Back then, I had a hard time understanding the rationale behind those decisions. I felt like the “Department of No” was simply getting in the way of the real work of the district. Today, that experience helps me understand both sides of the equation as I work with CDW clients to develop their security programs.
I know that teachers are only trying to do what is best for their students, but they often don’t understand that they might be putting children in jeopardy if they’re not using safe, vetted applications in the classroom. That’s why I helped develop the K-12 Blueprint for Security toolkit, to better educate administrators, teachers, students and parents about privacy and security risks.
The Foundation for an Effective K–12 Security Program
Today, when I work with a district to build out its security programs, I always start with awareness efforts, and often do so through the use of a simulated phishing campaign. Districts work with security partners to send out fake phishing messages that promise free Chromebooks or other incentives to induce teachers to click a link. Once teachers click, they are redirected to an educational site and informed that they fell victim to a simulated attack. These teachers also learn about the risks to students’ personal information had the attack been malicious. These campaigns help employees build a security mindset.
Once we’ve increased awareness, we help districts put processes and procedures in place to carefully vet approved software vendors. Instead of allowing teachers to use any software they wish, districts should adopt a formal policy that any software used in the classroom must undergo a vetting process that answers important questions, including:
- Who is responsible for supporting the software?
- Does the software collect student data? If so, who has access to that information?
- Does the vendor sell or share data with third parties? Under what circumstances?
- Is the software designed for students under the age of 13? If not, how will its use be limited to older students?
- What contractual protections are in place to ensure the destruction of student data at the end of the contract or at an earlier appropriate time?
We’re all concerned about the security of our personal information, but we often overlook the importance of protecting information that belongs to children. Information such as names, birthdates and Social Security numbers doesn’t generally change over a person’s lifetime. Personal information stolen when a child is in the first grade might be stored away and used against the child when he or she becomes an adult.
It’s everyone’s responsibility — IT professionals, administrators, teachers, staff, parents and students — to make sure that we contribute to the solution, not the problem.