Is Your Student Information Secure?

Steps to Protect Your Student’s Data from Cyberattacks

McGraw Hill, published in Inspired Ideas
6 min read, Mar 10, 2021

By Alicia Putrino, Chief Information Security Officer at McGraw Hill

The coronavirus pandemic turned the education industry on its head. It accelerated the expansion of EdTech and suddenly made digital learning the norm in schools across the world. This rapid and radical change also exacerbated existing cybersecurity vulnerabilities in school districts’ IT networks and put at significant risk the sensitive student data those districts are obligated to protect.

In fact, reported cyberattacks affecting K-12 schools in the US more than doubled in August and September 2020, as students began a new school year online. School districts representing more than 700,000 students across the country were impacted as cybercriminals disabled security systems and gained privileged access to student information — like usernames, passwords, grades, and demographic data — as well as sensitive compensation and performance information about teachers and schools. After being stolen from the schools’ IT systems, much of this sensitive information was then leaked on the dark web.

In still worse cases, after stealing sensitive student data, the criminals then executed a ransomware attack, taking down the districts’ ability to operate in any digital capacity.

Districts are prioritizing student data privacy and cybersecurity measures now more than ever as they increase their reliance on technology — like remote solutions and cloud services for data collection and storage. But for many administrators, cybersecurity is still something “new” to think about.

In previous blogs, we reviewed new student data privacy legislation and how districts can become better data controllers. In this blog, we will outline ways for administrators and instructors to stay ahead of cyberattacks and mitigate the risks posed to valuable student information.

1) Understand What Cyberattacks Look Like

Cyberattacks on schools can take a variety of different forms. Here are some of the more frequent issues facing the education sector.

  • Credential theft (phishing): A criminal sends an email message that appears to come from a trusted source and makes a seemingly legitimate request. There are numerous variations of this social engineering, but they typically involve asking for passwords or other sensitive information to be sent to a fraudulent destination, or entered on a look-alike login page.
  • Cyber extortion: Cyber extortion through ransomware is likely the most critical threat facing schools. Ransomware is a type of malicious software (“malware”) that restricts access to the infected computer system (usually through encryption) and demands that the impacted party pay a ransom to remove the restriction. Like human viruses and infections, ransomware evolves and adapts to counter cyber-defenses and attempts at remediation.
  • Inadequate staff training: Finally, a school district can have the greatest security technology in the world, but without appropriate training of staff, the risk to sensitive information and data will remain high. Inadvertent disclosures of sensitive student data by staff, as well as by independently contracted vendors, remain a pervasive problem for school districts throughout the country. These incidents can easily evolve into major data breaches requiring notification to individuals and government regulators.

2) Know What to Do if a Cyberattack Happens

Every school, school district and administration is different, and each should have its own process for responding to an event. The point to emphasize is to have a plan in the first place.

In the face of the Covid-19 health pandemic and accompanying unrest, many organizations of all kinds found to their dismay that they were either not prepared at all or that the “off the shelf” response plans they acquired years ago were not worth much in this new climate.

For cyber risk, incident response plans should explain the respective roles of the school district’s stakeholders, including IT, administration, legal counsel, and communications. Additionally, there should always be an assessment and remediation plan put in place after the cyberattack has been contained. Proactively addressing the root cause is critical to prevent another incident.

3) Take Steps to Secure Your Student Information

Every one of us plays a part in keeping networks and sensitive information secure.

If you are in IT, stay current on new technologies, new capabilities, and automation. In practice, that means verifying your backups (including that they can actually be restored, and that a copy is kept offline or otherwise out of reach of ransomware), maintaining endpoint protection, and, where possible, adding data security controls such as encryption.

If you are a user, there are simple steps you can take to improve IT security. Also, to the extent possible, administrators can create policies to enforce these best practices for their users.

1) Check Virtual Surroundings

When conducting virtual learning over video, ensure your student’s or teacher’s background does not reveal sensitive information such as addresses, passwords, prescriptions, or family photos.

2) Use Passwords

Be sure to secure each device used for learning with a password or PIN. This helps keep identities and personal information safe if the device is lost or stolen.

However, merely having a password is not enough. Favor length over complexity rules (a passphrase of sixteen characters or more is a good target), screen new passwords against lists of known-breached passwords, and note that current NIST guidance (SP 800-63B) recommends forcing a change when there is evidence of compromise rather than on a fixed ninety-day schedule, since routine forced rotation tends to produce weaker, predictable variations of the old password.

3) Change Default Passwords for Applications

Students are often given very simple passwords for their learning materials, which are oftentimes shared with the entire class. For example, the password is frequently the student’s ID number, a value that classmates, parents, and anyone who has seen a roster can guess. Require users to change these default passwords so that other students, parents, or unauthorized users cannot see the student’s data or personal information, and audit accounts periodically to find the ones that never did.
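Before you can require a change, you need to know which accounts are still on a default. The script below is an added example and not code from the original article or from McGraw Hill; it assumes an account export in a constructed PBKDF2 record format (`pbkdf2_sha256$iterations$salt$hash`), constructed student IDs, and an assumed list of shared class defaults. It re-hashes each likely default with the account’s own salt and reports the accounts that still match, without ever needing the plaintext passwords.

```python
"""Audit a hashed account export for passwords still set to a provisioning default.

Added example, not from the original article. The record format, the student
IDs and the class-default list are all constructed for illustration.
"""
import hashlib
import hmac
import os

ITERATIONS = 50_000  # kept low so the demo runs quickly; production systems use far more


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Produce a record in the (constructed) export format."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def matches(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored record, reusing its salt and cost."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type {algo!r}")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), digest_hex)  # constant-time comparison


def default_candidates(account: dict, class_defaults: list[str]) -> list[str]:
    """Passwords a student account is commonly provisioned with (assumed patterns)."""
    sid = account["student_id"]
    return [sid, account["username"], f"{sid}!", *class_defaults]


def audit(accounts: list[dict], class_defaults: list[str]) -> dict[str, str]:
    """Return {username: matched_default} for every account still on a default password."""
    flagged = {}
    for acct in accounts:
        for cand in default_candidates(acct, class_defaults):
            if matches(acct["password_hash"], cand):
                flagged[acct["username"]] = cand
                break  # one match is enough to require a reset
    return flagged


def make_account(student_id: str, password: str) -> dict:
    """Build one constructed export row with a fresh random salt."""
    return {"student_id": student_id, "username": f"s{student_id}",
            "password_hash": hash_password(password, os.urandom(16))}


# Constructed export: three students never changed their password, one did.
CLASS_DEFAULTS = ["Welcome2021", "Room12"]
ACCOUNTS = [
    make_account("104233", "104233"),
    make_account("104234", "Welcome2021"),
    make_account("104235", "104235!"),
    make_account("104236", "correct horse battery staple"),
]

if __name__ == "__main__":
    for user, default in audit(ACCOUNTS, CLASS_DEFAULTS).items():
        print(f"{user}: still using default password {default!r}")
```

The flagged usernames are the list to hand to your student information system for a forced reset at next login. Because each candidate is re-hashed with the account’s own salt and iteration count, the audit costs one password verification per candidate per account, so keep the candidate list short and run it as a scheduled job rather than on every login.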

4) Remain Vigilant for Malicious and Fraudulent Emails and Text Messages

Scam and fraud attacks increased 300 percent in 2020 due to COVID-19. We all receive massive amounts of email, and it is easy to become desensitized to its content. Make a habit of identifying suspicious emails, meeting invites, and text messages.

When you receive an electronic communication, be sure it is something you were expecting from someone you actually know, and always remain on guard. Check that the sender’s display name matches the actual address in the email header, that any Reply-To address goes to the same organization, and be on the lookout for requests that demand urgency, especially if the request involves sending money or gift cards. In general, do not click links you do not recognize, download files you do not expect, or enter your credentials on websites unfamiliar to you; a link’s visible text can name one site while it actually points to another, so hover over it before clicking.
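The header and link checks described above can be automated as a first-pass triage for a reported message. The following is an added example, not code from the original article or from McGraw Hill; both messages it examines are constructed, the domains are reserved example names, and the list of pressure phrases is an assumption you would extend for your district. It uses only the Python standard library’s `email` parser.

```python
"""Heuristic phishing triage for a raw RFC 5322 message.

Added example, not from the original article. Both sample messages below are
constructed; the Authentication-Results header is what a receiving mail server
stamps on delivery, so the script trusts it only as far as your own gateway does.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Phrases typical of payment and credential lures (assumed list; extend for your district).
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "gift card",
                   "wire transfer", "verify your account", "password")
DOMAIN_RE = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw: str) -> dict:
    """Return the sender, a list of findings, and a verdict for one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)

    # 1. Display-name spoofing: the name shows one domain, the address is another.
    m = DOMAIN_RE.search(display.lower())
    if m and m.group(0) != from_dom:
        findings.append(f"display name shows {m.group(0)} but sender address is {from_dom}")

    # 2. Replies or bounces routed to a different domain than the visible sender.
    for hdr in ("Reply-To", "Return-Path"):
        _, addr = parseaddr(str(msg.get(hdr, "")))
        if addr and domain_of(addr) != from_dom:
            findings.append(f"{hdr} domain {domain_of(addr)} differs from From domain {from_dom}")

    # 3. SPF/DKIM/DMARC results stamped by the receiving mail server.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        r = re.search(rf"\b{mech}=(\w+)", auth)
        if r and r.group(1) != "pass":
            findings.append(f"{mech}={r.group(1)}")

    # 4. Urgency, money or credential language in the subject or body.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    haystack = f"{msg.get('Subject', '')}\n{text}".lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))

    # 5. Link text that names one site while the href goes to another.
    for href, label in LINK_RE.findall(text):
        host = (urlparse(href).hostname or "").lower()
        shown = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", label).lower())
        if shown and shown.group(0) != host:
            findings.append(f"link text shows {shown.group(0)} but points to {host}")

    return {"from": from_addr, "findings": findings, "suspicious": len(findings) >= 2}


# Constructed gift-card lure impersonating a principal from a look-alike domain.
PHISH = """\
From: "Principal Jones (district.example.org)" <principal.jones@district-example.net>
Reply-To: payments@mailbox.example.com
Authentication-Results: mx.district.example.org; spf=fail smtp.mailfrom=district-example.net; dkim=none
Subject: URGENT: gift cards needed before 3pm
Content-Type: text/html; charset="utf-8"

<p>Please buy the gift cards immediately and confirm at
<a href="http://login.district-example.net/portal">https://portal.district.example.org</a>.</p>
"""

# Constructed legitimate message from the real district domain.
BENIGN = """\
From: "Principal Jones" <principal.jones@district.example.org>
Authentication-Results: mx.district.example.org; spf=pass smtp.mailfrom=district.example.org; dkim=pass header.d=district.example.org; dmarc=pass
Subject: Staff meeting Thursday
Content-Type: text/plain; charset="utf-8"

Reminder: the staff meeting is Thursday at 3pm in room 112. Agenda is on the shared calendar.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        report = check_message(raw)
        print(name, "suspicious" if report["suspicious"] else "clean", report["findings"])
```

Two or more independent findings make a message worth escalating; a single hit (a legitimate newsletter with a different Reply-To, say) is common noise. The authentication check is only meaningful when your own gateway adds the Authentication-Results header and strips any copy that arrived from outside, since an attacker can otherwise include a forged one.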

4) Find a Trustworthy Vendor

The IT vendors, including publishers, that your school partners with may have access to an immense volume of student data. Before contracting with any IT vendor, make sure they understand the student data privacy laws in your state as well as your district’s requirements. Contracts with vendors should be clear about how their system will interact with your data, including where and how it will collect, store, and protect the information and, where appropriate, how the vendor will securely destroy it at the end of the relationship.

Do business with a vendor who:

  • Confirms it is compliant with the National Institute of Standards and Technology (NIST) cybersecurity framework or other similar cyber security standards
  • Has a high-security grade in the educational publishing industry. Look at websites like SecurityScorecard.com to determine a vendor’s security grade
  • Has 24/7 security monitoring in place to identify and respond to cyber threats
  • Confirms it maintains a written information security / incident response plan
  • Provides encryption to protect data at rest and in transit
  • Has a best-in-class cybersecurity team that uses “next generation” technology to thwart attacks
  • Maintains appropriate levels of cyber insurance

At McGraw Hill, our approach to student data privacy has earned us the highest security grade in the educational publishing industry. For more on how we are committed to keeping your information safe, visit our data privacy center.

About the author

As the Chief Information Security Officer (CISO), Alicia has led McGraw Hill’s cybersecurity program as the business has evolved from a traditional publisher to a dynamic learning science company. As the education industry has brought digital and online learning to the forefront, Alicia and her team navigate the latest security risks related to distance learning, securing a remote workforce, and protecting student data and the McGraw Hill brand.

Under Alicia’s leadership, McGraw Hill has been consistently ranked top in the educational publishing industry by the SecurityScorecard ratings platform, and has maintained an “A” rating across multiple domains.
