state-level compliance regulations that they're required to meet. It’s up to the district to determine what the most impactful security measures look like for them: What areas will deliver the greatest improvements at the largest scale, for the most students and families?
One particular area of concern is email and collaboration workflows, both within and outside the school district. “No K–12 institution is an island,” the CISA report states. “Information sharing and collaboration with peers and partners is essential to build awareness and sustain resilience.”
Email and file-sharing workflows represent a huge area of risk — and a high-impact opportunity to strengthen data protection. Schools must collaborate with a high volume of external parties, from parents and guardians, to law enforcement, to state and local government entities. They also manage highly sensitive information about their students, including personally identifiable information (PII), health records (including protected health information, or PHI), developmental data (such as individualized education plans or IEPs), and even forms for extracurricular activities and athletics.
If you’re looking to prioritize protecting high-impact data protection, Virtru customer Showkat Choudhury, CIO of Central State University, says it well: Young students are “just starting their lives,” Choudhury emphasized. “At this early age, if they lost their most securely held information — date of birth, health records, social security numbers — if it’s compromised just one time, that information may float on the web for decades.”
2. Recognize and actively address resource constraints.
It’s no secret that U.S. schools are budget- and resource-constrained. Ask almost any teacher or administrator, "Does your school have adequate budget to support your students in all the ways you're expected to support them?" and, after laughing at you, they will likely respond with, "Uh, no."
In order to take appropriate action when it comes to data security, schools must take stock of where they stand today in terms of staffing and resources. Schools will have to spend wisely to implement the most robust, easy-to-implement technologies to protect their students. This is why schools need affordable data protection solutions that strengthen student privacy and meet compliance needs like HIPAA, CJIS, FERPA, and state regulations like New York Ed Law 2-D — at a price that is reasonable for even a small underfunded district.
“We do not have a big tech budget,” said Virtru customer Sunshine Miller, IT Director for Newfield Central School District in New York. “We don't have a big general budget for the district at all. We have a very high level of students with special education needs, and a very high level of students that come from poor homes. So, there are lots of thorns on the rose here. We did not think that we would be able to afford encryption for the district, but Virtru has been great for us. I am so happy that we've actually been able to afford encryption — and that we've been able to afford it for the whole district. It's very rare that a company gives you the full product, at a reasonable price that a school district like ours can afford.”
Miller emphasizes the greater impact of protecting student data: “The administration and IT team believe that something as important as data protection should not be reserved for districts that can afford it. Virtru has filled that inequity gap for us, and that's so important.”
3. Focus on collaboration and information-sharing.
CISA highlights that collaboration and information sharing are essential functions of a school district. Schools will always need to share information externally, so it’s vital not to overlook these workflows, and not to let student data become compromised in the process of sharing information externally.
Collaboration is one of the most common voluntary vulnerabilities, and it’s a real conundrum for schools in particular. If a teacher needs to send a student’s IEP to a parent, and that parent isn’t particularly tech-savvy, a cumbersome portal-based encryption solution is not going to work well. If a parent can’t access this important information, a teacher might be tempted to just send it in a standard email, which exposes the student’s sensitive data to risks.
Teachers are immensely resource-constrained and, in the wake of a pandemic, their responsibilities are even more vast than ever before. This is why ease of use is vital to securing student data. Teachers don’t need more hurdles to jump. If it’s not easy, it’s going to be yet another challenge for them to overcome, and no one wants that.
Make It Easy for Teachers and Administrators to Protect Student Data
Thankfully, data protection doesn’t have to be cumbersome. It can be simple, integrated, and even automated so that teachers can focus on supporting and educating their students.
Because email, file-sharing, and collaboration workflows represent such a big swath of risk for schools, these areas are a great place to start. As CISA highlights, this represents a high-impact area that schools should be prioritizing.
Virtru makes it easy for teachers and administrators to protect student data with end-to-end encryption, while also making it easy for parents and external parties to access the sensitive information that’s been shared with them. Our client-side encryption solutions put control in the user’s hands, and our server-side encryption can automate certain workflows (for example, automatically encrypting any email leaving the network with the keyword “IEP” or “medical record) — offering a layer of seamless protection that takes human error out of the equation.
Finally, and importantly, Virtru is affordable for the schools that need it most. Whether you’re using Google Workspace or Microsoft, Virtru meets your teachers and staff where they are, and we can help you protect the high-stakes data that you’ve been entrusted with.
We’d love to talk with your school about your options for data protection. Book a demo with our team today to start the conversation.
