New International Standard Aims to Boost K-12 Cybersecurity

The integration of technology into classrooms has transformed the educational experience. Unfortunately, it has also opened the schoolhouse doors to electronic intrusion by hackers, crooks and thieves. According to one new study, ransomware attacks targeting K-12 schools grew by an astonishing 827 percent in 2022. Phishing, malware and denial-of-service attacks also increased substantially.

School districts are enticing targets due to their large databases of sensitive information and relatively limited ability to prevent, discover and mitigate threats. Budget constraints are also a factor. With education spending down nationwide, few school districts have the IT staff and resources to effectively combat continually evolving security threats.

New tools are available to help. A multinational consortium of educators, administrators, policymakers, IT security pros and software vendors recently unveiled the first-ever international data security framework tailored specifically for the education sector. The Global Education Security Standard (GESS) is the result of a two-year effort by the Access 4 Learning (A4L) community’s Student Data Privacy Consortium (SDPC), a working group of professionals from the U.S., Europe, New Zealand and Australia.

On the Same Page

Frameworks such as GESS enhance cybersecurity by establishing comprehensive and structured approaches for identifying vulnerabilities, detecting threats, assessing risk, controlling access and recovering from attacks. They are essential for helping organizations maintain a methodical and repeatable approach to managing cyber risk and reducing vulnerabilities.

Hundreds of different security frameworks are used globally, with most having a good deal of overlap. However, few of them include language that maps directly to the unique operational requirements of educational institutions.

To create a common security baseline for schools, the SDPC working group modified and borrowed elements of frameworks developed by the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS) along with international standards from the U.K., Australia and New Zealand. Drawing on these standards, the working group created a single repository of security controls that can be shared among educational institutions across the globe.

All GESS controls can be accessed, searched and filtered through an online portal. Sets of GESS controls and assessment questions may be downloaded to assist in understanding and meeting the requirements. A self-assessment module provides a way to measure and track compliance with GESS.

Guidelines for Vendors, Too

The framework also imposes security requirements on software vendors who serve the education community. Poor development practices or buggy code can introduce vulnerabilities. Software weaknesses can lead to data breaches, ransomware and other attacks that disrupt school operations and compromise student information.

In January 2022, for example, educational software vendor Illuminate Education was the victim of a data breach that exposed the personal information of more than a million K-12 students across at least five states. Students’ names, ID numbers, gender, date of birth, class schedules, special education status and free lunch status were exposed in the attack. Illuminate had reportedly signed data privacy and security agreements promising to encrypt student data but failed to do so. A few months after the breach, the company was purchased by Renaissance, another education software company.

Learn More at FAEDS 2023

Verteks Consulting invites you to learn more about GESS during the Florida Association of Educational Data Systems (FAEDS) conference scheduled for Sept. 17-21 in Orlando. A breakout session led by A4L Interim Leader Steve Smith on Sept. 19 will introduce attendees to the GESS framework and its likely impact.
The FAEDS conference will be held at the Caribe Royale All-Suite Hotel & Convention Center. You can register online here, and you can make hotel reservations here. Verteks Consulting is a Premier Sponsor for the event.

