IT leaders can take a twofold approach to help K–12 students meet the new security challenges of remote learning.
They can proactively support students and parents in their efforts to stay safe in the remote learning environment, teaching the importance of cybersecurity. They can also shore up internal systems, processes and infrastructure to back up that learning.
Whatever they do, the reality of schools operating almost entirely online has only heightened concerns about cybersecurity — and with good reason. Some of the nation’s largest school districts have recently dealt with cyberattacks that halted remote learning, spurred leaders to postpone the first day of classes or involved the release of sensitive information.
“Instead of having everyone on one network, you have people on multiple networks, and each of those has its own vulnerabilities,” says Amy McLaughlin, CoSN’s project director for cybersecurity initiatives. “You may have an increase in fraud attacks because people aren’t there to double-check.”
Even before the coronavirus pandemic, cybersecurity was a top-of-mind concern for K–12 technology leaders. Sixty-nine percent of those who responded to CoSN’s annual leadership survey ranked cybersecurity as a No. 1 priority.
To better address cybersecurity, while also accommodating greater networking demands, districts need to be proactive about training users — even the youngest ones.
Address Cybersecurity at a More Accessible Level
You likely can’t teach a 5-year-old all the nuances of cyber hygiene, but there’s much IT staff can do to steer kids down the safest pathways.
As the core tool of remote learning, video itself introduces a range of new security and privacy concerns. Consider the possibility that students can see and potentially record one another, or that adults in the room can see or be seen.
“You are potentially exposing their siblings or other family members,” says Christine Fox, interim executive director of the State Educational Technology Directors Association (SETDA). “There are also issues around parents participating or observing: This is the child’s class, and the parents are not supposed to be directly a part of that. And it is certainly not okay to record a class and then to repost it online and share it.”
Teachers and others can help students navigate safely. Kids can be taught to cover web cameras when not in use, for example, or to use a neutral background that ensures privacy and minimizes issues of social and financial equity.
Lorrie Cranor, director of Carnegie Mellon’s CyLab Security and Privacy Institute, offers additional tips for safe at-home learning:
- Teach kids how to pick a good password or use a password management tool.
- Define “personal information” and teach kids not to share it online without asking a parent first.
- Offer an age-appropriate definition of phishing attacks and scams, so they’ll know how to handle suspect email or online messages.
- Be open: Parents should let kids know that they can talk about things they see online that make them uncomfortable.
Knowing kids won’t always get it right, IT can implement solutions that further enhance security. For example, the same multifactor authentication tools that support teacher and staff identity can be deployed to students and parents.
“Then, if someone does get your password, they still cannot get in,” says Joseph Hall, senior vice president for a strong internet at the Internet Society. “Extending that to students and parents can be inconvenient, but it’s important, since passwords and identity are where bad things can happen.”
Protect Students and Educators Online — Wherever They Are
On the infrastructure side, schools that have deployed devices can support content filtering to ensure kids who are learning at home stay on the straight and narrow. In cases where students are using their own computers, an alternative approach may be required.
“It is really important that when they are in their school space, they are logging into a learning management platform that limits their access,” McLaughlin says. “That ensures that when they are in the classroom, only certain things will work for them.”
Content filtering may need to be fine-tuned for different learners. “There’s a difference between a first grader and a twelfth grader, what kinds of content they should be accessing and what they can be doing,” Fox says.
“At a minimum you have to meet the federal privacy requirements,” she says. “Beyond that you have to look at your specific circumstance, what the tools are that the teachers are using and how they are using them with a specific group of students.”
Hall advises IT staff to also take a fresh look at how data is stored. “Many video calls are being recorded, and those sessions should be encrypted both in transit and in storage,” he says. “In-transit is baked into most solutions. At-rest is a choice you can make; it represents another step and may be an inconvenience for IT administrators, but it’s still an important security measure.”
IT can also support student privacy and security by managing the tools educators use. “Before teachers use an application, it should be vetted and approved by their school district,” McLaughlin says. “There are all sorts of free applications that people get excited about, but they may not have the appropriate privacy protections.”
Support Continuous Awareness of Cybersecurity Best Practices
While technology can support privacy and security, the remote learning environment makes it necessary for everyone in the K–12 ecosystem to put renewed focus on the human element, to educate and inform students themselves about best practices in the online space.
“The current situation has amplified the need for schools and teachers to build cybersafety lessons into the school day,” McLaughlin says.
“This is the cyber version of don’t talk to strangers,” she says. “What is a stranger online? What is appropriate to share online? Who should be in a Zoom meeting? These can’t be things we teach once a year. Schools need to educate children continuously on these critical digital life skills.”