Banks and ATMs have cash. Department stores have goods. Grocery stores have food. But what does your organization have that’s of value?
Old desks? Those are kind of bulky and hard to just run off down the street with. What about those 10-year-old textbooks? Good luck selling those on Amazon for $0.25. And like desks, textbooks are typically difficult to run off with. But there is something that schools have that has a great deal of value: student information.
Unlike a missing spot on a grocery store shelf, if someone were to steal a school’s student data, no one would know right away and no one could be found literally running down the road with it. The thieves may never be detected until they are the online equivalent of miles away from a student information system. While schools don’t have millions of dollars sitting in a back vault, they do have gigabytes of value stored within their student information system.
There are many estimations of what student data is worth on the dark web. For the purposes of this piece, I’m not going to throw numbers out there because I’m unsure of the accuracy of any one report. What I do know without giving a dollar amount, as an IT expert in the education industry, is that student data is worth enough to steal from school districts.
Why would anyone steal student data from kindergarteners all the way to college graduates? What are cybercriminals doing with the data? Here’s a small sample of what they could be doing with it: Medicare fraud, applying for credit cards, and many other forms of identity fraud.
What makes it even more dangerous is that few people think to run credit checks and identity fraud checks on their school-age children. It’s only when that student is trying to apply for a financial product in the future that they notice what could be years of fraud involving their identity, leading to devastating effects down the line.
A few suggestions on how to keep your student data from being exploited:
1. Be a Data Gatekeeper
Take your responsibility as a gatekeeper to student data very seriously. When allowing access to any student information, only give staff members or contractors the access they need and no more. This is called the principle of least privilege. This is not about holding information back or playing power games. Simply put, it’s about only giving wide access to people who absolutely need it to do their jobs, such as the director of technology or a database manager. The more people who have broad access, the more potential paths an attacker has to all (or much) of your student information.
And no, IT leaders, your personal account shouldn’t have domain admin rights.
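One way to turn that last point into a routine check, as an added example that is not part of the original post: a PowerShell audit of who actually sits in Domain Admins and which of those accounts look like everyday user accounts. It assumes the ActiveDirectory module (RSAT) is installed, that you have rights to read group membership, and that dedicated admin accounts follow a naming convention (the "adm-" prefix here is an assumption; change it to match your district).

```powershell
# Added example (not from the original post): audit the Domain Admins group and
# flag members that look like personal, day-to-day accounts.
# Assumptions: ActiveDirectory module available; admin accounts use an "adm-" prefix.
Import-Module ActiveDirectory

$AdminPrefix = 'adm-'   # assumed naming convention for dedicated admin accounts

# -Recursive expands nested groups, so members of groups placed inside
# Domain Admins are included in the audit.
$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties LastLogonDate, PasswordLastSet, Enabled, EmailAddress

$findings = foreach ($m in $members) {
    $reasons = @()
    if ($m.SamAccountName -notlike "$AdminPrefix*") {
        $reasons += 'does not follow the admin-account naming convention (likely a personal account)'
    }
    if ($m.EmailAddress) {
        $reasons += 'has a mailbox (a privileged account should not receive email)'
    }
    if ($m.PasswordLastSet -and $m.PasswordLastSet -lt (Get-Date).AddDays(-180)) {
        $reasons += 'password older than 180 days'
    }
    if (-not $m.Enabled) {
        $reasons += 'disabled account still holds Domain Admins membership'
    }
    [PSCustomObject]@{
        Account       = $m.SamAccountName
        LastLogonDate = $m.LastLogonDate
        Findings      = ($reasons -join '; ')
    }
}

"Domain Admins member count: $($members.Count)"
$findings | Sort-Object Account | Format-Table -AutoSize
```

Run it from an admin workstation and treat every row with a non-empty Findings column as a conversation to have: a personal account with a mailbox in Domain Admins is exactly the phishing-to-full-compromise path the principle of least privilege is meant to close.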
2. Updates, updates, updates…
Aren’t updates a drag? If you use Windows 10, you are, no doubt, sick of the “perpetual beta” mindset of Microsoft that has led to many updates for the operating system. Is it a pain? Yup! Do you need to do it? Absolutely! Updates are there for a reason: to protect end users from vulnerabilities that have been found and exploited. IT staff, keep your servers updated. Run firmware updates on switches, firewalls, and all your major pieces of infrastructure. Be diligent. You can’t afford not to be.
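A quick way to see how far behind a given Windows server or workstation actually is, added here as an example and not part of the original post: this script reads the local update history and asks the built-in Windows Update Agent which applicable updates are still missing. It uses only the Windows Update Agent COM API and Get-HotFix, so no extra modules are needed; run it in an elevated session on the machine being checked. The 30-day threshold is an assumption to match to your own patch policy.

```powershell
# Added example (not from the original post): report patch status of the local host.
# Assumption: $MaxDaysSincePatch reflects your district's patch policy.
$MaxDaysSincePatch = 30

# Most recent hotfix according to the local update history.
$lastHotfix = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

# Ask the Windows Update Agent for applicable updates that are not yet installed.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

$pending = foreach ($u in $result.Updates) {
    [PSCustomObject]@{
        Title    = $u.Title
        Severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'n/a' }
        KBs      = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
    }
}

$daysSince = if ($lastHotfix) {
    (New-TimeSpan -Start $lastHotfix.InstalledOn -End (Get-Date)).Days
} else { $null }

"Host: $env:COMPUTERNAME"
"Last hotfix: $($lastHotfix.HotFixID) installed $($lastHotfix.InstalledOn) ($daysSince days ago)"
"Pending updates: $($result.Updates.Count)"
$pending | Sort-Object Severity | Format-Table -AutoSize

# Flag the host if it is stale or has a critical update outstanding.
if ($daysSince -gt $MaxDaysSincePatch -or ($pending | Where-Object Severity -eq 'Critical')) {
    Write-Warning "$env:COMPUTERNAME is outside the patch policy: review the list above."
}
```

Wrapped in Invoke-Command against your server list, this gives a weekly picture of which infrastructure is drifting, which is the diligence the item above is asking for.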
3. Teach your people well
Get in front of the people in your organization and talk about how important it is that they protect their credentials. Help them understand what a phishing message looks like and why they shouldn’t click on it.
In my current district, we’ve done awareness sessions on how phishing works. Then, we followed it up with campaigns with our own internally created phishing emails. The results weren’t great since many people still clicked on our fake phishing emails. But, every click that happened during these campaigns was another teachable moment to help people understand these concepts. Plus, maybe they will be wiser when a REAL phishing email crosses their inbox.
People are trusting. They are trusting to a fault, and bad actors know it and try to exploit people’s good nature every day.
4. Get over it
You can’t and won’t be able to stop everything, just like you can’t guarantee everything on your network will work all of the time. It’s not that you don’t strive for that zero downtime or fight like hell every day to keep your network safe. That’s a given.
In IT, you mitigate risk and work to plan for the day you hope will never come. That’s the last piece of advice.
My colleague Ryan Cloutier from Minnesota likes to say “your data breach is coming…are you prepared for it?” While you’re doing all the work that needs to be done to strengthen and maintain the integrity of your network, make sure you have a plan in place for the moment when data is leaked or information is exposed. It’s not fun to think about, but it’s part of our role. Be prepared for a disaster recovery situation. Be ready, because when it comes, your actions after the incident will help to limit exposure and provide transparency to those impacted.
About the Author:
Nathan Mielke has worked in EdTech for a dozen years. His experiences include K-12 libraries, desktop/network support, instructional technology coaching, assessment coordination, and most recently, serving as technology director for a 1:1 union high school district with more than 1,400 students. He specializes in building reliable, efficient systems to support student learning and school operations. He shares his insights and expertise in a variety of publications such as CoSN, ASCD, and his blog, Solution Agnostic. Nathan is a current StormWind Studios student and uses this training to be an even better leader in the K-12 educational technology industry.