What does your organization have that’s of value?
- Banks and ATMs have cash.
- Department stores have goods.
- Grocery stores have food stuff.
What does your organization have that’s of value?
Old desks? Those are kind of bulky and hard to just run off down the street with. What about those 10-year-old textbooks? Good luck selling those on Amazon for $.25. And like desks, textbooks are typically also difficult to run off with. There is something that schools have that’s built up in bits and bytes, 1s and 0s that has a great deal of value: student information.
Unlike a missing spot on a grocery store shelf, if someone were to steal a school’s student data, no one would know right away and no one could be stopped literally running down the road with it. The thieves may never be detected until they are the online equivalent of miles away from a student information system. While schools don’t have millions of dollars sitting in a back vault, they have gigabytes of value stored within their student information system.
There are many estimations of what student data is worth on the dark web. For the purposes of this piece, I’m not going to throw numbers out there because I’m unsure of the accuracy of any one report. What I do know without giving a dollar amount, as an IT expert in the education industry, is that student data is worth enough to steal from school districts.
Why would anyone steal student data from kindergarteners all the way to college graduates? What are cybercriminals doing with the data? Here’s a small sample of what they could be doing with student data: Medicare fraud, applying for credit cards, or other forms of identity fraud.
What makes it even more dangerous is that few people think to run credit checks and identity fraud checks on their children or school-age children. It’s only when the student is trying to apply for a financial product in the future that they notice what could be years of fraud involving their identity, leading to devastating effects on those students down the line and throughout the rest of their lives.
A few suggestions on how to keep your student data from being exploited:
1. Be a Data Gatekeeper
Take your responsibility as a gatekeeper to student data very seriously. When allowing access to any student information, only give staff members or contractors the access they need and no more. This is called the principle of least privilege. This is not about holding information back or a power play. Simply put, it’s about only giving wide access to people who absolutely need it to complete their jobs, such as the director of technology or a database manager. The more people who have broad access, the more potential paths nefarious people have into accessing all (or much) of your student information.
And no, IT leaders, your personal account shouldn’t have domain admin rights.
2. Updates, updates, updates…
Aren’t updates a drag? If you use Windows 10, you no doubt are sick of the “perpetual beta” mindset of Microsoft that has led to many updates for the operating system. Is it a pain? Yup! Do you need to do it? Absolutely! Updates are there for a reason: to protect end users from vulnerabilities that have been found and exploited. IT staff, keep your servers updated. Run firmware updates on switches, firewalls and all your major pieces of infrastructure. Be diligent. You can’t afford not to be.
3. Teach your people well
Get in front of the people in your organization and talk about how important it is that they take care of their credentials. Help them understand what a phishing message looks like and why not to click on it.
In my current district, we have done awareness sessions on how phishing works. Then, we followed it up with campaigns with our own internally created phishing emails. The results weren’t great since many people still clicked on our fake phishing emails. But, every click that happened during these campaigns was another teachable moment to help people understand these concepts. Plus, maybe they will be wiser when a REAL phishing email crosses their inbox.
People are trusting. They are trusting to a fault and bad actors know that and try to exploit the good nature of people every day.
4. Get over it
You can’t and won’t be able to stop everything, just like you can’t guarantee everything on your network will work all of the time. It’s not that you don’t strive for that 0 downtime, or fight like hell every day to keep your network safe. That’s a given.
In IT, you mitigate risk and work to plan for the day you hope will never come. That’s the last piece of advice.
My colleague Ryan Cloutier from Minnesota likes to say “your data breach is coming…are you prepared for it?” While you’re doing all the work that needs to be done to strengthen and maintain the integrity of your network, make sure you have a plan in place for the instance when data is leaked or information is exposed. It’s not fun to think about, but it’s part of our role. Be prepared for a disaster recovery situation. Be ready, because when it comes, your actions after the incident will help to limit exposure and provide transparency to those impacted.
About the Author:
Nathan Mielke has worked in ed tech for a dozen years. His experiences include K-12 libraries, desktop/network support, instructional technology coaching, assessment coordination and most recently as a technology director for a 1:1 union high school district with over 1400 students. He specializes in building reliable, efficient systems to support student learning and school operations. He shares his insights and expertise in a variety of publications such as CoSn, ASCD, and his blog, Solution Agnostic. Nathan is a current StormWind Studios student and uses this training to be an even better leader in the K-12 educational technology industry.