Top 10 Things to Change in K-12

The PowerSchool breach has been a difficult wake-up call for all of us, but it’s not the first breach and it will not be the last. School districts and ed-tech partners have all had the chance to revisit their cybersecurity plans over the last few weeks, and this has afforded us the opportunity to rethink some common practices in K-12 technology.

We’ve put together a list of the top 10 changes we’d like to see in our industry, both within school districts and with our ed-tech partners. We should caveat this by saying that we recognize many of these items will require changing long-standing cultures and practices, and this is meant to start the conversation. Changes of this magnitude, if not carefully planned and communicated, could cause negative disruptions to the classroom.

It’s also important to note that we recognize many of the changes require collaboration between school districts and ed-tech partners. As school districts, we must recognize that our ed-tech partners are often responding to customer requests, and the systems and platforms we use are often a reflection of what our colleagues ask for. As ed-tech partners, we also need to recognize that what is easy and popular may not always be safe for school districts, and sometimes we need your help to move the needle forward. 

With that said, here are the 10 things we’d like to see change in K-12 technology:

  1. Multi-factor authentication. Roughly 90% of school districts have implemented MFA for staff accounts, but we still have a ways to go. MFA needs to expand to all accounts within a school district, including students, service accounts, and contractors. The Clark County attack in 2023 was a stark reminder that student accounts can still lead to a serious breach, and the PowerSchool breach demonstrated that it only takes one account without MFA to create a dangerous situation.

  1. SFTP. Building on the need to expand MFA is the need to sunset antiquated SFTP file transfer practices — after all, many of our SFTP exports just use a simple username and password for authentication! Some ed-tech partners have started moving toward APIs, and data standards like Ed-Fi and SIF have started to improve the data transfer infrastructure — albeit slowly!

  1. Shared accounts. Let’s face it: school staff like to use shared accounts for things like school or department emails. Shared accounts are much harder to protect with MFA and can lead to MFA fatigue if you have multiple users approving logins. In addition to the security risk, districts also place themselves in jeopardy with records retention if files and emails exist in a shared account rather than in an employee’s possession.

  1. Active Directory. This may be the most controversial item on the list — many school district identity systems are built on Active Directory. But that is changing, and more and more districts are starting to realize AD is not as critical as it once was. Modern identity platforms have surpassed AD in terms of security, logging, and capabilities, but migrating off of AD is easier said than done — many school districts have built extremely robust systems that depend on AD for wireless, printing, device authentication, and more!

  1. Local admin rights. Most districts have restricted admin rights on user devices, but it’s still common to find local admin rights on some of our most critical devices, including those of IT departments. It will be important for us to consider a separation of duties, where critical IT tasks are performed only on our most hardened devices, which make it hard for a threat actor to cause harm or exfiltrate data.

  1. Unmanaged browsers. The internet browser has quickly become the new Trojan horse for device attacks by way of browser extensions. We have heard of dozens of Chrome extensions being used maliciously in recent months, and early indications in the PowerSchool investigation point to a browser takeover as the initial source of attack. But the idea of the browser being owned and controlled by the organization is a difficult change to make — users feel ownership over the browser, and browser extensions are typically viewed as “safe” by most end-users.

  1. Standalone usernames and passwords. I started in a new district this year and was thrilled to hear that they had already rolled out MFA — until I realized the SIS still required a separate username and password. Every school district uses Google or O365 for their collaboration suite, and using it for authentication on all systems and tools will improve both our overall security and the user experience.

  1. Personal accounts used in district systems. This can be a difficult cultural shift for some districts, especially when concerns over public records lead to the use of personal email accounts. However, this practice cannot and should not extend to district systems and tools. As districts, we need to create a culture where personal email accounts are not used for district business and authentication. As ed-tech partners, this is where we could use your help with enforcement! The more you can help to limit access to your systems to only district accounts, the safer we both will be.

  1. Manual account provisioning. I thought this would be a thing of the past by now, but many ed-tech applications and systems still require manual provisioning and deprovisioning of accounts. While it can be difficult for districts to modernize their Identity Management (IDM) processes when employee data is not always accurate, there is tremendous risk when account provisioning is done manually. Additionally, we need our ed-tech partners to ensure that their platforms use standard rostering options via Clever, ClassLink, or OneRoster so we can eliminate manual account creation across all systems and tools.

  1. Data hoarding. Educators love to save things—trust me, I’ve had an entire fifth-grade classroom library stored in my basement for 15 years because I might need it someday. We must begin the difficult process of reducing the amount of data we store in our systems. Many school districts are having this conversation right now and asking why student Social Security numbers, historical alumni records, and other sensitive pieces of information are still in our systems. Of all the items on this list, deleting data is probably the most difficult change to make — but hopefully the PowerSchool breach is the spark that ignites this conversation!
