Are these myths impacting your ability to protect your district from cyber-attacks?
Cybersecurity is trending – and not in a good way. Education has accounted for 32% of all cyber-attacks in the last year, and that number is only growing. It is predicted that cyber-attacks in education will increase by 86% this academic year. It is widely known that student information is a treasure trove to malicious hackers and identity thieves. As cloud-based applications such as Google Workspace and Microsoft 365 become the standard for learning and collaboration, the threat level only grows. So, how can you combat myths to stay ahead of the curve?
Myth 1: Security is the Cloud Provider’s Responsibility
Fact: You are in a “shared responsibility model” when using cloud-based applications, and that means that the responsibility for securing the data in the cloud lies with you.
This is one of the most dangerous cloud security myths that schools fall prey to because it convinces technology leaders that data is secure and doesn’t need to be addressed in any other way – but that couldn’t be further from the truth.
To secure your cloud-native infrastructure, it’s critical to understand how your organization uses cloud services and what responsibilities lie with you. The definition of responsibility will vary by the provider, but it’s essential to realize that the provider is only responsible for protecting the hardware infrastructure you use against disaster. Meaning, the provider is responsible for securing their servers and transferring data between your computers and theirs.
This leaves us with the user’s responsibility: to protect the application’s data from accidental deletion to unauthorized distribution to cyber-attacks. It is up to technology leaders to ensure that settings are correctly configured, possible incidents are investigated, and data breaches are remediated.
Myth 2: Securing Your Network is All the Cybersecurity You Need
FACT: Data stored in third-party cloud apps such as Google and Microsoft is “outside” of your perimeter and not secured by your network security technology.
It isn’t a surprise that such a large group of people believe cloud security myths like this one about network security. Given the speed with which technology is changing, it wasn’t so long ago that network security was all you needed.
If you’re like the 99% of districts that have moved most of your data to Google or Microsoft 365, your perimeter is dead. As a result, you need to transition from protecting your network to safeguarding the data you have stored, regardless of its location. This is generally called zero trust security and is cybersecurity experts’ preferred methodology across all industries.
For example, firewalls have long been used to protect network entry points. This is still a great protection layer. But the sheer number of entry points to your network has exploded in recent years. Much of that growth can be attributed to cloud computing and IoT. You’re not just looking at entry points from your staff, servers, and maybe a handful of teachers. Today, basically everyone in your district accesses data systems—primarily via cloud apps. Students with Chromebooks and iPads, teachers, staff, and contractors. Plus anyone who uses their personal computers and/or devices. Then you have your servers, security cameras, smart classroom tech, and point-of-sale systems (yes, POS systems in schools are critical, as this school district suddenly realized when they were hit with a ransomware attack). Then you have all your access points from vendors and software providers, and the list goes on.
Don’t get me wrong; you still need a firewall and network-level intrusion security and detection. But, today, you need a multilayered cybersecurity tech stack that goes beyond the network and focuses on securing your actual data, not just your perimeter.
Myth 3: Content Filtering is Cybersecurity
FACT: This E-Rate compliance check doesn’t even begin to touch what is needed to comply with FERPA, CIPA, and a litany of state-level data protection laws.
A pervasive—and baffling—cloud security myth that we hear from district leaders often is that web content filters are cybersecurity tools.
When Congress passed the Children’s Internet Protection Act (CIPA) in 2000, it made web content filtering a legal requirement for schools. And schools that want to take advantage of the E-Rate program are required to have web content filters.
Filters are helpful for one thing: blocking inappropriate content before it reaches a student’s monitor. That is helpful to prevent students from being exposed to many pieces of content or images that would be disturbing. However, it doesn’t protect data. Its primary purpose is to manage cyber safety in schools by preventing students from viewing harmful content.
It can be argued that content filters help block students (and teachers and staff) from visiting phishing websites that can cause cybersecurity problems. This is true, but it’s also a very narrow data security use case.
In addition, most content filters can’t monitor school-provided technology, such as a Google Doc. Students are very creative when using those Docs for cyberbullying, discussing self-harm, threatening violence, and sharing explicit images and videos. A lot of inappropriate content is beyond the reach of a content filter—and, I can assure you, it’s sitting in your schools’ shared drives.
It would help if you had both content filtering and cloud security tools to protect students, secure data, and comply with state and federal regulations.
Cloud security tools allow you to:
- Comply with FERPA and COPPA
- Monitor activity inside cloud apps like Google Workspace and Microsoft 365
- Protect against cyberthreats such as phishing, ransomware, account takeovers, data breaches, and more
- Limit the dissemination of confidential information
- Protect students and staff from sharing or viewing explicit content, even by accident
- Respond to reports of unauthorized activity
How to Handle Cloud Security Myths
As one smart Director of Technology Services recently put it, “Ignorance can’t be a security policy.”
You may be tempted to let these cloud security myths persist. But that isn’t going to protect your students, faculty, and staff from the many harms of a data breach. Ignoring these facts will continue to leave your district vulnerable to:
- Cyberattacks that can disrupt learning and cost the district time and money
- Safety and privacy issues with students, faculty, and staff
- Budgets that aren’t structured to provide the cybersecurity tools that are desperately needed
As the saying goes, “seeing is believing.” Dispelling these and other cloud security myths in your district is perhaps most effectively done by seeing the risks in your domains.