Nearly half of the more than 1,200 education technology vendor websites used by teachers and students, and checked in an October audit, did not include a secure log-in, according to a new survey.
This makes these programs vulnerable to a security breach – a school leader’s nightmare.
“We want people to fix this,” said Bill Fitzgerald, director of the Privacy Initiative at Common Sense Media, a nonprofit organization that provides tools to help schools and parents assess the merits of technology and media use. “We don’t want to talk about encryption. We want to talk about pedagogy.”
Some might think that hackers only target high-profile groups such as politicians and banks – but that’s a mistake. Schools, both K-12 and higher education, have been victims, too. More than 780 breaches in schools, resulting in the disclosure of more than 14,790,000 records, have been reported since 2005, according to the Privacy Rights Clearinghouse, a California-based nonprofit consumer advocate.
The survey by Fitzgerald’s team sought to find out how many programs support the use of encryption, which helps protect information online. The report found that only 51 percent of the educational program websites checked provided this protection. Both small and large companies that offer programs to schools provided websites without encryption. And in some cases the companies provided the security only for districts in states that mandate it. (To avoid compounding the problem, the report does not disclose the names of which programs have security problems.)
The consequences of a security breach can be devastating. Parents trust that school leaders are being careful, and even a small-scale problem can cause them to doubt if it’s worthwhile to use online programs in the classroom. And if teachers are using the same username and password across multiple sites – a no-no, but some do it regardless – then one breach on one site can lead to widespread security issues.
So what can educators do? Schools should check to be sure the websites being used by teachers and students are encrypted, Fitzgerald said. This can take some time, sometimes 30 minutes to an hour, but it’s worth it to put in the work before there is a problem. It can cost 10 to 20 times more in time and money to clean up a crisis than to do the prevention work, he estimates. (Common Sense media provides tips on how to do this.)
“Most of the time it takes a breach or a news story for districts to step up their game,” Fitzgerald said. “When that happens it’s already too late.”
The tests run by Common Sense Media set a very low bar – meaning the problems could be even worse than reported. They tested the websites by running an automated program that checked to see if the log-in page was secure. It was not able to see if that protection carried over once users were logged in – another area where some websites can have problems.
Fitzgerald and his team plan to run their audit again in the coming months to see if companies have fixed the problems they found.