Trends | Features

4 Hot Spots for K-12 Security in 2012

• By Dian Schaffhauser
• 01/18/12

The security trends that dominated in K-12 during 2011 will continue to have a wide seat at the table in 2012 too. But a few are approaching a tipping point that may just succeed in bringing them out of the cubicles of IT and into the offices of a broader set of district leaders.

BYOD
As more schools and districts adopt a bring-your-own-device strategy, IT departments will have to get their game up to stay on top of device diversity. As Peter Davin, CEO of security software firm Cryptozone Group, pointed out, "One security policy for everyone using mobile devices is not a suitable approach when users form such a non-homogenous group."

That strategy will have to take into consideration several components, Davin noted: making sure school and district data maintained on the network is safe from both casual infections of malware and prying eyes and educating students about the protection of their own data should their device be stolen, as well as the procedures to follow should that happen.

Before programs roll out, some schools are trying out day-long cyber-security camps and workshops to educate kids and parents about the dangers and challenges that lurk within BYOD.

Regulation Soup
A number of Web sites, including Google and Wikipedia, are taking a stand today--January 18--against proposed legislation. Currently, the United States Senate is considering PIPA, the Protect IP Act, written with the intention of giving the government and copyright holders additional legal powers to curb sites "engaging in or facilitating copyright infringement"; the House is evaluating a similar bill, this one named SOPA, for "Stop Online Piracy Act."

Whether those actually move forward or not, they may portend fudging with regulations that already exist, and which "Hack Education" blogger Audrey Watters called "woefully out of date." In a recent article for public media station KQED, Watters predicted that COPPA (the Children’s Online Privacy Protection Act), CIPA (the Children’s Internet Protection Act), and FERPA (the Family Educational Rights and Privacy Act) would all face a makeover in coming months.

As part of those activities, she added, there may be greater focus on student control of their own educational data--"both privacy protections and data portability."

Cloud Service Providers
As school districts turn to the cloud to deliver applications or provide infrastructure to address diminishing budgets and staff, IT administrators may be in for a rude shock when they discover that their service providers are as vulnerable to security problems as an open source honeypot.

Ponemon Institute, a firm that conducts research on information security, recently interviewed 769 IT security and IT support practitioners in a number of fields. In a January 2012 Ponemon report sponsored by DriveSavers, a data recovery service, researchers found that security isn't always a major criterion during the vendor selection process. In fact, of the 87 percent of respondents who experienced a data breach in the past two years, 21 percent said the breach occurred when a drive was in the possession of a data recovery vendor.

While 55 percent of respondents said their organizations used cloud service providers, more than half said they weren't particularly confident that the provider would even inform them that it would use a third-party vendor to recover data should the need arise.

In other words, the use of cloud-based services is on the rise everywhere, including in school districts, but the security aspects are getting far too little attention in the decision-making process.

Data Privacy
2011 wasn't a good year for schools and data breaches. A multitude of districts suffered the ignominy of being added to the roster maintained by the Open Security Foundation's DataLossDB--from Brownsville School District's accidental online exposure of employee names, Social Security numbers, and estimated monthly salary data to Wakulla County School District's inadvertent release of 2400 students' FCAT scores and Social Security numbers. Aside from a few incidents in which students explicitly accessed private information about their teachers or staff tossed confidential documents into trash bins, most of the security events took place because somebody did something foolish, such as allowing a laptop with confidential details to be stolen or posting publicly online what should have been kept private.

In most of these situations, the count of those touched is relatively small--perhaps a few thousand--compared to, say, a Zappos incident, in which millions of people could potentially be affected. But for those whose information has been breached, stolen, hacked into, or thrown out with the snack time milk cartons, the potential hassle factor is huge.

Likewise, aside from Lady Gaga's performance outfits, nothing changes faster than security threats. Since data breaches and other nasty security events are a given in school environments, what has to become rock-solid is the way the IT organization responds to such incidents.

As Cryptozone's Davin explained, "Establishing and communicating incident handling policies and procedures that can be quickly adapted as the threat landscape changes will be crucial to damage limitation. Creating a culture where staff is not afraid to raise security concerns or report security incidents promptly should figure prominently."

For lack of staff, expertise, and time, school districts for the most part still don't put a huge emphasis on education programs similar to those run in many colleges and corporations to continually remind people about the rules they need to follow when dealing with confidential data. Maybe 2012 will be the year that starts to change, especially if class action suits begin to surface, making the mitigation of risk more palatable and far less pricey than the potential of extended legal actions.