Cybersecurity attacks within K-12 districts have become an imminent threat. Seemingly, a new school district is highlighted every week. Ransomware attacks, which have compromised the most sensitive school district data (e.g., social security numbers and home addresses), put student and staff well-being at risk. Worse yet, hackers target districts of all sizes, posing a threat to small and large districts alike.
As school districts fortify themselves against these attacks, they must not only secure their internal environment, but also their third-party vendor software. As K-12 edtech author and influencer, Carl Hooker, recently observed, “You could have the most safe internal environment, but what happens if a company you are working with gets hacked?” This indicates that pre-procurement and renewal vetting creates an opportunity to improve district security.
Here’s what should be considered during the third-party software acquisition process:
Where is it hosted?
Since it intuitively allows for greater control and visibility, on-premise third-party software seems like a safe bet. But this strategy is likely to fail when you consider how thinly spread out IT staff is in most districts.
Instead, a third-party software hosted in the cloud and integrated with major providers such as Microsoft Azure, Google Cloud Platform, or Amazon Web Services, enables school districts to have scalable native security tools, physical and administrative safeguards, and automatic security updates.
Is there security at the application layer?
Third-party software applications should ideally use a web application firewall (WAF) to prevent ransomware attacks. A WAF filters, monitors, and blocks any malicious traffic traveling to the web application. WAFs also prevent any unauthorized data from leaving the app. As a result, the application and its data are protected from future vulnerability.
Is it externally validated?
A good way to assess how seriously a vendor approaches its security measures is to evaluate its standard compliance procedures. Is the vendor tested and certified by industry-best frameworks like SOC 2 and ISO 2700? If not, data protection should be ensured through routine PEN testing with an external security company.
Is the data backed up and encrypted?
District data should always be encrypted. This is typically achieved by either 2-way or one-way encryption. Additionally, it’s important to evaluate if the third-party vendor has redundancy procedures to backup data in case of a ransomware attack. Redundancy is achieved through multiple offsite data backup sites. Since it is hosted in different locations, data isn’t completely compromised if one location is attacked.
Enough of the technical talk, here are some non-technical factors.
There are some non-technical efforts the vendor must utilize in order to support the district in the unfortunate event of an attack. It’s important to ask: has the vendor made any contractual service agreements for security? Any service agreement that protects the vendor from liability in the event of an attack should trigger additional scrutiny from school districts.
Similarly, districts should understand the vendor’s insurance coverage around cyber-liability. Inadequate insurance increases the risk of harm to the district if the vendor becomes the source of an attack or data breach.
Lastly, it’s important to make sure that the third-party software understands FERPA requirements and has data protection capabilities that are aligned with student and family privacy needs.
Any recommendations for a third-party software that follows the above considerations?
Designed exclusively for K-12 help ticketing automation and asset management needs, Incident IQ has always kept student and district data security top-of-mind. As it integrates with your SIS and SSO platforms, Incident IQ ensures that it meets FERPA compliance standards and doesn’t compromise the integrated data from its end.
As a cloud-hosted platform, Incident IQ integrates with all the most trusted names such as Microsoft Azure, Google Admin console, Jamf Pro, and so many more. In fact, through its default integration with Azure, Incident IQ’s API offers a new degree of security — an adaptive integration. This version of an integration provides multiple levels of firewall (WAF).
Additionally, Incident IQ hosts data through geo-redundancy measures so that data is backed up on multiple offsites. All personal data is protected with best encryption practices, whether it be hashed or 2-way encrypted.
Incident IQ also invests heavily, with time and resources, in internal employee training (e.g., phishing training) and external PEN testing to validate and solidify security measures.
Ready to better safeguard district data? Book a demo with Incident IQ today.