The bogeyman is an imaginary being often employed to scare children. For many of us, the use of a contrived creature served as a tool to foster good behavior. Our childhood experiences are littered with tales of the bogeyman, whether it be a nondescript creature that lurked under the bed, just down the hallway or lingering among the shadows, we all have tales of a creepy brute that almost got us.

In making the case for information security, the bogeyman takes many forms and lurks just within reach.

There is no doubt that data is an institutional asset. Data, when used properly, can produce positive effects. Among educational entities, the power of data is life-altering. Consider student success. An array of seemingly disparate data elements, collected from registration, financial, health, attendance, collaboration and performance sources has the ability to reveal student potential, to offer deep insight into each students’ abilities. Proper analysis of the data can highlight opportunities for enhancements, remedies of educational gaps. Similarly, data orchestration and reporting will reveal strengths and foster expansion of those efforts that are successful.

The adoption of educational technology, often referred to as EdTech, has exploded in the United States. The staggering growth of technology in the learning environment, coupled with rampant data collection will present privacy, safety and regulatory concerns.

EdTech is no longer limited to a handful of computers situated in the library or media center. In our modern era, The Oregon Trail’s ever-present fear of digital dysentery isn’t the bogeyman that I speak of.

Rather, EdTech’s opportunity for personalized learning environments, constructed through massive data collection, combined with administrative and learning software platforms are the recipe for a new fear: data exploitation.

Information security is not a singular activity, nor is it the sole responsibility of IT. Information security is an institution-wide mandate.

In the fall of 2018, the FBI released a public service announcement that offered caution related to educational entities’ collection of student data and potential for exposure, theft of the data. The FBI report appeared after a series of notable events in 2017 and 2018 and served as a reminder that we should never forget about continuous security efforts.

In 2017, across the United States, numerous K-12 information management environments were compromised. The successful attacks exposed massive stores of data. Among the data elements were personally identifiable information on students and parents, academic performance records, medical histories, and some financial information. Later in 2017, two large EdTech companies suffered incidents which resulted in public access to millions of students’ data.

In October 2017, the U.S. Department of Education released a Cyber Advisory Alert suggesting that cyber criminals were systematically attacking school districts and EdTech firms, attempting to exploit weak security practices or well-known vulnerabilities. Among the reasons for the attacks were financial benefit (sale of the sensitive data) and harassment.

During the aftermath of the attacks, the bogeyman appeared.

Some security researchers and reporting agencies attributed the school district attacks to a cybercriminal group known as Dark Overlord.

Extortion, accompanied by harassment surfaced among the parents and students in affected school districts. In some instances, school districts closed for safety purposes after the threats escalated and panic paralyzed the local communities. One school district spent several thousand dollars to retrieve its ransomed data.

Clearly, school districts did not willingly allow the bogeyman into their data stores. The ensuing attacks against children were unfortunate and terrifying.

The increased use of connected technologies and data collection introduces cybersecurity risks. Parents, guardians and children need to be aware of the risks associated with these efforts.

Cybersecurity resources are scarce. One of the best tools available is awareness campaigns.

School districts should inform their constituents of the major requirements of three Federal Acts: Family Educational Rights and Privacy Act (FERPA), the Protection of Pupil Rights Amendment (PPRA), and the Children’s Online Privacy and Protection Act (COPPA). Additionally, a seemingly endless series of state laws and breach notification requirements should be reviewed.

A well-designed awareness campaign also includes open discussions and announcements about the deployed EdTech solutions – what is collected and how is it safeguarded. In particular, during this phase, schools should review their practices with a watchful eye; collect the minimum amount of data needed and purge that which is no longer needed or required for regulatory compliance.

Among the states that experienced harassing communications as the result of a cyber attack, an Alabama school district’s experience in 2018 may have been associated with the Dark Overlord campaigns. The event had striking similarities to those in other states; however, no direct correlation has been established.

Safety of our children shouldn’t be a single concern. In our modern world, attacks aren’t only physical. Our data reveals intimate details – misuse of the data will harm children. Protect the information properly and you will protect our children. Follow security best practices and be proactive: inform your community of your collection and protection efforts.

Close those security gaps and be proactive or the bogeyman might get you.