The back-to-school season is in full swing, so students, teachers, staff, and parents have a lot on their minds – from balancing course work with busy schedules to the challenges of keeping everyone safe under district health and safety protocols as the pandemic rages on. In addition to managing the devices and technologies needed to keep students and staff connected, education IT teams have yet another thing to be concerned about: student data privacy. When the world went home to work and learn last year, the massive shift to remote learning captured the attention of cyber criminals, and, as a result, K-12 has unfortunately become a top target.
To understand the IT and security challenges exacerbated by remote learning, Absolute spent the summer studying anonymized endpoint data from over 10,000 schools and districts. The recently released Absolute Endpoint Risk Report: Education Edition offers a unique look back at what transpired and sheds some light on the key priorities for this school year and beyond.
Schools, and the devices they deploy, have an enormous amount of data that cyber criminals consider highly valuable. Despite these devices being ‘school’ machines, the types of data stored on them can be quite surprising. This can include social security numbers for students and teachers, medical records, school financial information, and even credit card data. In fact, according to our K-12 report, nearly one-third of education devices studied contained sensitive data and 39% of that data was protected health information.
When many K-12 schools accelerated their digital transformation plans and went fully online in 2020, cyber criminals saw – and quickly seized upon – their opportunity. According to the FBI, 57% of all reported ransomware attacks in the U.S. in August and September of 2020 targeted K-12 education. This was more than double the 28% reported during January – July 2020.
While cyber criminals were zeroing in on education data, IT was struggling to manage more and more devices located off the school’s network and in the hands of young students. Between 2019 and 2020, K-12 environments increased the total number of devices deployed by 74%. And students brought these devices farther away from school. By spring of 2021, 47% of devices were located more than 25 miles from their school or district, and some wandered even farther, with 21% logging in over 500 miles away.
Adding to the complexity for IT teams, more applications were installed on devices in an effort to support these newly remote learning models, which inevitably expanded the attack surface even further. According to the findings, each device now has an average of 6.7 applications installed on it, 5.4 of which are security applications.
One thing we know is that more applications per device add significant friction to any operating environment. That friction increases the likelihood that applications will collide, decay, and eventually fail.
Underscoring this point, just 53% of anti-virus applications were found to be operating effectively on school devices. Additionally, most devices were found to be running operating systems more than two versions out of date. Pair this data point with the fact that patching delays are averaging 177 days and you have a recipe for significant risk to student data privacy. When devices are kept inside a school network, these may be manageable risks, but when devices are primarily used outside the protection and visibility of IT administrators, these gaps give hackers the open door they are looking for.
If student data privacy is to be protected, education IT teams must shift their thinking and approach security as an imperative rather than an afterthought. It must become a top priority.
When considering what is needed for this school year and those that follow in the remote learning era, persistent visibility and control over the entire endpoint environment is a critical first step. Schools should look at measures to identify and secure sensitive data, find better ways to keep devices patched and up-to-date, and ensure that their endpoint security controls are working at all times. Investment in platforms that make devices and applications resilient – that is, self-aware and capable of automatically monitoring and maintaining their effectiveness – is more important than ever before.
The Absolute Platform for Endpoint Resilience® for K-12 education enables a secure, unbreakable connection to every endpoint, delivering unmatched visibility and intelligence into devices, data, and applications across the endpoint environment. With Absolute, security applications such as anti-virus, anti-malware, VPN, and disk encryption are autonomously monitored and maintained to ensure they are always installed, active, and working as expected.
The accelerated digital transformation we’ve seen across K-12 has opened many opportunities as schools have embraced this new digital reality. It has also presented a number of challenges districts must address to keep students and staff safe, connected, and productive. To learn more about key trends in education IT and security, and for practical guidance on how to manage and secure any 1:1 device program, download the 2021-2022 Absolute Endpoint Risk Report: Education Edition.