Survey: What School District Tech Leaders Are Saying About Cybersecurity
District tech leaders have different concerns about cybersecurity, and different strategies for addressing those concerns, which vary by the size of their school systems. Compared to their rural counterparts, administrators from big-city districts are more likely to say their worries about protecting their K-12 systems are on the rise—and they’re more likely to have begun implementing formal password-management policies and measures.
That’s according to a survey conducted by the Consortium for School Networking and the Education Week Research Center of more than 300 ed-tech leaders.
Overall, 68 percent of leaders say that student-data privacy and security is a somewhat or much more important priority this year compared with last year.
That share rises to 82 percent for administrators from urban school districts. By comparison, it’s 68 percent for suburban leaders and 64 percent for their rural peers.
This is not to say that student data privacy and security are unimportant to leaders from rural districts. They may have more basic concerns—like accessing the internet in the first place. Even as the percentage of U.S. schools with WiFi skyrocketed from 30 percent to 98 percent between 2013 and 2018—according to data from the nonprofit EducationSuperHighway—many rural schools continue to face challenges merely getting connected.
But within the biggest K-12 systems, cybersecurity is seen as an urgent problem.
One hundred percent of leaders from large districts with more than 50,000 students report that student data privacy and security is a somewhat or much more important priority this year compared with last year. That percentage falls to 63 percent for those from small districts with fewer than 1,000 students.
Across the country, worries about cybersecurity among tech leaders from districts of all sizes have soared over the past few years, notes Keith Krueger, the chief executive officer of the Consortium for School Networking. But the challenges that rural school systems face in protecting themselves from cyber threats are especially acute, he said.
If the largest school K-12 districts are scrambling to keep up, “one can only imagine the challenge for small school systems with no technical staff,” Krueger explained. “The best you can do is [find out] what best practice is, implement that, and make sure your school board and your superintendent understand that these are the steps worth taking—and that even with those best steps, bad things can happen.”
Shunning Password Protections
All districts face hurdles in responding to threats and in creating safeguards that are both effective and reasonably easy to manage, said Keith Bockwoldt, the chief information officer for the 4,500-student Hinsdale High School District in Illinois.
This Education Week examination of K-12 cybersecurity is the second of three special reports focused on the needs of K-12 district technology leaders, including chief technology officers. Each report in the series features exclusive results of a new, nationally representative survey of CTOs, conducted by the Consortium for School Networking, an organization representing K-12 district technology officials.
Larger systems, for instance, face more complex challenges in protecting data and training staff because of their size and getting everyone on board with their policies, said Bockwoldt, who serves on CoSN’s cybersecurity advisory committee.
“The threats are there, whatever classification you’re in,” Bockwoldt said. In that sense, “everyone is in the same boat.”
Concerns about student data privacy and security are not the only aspects of cybersecurity in which large and urban district leaders differ from their small and rural peers.
Large and urban leaders also approach password management differently than do their peers from smaller, rural and suburban districts.
For example, just over half (56 percent) of all K-12 leaders say their districts have formal password policies that are widely followed. Seventy-two percent of urban leaders say they have widely-followed formal password policies. That’s compared with 62 percent of suburban administrators and less than half (41 percent) of their rural counterparts. In fact, nearly 1 in 3 (29 percent) of rural leaders report that their districts do not have formal password policies although staff members are regularly encouraged to use best practices for password management.
‘This Is Crazy’
Timothy Smith, the supervisor of instructional practice and technology integration for the Red Lion Area School District in Pennsylvania, said tech leaders in rural K-12 systems may have a harder time than their urban peers imagining that malicious actors will target their schools.
District officials in smaller districts may think, “Why would they focus on me? Why would there be a hacker or someone who wants to dig into the data that we have?” said Smith, whose district has 6,100 students.
Smaller districts are much less likely to have full time chief technology officers than larger districts, according to federal data. Because rural tech leaders are juggling so many duties, making progress on even relatively simple cybersecurity steps can be difficult, said Smith.
K-12 districts face an array of threats from cyberattacks and security breaches. In this Education Week webinar, staff writer Benjamin Herold talks with guests about how district leaders can secure data and networks and insulate schools from bad actors.
Despite those odds, his district has taken steps to tighten the security reins.
Three years ago, his school system put in place stronger protocols for password security. Smith had assumed everyone would be on board with the measure, but he still gets resistance.
“I was really surprised by that,” he said. “Every 120 days, without fail, I will get one or two or three staff members who will reach out to me and say this is crazy [to change passwords].”
‘Protect Data at All Costs’
The COSN/EdWeek survey found that 100 percent of large district leaders have formal, widely-followed password policies. That share falls to 43 percent for administrators from small districts.
In addition to examining formal password policies, the survey also asked leaders if their districts had implemented 13 different types of security measures related to passwords, including requiring passwords to be of minimal complexity and/or length (84 percent); prohibiting password sharing (73 percent) and locking accounts after a specified number of unsuccessful log-in attempts (62 percent). Urban leaders are more likely than their rural or suburban peers to have implemented 11 of the 13 measures. For example, 96 percent of urban leaders say they require minimum lengths and levels of complexity for passwords, compared with 86 percent of suburban respondents and 76 percent from rural areas.
Similarly, 87 percent of urban respondents said their districts prohibit password sharing, compared with 78 percent of suburban leaders and 66 percent of their rural counterparts.
Leaders from larger districts are also more likely than those from the smallest districts to report that they had implemented the 13 security measures.
For many districts, no matter what their size, effective cybersecurity means thinking differently about the obligations they have to protect students, said Smith.
Just as schools establish physical barriers to make sure access to their campuses are controlled, he argued, “we need to be the beacon that will protect data at all costs.”