Parents and school officials must collaborate to operate schools like a digital native start-up instilled with a security culture
Parents have long held a special duty to protect their school-aged children from bad actors on the Internet.
Now COVID-19 has dramatically and permanently expanded that parental responsibility, as well as extended it to ill-prepared school officials in K-12 campuses all across the nation. The prospect of remotely-taught lessons remaining widespread for some time to come has profound privacy and cybersecurity implications, going forward.
Overnight, those in charge must learn how to operate all of our elementary, junior high and high schools as if they were digital-native startups. Students, parents and teachers at each K-12 facility, henceforth, need to be treated as the equivalent of remote workers given to using a wide variety of personally-owned computing devices and their favorite cloud services subscriptions. And it must be assumed that many of them are likely ignorant of good cyber hygiene practices.
School district officials will have to adapt and embrace a bold, new paradigm – and they’ll have to do it fast. The stakes are very high. Organized hacking groups will be quick to single out — and plunder — the laggards. Here’s what all parents and school officials need to spend the summer thinking about and planning for:
"Zoom-bombing" entered our lexicon soon after schools began their first attempts at using the suddenly indispensable video conferencing tool to conduct classes online. Attackers quickly figured how to slip obscenities and even pornographic videos into live classes.
This was an early indicator of how far most schools have to go in adopting an appropriate security posture. No one enforced the use of passwords, nor insisted on strict teacher control of those lessons. To Zoom’s credit, password protection and a "waiting room" feature, which allows the host to control when a participant joins the meeting, are the default settings
for its free and single license paid accounts. Yet it’s understandable that a teacher, in the absence of school policy, might disable the password and waiting room functionalities to keep the class open to last-minute stragglers.
"What people have to keep in mind is that using a cloud service to hold a meeting or call is kind of like having a meeting out in the middle of a city where anybody can potentially join or listen in to what’s going on, or just cause problems," observes Kowsik Guruswamy, chief technology officer at Menlo Security, a Silicon Valley-based supplier of malware-blocking technology. "However, these inconveniences of enforcing passwords and using waiting rooms are completely reasonable if you want to ensure a secure, private meeting."
Clearly, school districts need to set basic security criteria for Zoom classes, including processes for making sure participants only use the latest, fully patched version of whatever collaboration tools are being used and reporting any malicious, or even suspicious, activity to school district security.
Zoom-bombing is comparatively easy to get under control. However, operating more like a digital-native company presents a host of complex exposures school districts will now have to come to grips with.
For one thing, the youngsters are apt to be light years ahead of the adults in terms of their digital aptitude. "The fact is that K-12 students are social media savvy, incredibly comfortable on the internet and willing to stretch the boundaries of common sense, to a greater degree than the faculty," says Colin Bastable, CEO of Lucy Security, a cybersecurity training company based in Zug, Switzerland, that does a lot of work with schools.
And yet, school districts, now more so than ever, must take proactive steps to mitigate the same privacy and data security risks as any other small- to medium-sized business (SMB.) This begins with securing sensitive school district records, belonging not just to students, faculty and staff, and includes monitoring and protecting online payment systems, now sure to come under expanded Business Email Compromise (BEC) attacks.
The thing that most alarms Jesse Norton is the exposure to kids. Norton is a security consultant at Spirent Communications, an 82-year-old British supplier of network performance testing equipment. "This brings the possibility of pedophiles getting access to these lists," Norton says. "This can result in long-term consequences, like identity theft ten years from now, or even the use of childrens’ identities in human smuggling/sex trafficking rings. Criminals can be ingenious when it comes to utilizing the resources they get their hands on."
When I asked Norton how he would grade the security posture, generally, of K-12 schools, in the U.S., here’s what he told me: "I can't speak for all schools, the only one I know about is where my kids go. They are ill prepared for configuring a network to work, let alone securing it; definitely getting a D minus."