Establishing secure online classrooms is one of the main challenges that school administrators face in K-12 schools as well as in colleges and universities.
It is crucial for administrators to understand how to evaluate the technology and digital platforms they are using to make sure that adequate security measures are in place.
Ensuring that classrooms are secure requires planning and commitment by the institutions. Fortunately, there are steps that schools can take to ensure the tools they are making available to their school communities are safe for their students, teachers and other staff members.
How 2020 Changed the Nature of Online Security for Schools
When schools and higher learning institutions were forced to pivot to a remote or hybrid format following the start of the pandemic in March 2020, school communities – including teachers, students and administrators – had to turn to video conferencing and other apps that were not designed for remote learning.
At the beginning of the pandemic and subsequent lockdown, the priority was how quickly remote learning methods could be implemented, and security protocols were not followed in the early days of newly adopted remote classrooms. As a result, vulnerabilities were created by factors such as unsecured networks and endpoints. In addition, it was impossible to ensure that devices connecting to education networks were secure. Unlike business organizations, which typically implement a “bring your own device” policy for their staff, schools would find securing all devices used by teachers and students difficult to manage.
Cybercriminals quickly moved in to take advantage of these vulnerabilities, in public schools, private schools, colleges and universities. In the U.S., a report on the State of K-12 Cybersecurity noted that although the first quarter of 2020 was more in line with previous year’s trends, remote learning cyber incidents shifted dramatically in the second quarter of 2020. The report states that “the second quarter of 2020—coincident with the rise of COVID-19 and the corresponding adoption of remote learning—marked a sharp departure from the prevailing trend line.”
Meanwhile, cyberattacks on colleges and universities grew during the pandemic, with one report showing that ransomware attacks in higher education doubled in 2020.
Video conferencing introduced a new threat that was not previously a factor: remote classroom invasion incidents. Cited as “a new class of school cyber threats that plagued districts,” these attacks take place during live video conferencing sessions, disrupting classes with hate speech; shocking images, sounds, and videos; and/or threats of violence, according to the state of school cybersecurity report.
Live classroom sessions at colleges and universities were also “crashed” by malicious actors, as video conferencing and chat functions were targeted. Incidents were reported in both small-group remote meetings and larger class meetings. Reports of these types of classroom disruptions are continuing in the 2021 school year at various universities.
Response from Federal Cybersecurity Agency and Digital Providers
In an attempt to stop these disturbing security breaches and invasions, the Cybersecurity and Infrastructure Security Agency (CISA) published a set of video conferencing guidelines for IT administrators in K-12 school districts in the US to follow.
CISA’s recommendations include school implementation of security practices such as developing policies for distance learning and virtual meetings and conducting comprehensive research before employing digital tools and platforms. The agency also offered end user recommendations for teachers, students, parents and other participants including:
- Use school- or organization-approved tools and software
- Use measures to protect student and teacher privacy and to protect personal information and data
- Use strong passwords for devices and software platforms
For higher education, CISA offers a variety of resources for colleges and universities to develop their own best practices on cybersecurity, based on CISA’s five Cybersecurity Framework Function Areas.
Meanwhile, the providers of meeting tools also released guidelines to follow when teachers and students are using their software, such as using stronger password protocols. But often these recommendations did not go far enough to provide comprehensive security protection.
Secure Classrooms Need Additional Security Layers
Organizations need to learn how to evaluate software company security protocols. This responsibility needs to be met by both IT systems administrators and school administrators.
It’s also crucial for schools and universities to understand that not all security features are alike. For example, one of the most popular industry video conferencing software platforms doesn’t support true end-to-end encryption. Most video conferencing software platforms connect with cloud servers, and organizations don’t have control over where their information and/or data is stored on these servers.
As IT and school administrators evaluate these tools, they need to consider some pertinent questions, such as:
- Does the video conferencing software meet end-to-end encryption standards?
- Does the solution use current industry-accepted standards for transport layer security (TLS 1.3) and strong ciphers?
- Is this security model consistent across all devices, such as mobile, tablet and desktop?
- Is the audio transport secure to prevent eavesdropping?
- Does the video conferencing software give you the ability to deploy your own modules onto your own cloud servers that are under your control?
- Do you have control over your availability and uptime or are you sharing your services with others?
- Can you comply with privacy regulations in your jurisdiction?
- Does your system administrator have control over the level of encryption of your classroom sessions?
- Do the documents, content and recordings of your classroom sessions stay private in transfer and storage?