When it comes to cybersecurity, the K-12 education sector has room to grow.

According to a study on K-12 cloud security by ManagedMethods, 86% of surveyed district-level school administrators reported either using or planning to implement cloud-based student data management programs — but half of respondents did not have or were unsure if they had a cybersecurity platform in place to protect that data.

School administrators in charge of K-12 cybersecurity deal with a myriad of challenges while navigating how best to secure the data of their students and staff. Andy Lombardo, Director of Technology at Maryville City Schools in Tennessee, and Charlie Sander, CEO of ManagedMethods, discuss the current threat landscape and how school administrators and IT directors can best maintain data privacy in their communities.

Challenges of K-12 data privacy

The cybersecurity knowledge gaps in the K-12 sector present opportunities for cyberattacks on unprepared systems. "One of the main data privacy challenges K-12 cybersecurity leaders face today comes down to detection," according to Lombardo. "The education industry in general is a bit further behind other industries. There are a lot of cases where data breaches and compromises are either not reported or not known, and this can threaten data privacy if not addressed."

Another challenge of securing school data is insider risk. "One of the biggest threats to data privacy is students and staff," said Sander. "Accidental data leaks are most common because of someone improperly sharing or storing sensitive documents in their school-provided cloud shared drives. It’s important that administrators protect privacy from both external and internal exposure."

How to start securing school data

Faced with knowledge gaps and cyber threats from internal and external sources, those responsible for K-12 cybersecurity should begin by assessing their organization's threat and risk levels. Lombardo recommended looking into the Cybersecurity Self-Assessment from The K-12 Cybersecurity Resource Center and the cybersecurity standards from the K-12 Security Information Exchange (K12 SIX) as a starting point for school administrators in charge of data privacy.

"Districts also need to be proactive about auditing who has access to their data — vendors included," said Lombardo. "The Student Data Privacy Consortium (SDPC) is an indispensable tool for data sharing agreements and localized student privacy resources. Getting started begins with identifying the data that is out there, who is accessing it, and what it is being used for."

Once school administrators research their current cybersecurity posture, they can tackle more specific challenges faced throughout the district. According to Sander, further steps for K-12 cybersecurity leaders include:

  1. Set up external sharing standards to prevent accidental sharing of sensitive data
  2. Require a strong password for administrative staff
  3. Enable multi-factor authentication for staff (at minimum)
  4. Require data-sharing agreements with vendors
  5. Manage the access and permissions of learning management apps used in schools