Computer and network security is probably the most important topic that information-technology managers in school districts face. It’s not glamorous work—and the results are difficult to measure and reward—but the assets that good security practices protect are ever more important to the successful operation of the educational enterprise.
Two primary aspects of security—the protection of confidential and sensitive data, and the stability of computer systems—have come to play an increasingly prominent role in K-12 education.
The most important challenge is to protect the confidentiality and integrity of personal data, primarily student records but also including employee information. Such data are governed by some of the strictest privacy laws in the United States. At the same time, systems used to manage such data, which just a few years ago would have been relatively safe within districts’ computer-network firewalls, are now expected to be accessible 24/7 by parents, students, and staff members, which significantly increases exposure to potential attacks.
Second, as schools become more and more dependent upon technological systems, any significant disruptions in the availability of computers, networks, messaging systems, databases, or Internet access can cripple much of the work of education. That dependence means, in particular, that a district’s network infrastructure of servers and hardware needs to be completely up to date, with all current patches maintained to ensure close to 100 percent availability and reduce vulnerability to the new viruses, spyware, and other such threats that arise each day.
The increasing reliance on computers and computer networks has also increased exposure of those systems to attack because of more widespread Internet access, ad hoc Wi-Fi networks, and portable devices, all of which increase possible entry points into a network. With the wider distribution of systems, physical security and effective procedures and training need to be distributed more widely as well.
Many of the threats that security managers need to address have existed for more than a decade, but several new and worrisome methods of attack have emerged, and the sophistication of the attacks and attackers is advancing rapidly. So while the basics of anti-virus software and a good firewall are still important, new threats appear constantly, requiring additional measures and training to defeat them. One growing threat that worries security professionals is phishing, which is the use of e-mail to impersonate officials or institutions to obtain personal information.
In the end, district management at the highest levels, starting with the superintendent and the chief technology officer, needs to understand the importance of computer and network security. Districts must dedicate adequate human and financial resources to such security, and audit their systems and procedures regularly to make sure they remain safe against any new threats.
And with the growing distribution of computing power in schools and classrooms, administrators need to communicate the importance of this issue throughout the school community—to teachers, students, and even parents. Regular education and training are vital so that management and users at all levels understand security threats and the steps they can take to minimize them.
Cyber security is serious business and requires serious time and effort. The alternative—vulnerability to intrusion, data destruction or compromise, or systems rendered unusable—can be much more expensive and carry serious consequences.
Paul Hyland, the executive producer of edweek.org, has worked in the technology field for 20 years for companies such as America Online, IBM, and Verisign.
A version of this article appeared in the June 20, 2007 edition of Digital Directions as Protecting Data is Paramount