4 Hot Spots for K-12 Security in 2012

  • By Dian Schaffhauser
  • 01/18/12

The security trends that dominated in K-12 during 2011 will continue to have a wide seat at the table in 2012 too. But a few are approaching a tipping point that may just succeed in bringing them out of the cubicles of IT and into the offices of a broader set of district leaders.

BYOD
As more schools and districts adopt a bring-your-own-device strategy, IT departments will have to get their game up to stay on top of device diversity. As Peter Davin, CEO of security software firm Cryptozone Group, pointed out, "One security policy for everyone using mobile devices is not a suitable approach when users form such a non-homogenous group."

That strategy will have to take into consideration several components, Davin noted: making sure school and district data maintained on the network is safe from both casual infections of malware and prying eyes and educating students about the protection of their own data should their device be stolen, as well as the procedures to follow should that happen.

Before programs roll out, some schools are trying out day-long cyber-security camps and workshops to educate kids and parents about the dangers and challenges that lurk within BYOD.

Regulation Soup
A number of Web sites, including Google and Wikipedia, are taking a stand today--January 18--against proposed legislation. Currently, the United States Senate is considering PIPA, the Protect IP Act, written with the intention of giving the government and copyright holders additional legal powers to curb sites "engaging in or facilitating copyright infringement"; the House is evaluating a similar bill, this one named SOPA, for "Stop Online Piracy Act."

Whether those actually move forward or not, they may portend fudging with regulations that already exist, and which "Hack Education" blogger Audrey Watters called "woefully out of date." In a recent article for public media station KQED, Watters predicted that COPPA (the Children’s Online Privacy Protection Act), CIPA (the Children’s Internet Protection Act), and FERPA (the Family Educational Rights and Privacy Act) would all face a makeover in coming months.

As part of those activities, she added, there may be greater focus on student control of their own educational data--"both privacy protections and data portability."

Cloud Service Providers
As school districts turn to the cloud to deliver applications or provide infrastructure to address diminishing budgets and staff, IT administrators may be in for a rude shock when they discover that their service providers are as vulnerable to security problems as an open source honeypot.

Ponemon Institute, a firm that conducts research on information security, recently interviewed 769 IT security and IT support practitioners in a number of fields. In a January 2012 Ponemon report sponsored by DriveSavers, a data recovery service, researchers found that security isn't always a major criterion during the vendor selection process. In fact, of the 87 percent of respondents who experienced a data breach in the past two years, 21 percent said the breach occurred when a drive was in the possession of a data recovery vendor.

While 55 percent of respondents said their organizations used cloud service providers, more than half said they weren't particularly confident that the provider would even inform them that it would use a third-party vendor to recover data should the need arise.

In other words, the use of cloud-based services is on the rise everywhere, including in school districts, but the security aspects are getting far too little attention in the decision-making process.

Data Privacy
2011 wasn't a good year for schools and data breaches. A multitude of districts suffered the ignominy of being added to the roster maintained by the Open Security Foundation's DataLossDB--from Brownsville School District's accidental online exposure of employee names, Social Security numbers, and estimated monthly salary data to Wakulla County School District's inadvertent release of 2400 students' FCAT scores and Social Security numbers. Aside from a few incidents in which students explicitly accessed private information about their teachers or staff tossed confidential documents into trash bins, most of the security events took place because somebody did something foolish, such as allowing a laptop with confidential details to be stolen or posting publicly online what should have been kept private.

In most of these situations, the count of those touched is relatively small--perhaps a few thousand--compared to, say, a Zappos incident, in which millions of people could potentially be affected. But for those whose information has been breached, stolen, hacked into, or thrown out with the snack time milk cartons, the potential hassle factor is huge.

Likewise, aside from Lady Gaga's performance outfits, nothing changes faster than security threats. Since data breaches and other nasty security events are a given in school environments, what has to become rock-solid is the way the IT organization responds to such incidents.

As Cryptozone's Davin explained, "Establishing and communicating incident handling policies and procedures that can be quickly adapted as the threat landscape changes will be crucial to damage limitation. Creating a culture where staff is not afraid to raise security concerns or report security incidents promptly should figure prominently."

For lack of staff, expertise, and time, school districts for the most part still don't put a huge emphasis on education programs similar to those run in many colleges and corporations to continually remind people about the rules they need to follow when dealing with confidential data. Maybe 2012 will be the year that starts to change, especially if class action suits begin to surface, making the mitigation of risk more palatable and far less pricey than the potential of extended legal actions.

Featured

  • The AI Show

    Register for Free to Attend the World's Greatest Show for All Things AI in EDU

    The AI Show @ ASU+GSV, held April 5–7, 2025, at the San Diego Convention Center, is a free event designed to help educators, students, and parents navigate AI's role in education. Featuring hands-on workshops, AI-powered networking, live demos from 125+ EdTech exhibitors, and keynote speakers like Colin Kaepernick and Stevie Van Zandt, the event offers practical insights into AI-driven teaching, learning, and career opportunities. Attendees will gain actionable strategies to integrate AI into classrooms while exploring innovations that promote equity, accessibility, and student success.

  • laptop displaying a red padlock icon sits on a wooden desk with a digital network interface background

    Reports Point to Domain Controllers as Prime Ransomware Targets

    A recent report from Microsoft reinforces warns of the critical role Active Directory (AD) domain controllers play in large-scale ransomware attacks, aligning with U.S. government advisories on the persistent threat of AD compromise.

  • laptop displaying a glowing digital brain and data charts sits on a metal shelf in a well-lit server room with organized network cables and active servers

    Cisco Unveils AI-First Approach to IT Operations

    At its recent Cisco Live 2025 event, Cisco introduced AgenticOps, a transformative approach to IT operations that integrates advanced AI capabilities to enhance efficiency and collaboration across network, security, and application domains.

  • educators seated at a table with a laptop and tablet, against a backdrop of muted geometric shapes

    HMH Forms Educator Council to Inform AI Tool Development

    Adaptive learning company HMH has established an AI Educator Council that brings together teachers, instructional coaches and leaders from school district across the country to help shape its AI solutions.