Student Privacy & Cybersecurity For Schools (And Everyone Else Too)

After hearing about the Equifax breaches, Gmail phishing scams, and French and American political email hacks it can seem like the best answer is to disconnect and finally buy that hidden cabin in the woods. I understand that temptation when it seems like some random script kitty who found a new tool can put your future in jeopardy by co-opting your history. There are steps though that can be taken short of completely unplugging. It’s amazing that despite all the technological challenges we encounter within the massiveness of New York City’s school system there hasn’t yet been a major staff or student information breach that I’m aware of. It is a testament to the skill and vigilance of the NYCDOE’s cyber-security staff.

What’s even more interesting is that there may be major changes on the horizon for how web security, content filtering, and proxy solutions in my city and nation-wide. Whatever type of system you are in from a one-room schoolhouse to a massive technologically complex district, cybersecurity solutions must be considered carefully. Ultimately, it is important for you to be part of that solution. Cybersecurity must now be preventative and not just a monthly scan with outdated software (I’m looking at you Norton).

Guidelines

It is incumbent on you to make sure that you are individually and organizationally committed to student privacy and security guidelines. The may mean reviewing rules FERPA (Family Educational Rights and Privacy Act), PPRA (Protection of Pupil Rights Amendment), and COPPA (Children’s Online Privacy Protection Act) or Europe’s new GDPR (General Data Protection Regulation) guidelines. Generally speaking, you should not allow sharing of private student information amongst non-authorized individuals and you must allow authorized parents to be able to view these records upon request. This means any technology you use needs to be compliant with these same stipulations.

Student safety should always be of paramount importance and privacy is an essential part of that.

3 Steps For Cybersecurity

Step 1: People

People, meaning you, are the first and most important step in security. That means the administration and tech staff have to believe in and be committed to security. They need to allow this information to be disseminated emphatically to staff. On a small scale, this may mean don’t leave printouts of student IEPs (legal and identifiable documents) or your bank statement laying out by a printer. For the same reason that most staff don’t enter a full social security number on forms (because they should already have it), you should not leave student info open and easily available including home addresses, full names, and student ID numbers. That information also shouldn’t be used as standalone login names as any list of those

There are also basic steps that can be taken like not leaving logins and passwords lying around. Don’t make passwords you can’t remember, but follow the guidelines. That means don’t use abcd1234 or password if you actually care about your data. Login names shouldn’t be full student names or ID numbers even if it means elementary students will have a harder time logging in. In that instance use login cards to remind them that get returned and stored securely.

Schools and districts invest big money in top-of-the-line protection. Please don’t bypass it. Don’t skip a disk scan when you plug in your flash drive. Don’t open questionable emails. Don’t attempt to bypass site blocks with VPNs. If you think a site legitimately should be unblocked, request it. The NYCDOE has a request form just for that purpose. Not only do VPNs open you to a number of security risks, but it will slow down your network connection as well.

Step 2: Process

There are equipment management tools (i.e. Meraki), systems protection (McAfee), network protection (Websense), and tracking (CompuTrace) that can and should be put in place by an organization. Keep your staff up to date on this information through newsletters or, might I say, informative blogs like this one. Hopefully, they will ‘buy-in’ to the idea that information and network security are important especially when you con.

Step 3: Technology

Technology is the final step of the process. This might mean a Firewall and IPS (IntrusioPreventionon System) which prevent sites with security breaches. This is why some sights should be blocked by schools regardless of the content you can see. There is also application and device control (why you can’t automatically download and install whatever you want). These prevent security errors that might be caused by unsavvy staff. Finally, there are proactive threat protection scanning and the Antivirus & Anti-spyware. These protections are usually directly on your computer. You should regularly reimage/update systems to keep this protection consistent. It is your responsibility to protect your personally identifiable information (PII) as well as that of students.

Learning about online safety

There are a number of places to learn about online safety which I discuss heavily in my previous posts Responsible Digital Citizenship and How to Celebrate Digital Citizenship Week. In addition, NOVA Labs have created a fun game to train students in what it’s like fighting the cybersecurity battle for a large company. Apart from those learning opportunities, there are a number of behaviors you should avoid to maintain appropriate digital security.

BEHAVIORS TO AVOID

sticking post-it notes with passwords on your computer?!?!
responding to unknown/unsolicited emails
using weak passwords
not updating equipment/software
emailing financial or SSN info through unsecured email
visiting unsecured sites (many innocuous looking sites contain malicious lines of code)
using risky file-sharing software
storing sensitive info online via Dropbox or other service
leaving personal secure paper documentation on your unattended desk