WHITEPAPER / Why K-12 Cybersecurity Involves More Than Just CIPA Compliance / PAGE 1

Cybersecurity is one of many considerations teachers now juggle as they seek to get the most out of digital transformation in the classroom. But when the weight of assuring cybersecurity conflicts with the litany of everyday issues that teachers are faced with on campus, enforcing digital best practices often falls by the wayside.

Why K-12 Cybersecurity Involves More Than Just CIPA Compliance

At the very foundational level, schools are held to a standard of compliance enforced by the federal government – The Children’s Internet Protection Act (CIPA) – that makes it law for all schools administering internet access on devices provided by the district to put an Internet Safety Policy in place. At the very least, the policy must include the use of web filters that block potentially threatening content that could reach students by means of email, chat rooms, or other electronic communications.

But what exactly qualifies as potentially threatening content in the realm of academia?

The answer is both simple and complicated. Malware and other threats that pose the potential for a data breach are of course at the top of the pool of considerations in almost any digital environment. But more nuanced, personal threats that pose a less tangible harm to students’ wellbeing are just as pervasive in academia, opening a new avenue for stress and distraction in the classroom that could actually hinder learning rather than enrich it. Cyberbullying, for instance, is reaching what many educators would call epidemic levels at schools across the country.

Teachers are already tasked with having an extra set of eyes in the back of their heads when giving a lecture. And while districts employ IT teams that are tasked with assuring cybersecurity protections are always in place, these entities are themselves tasked with juggling a bevy of network priorities.

For all the good that digital learning can bring to a K-12 setting, without a solution that can help make sure cybersecurity in schools goes beyond just CIPA compliance without putting too much strain on educators and administration, the benefits can be hard to reap.

In fact, students polled in a recent DoSomething.org survey found that 68 percent of teens consider cyberbullying a serious concern.

WHITEPAPER / K-12 Cybersecurity: More than Just CIPA Compliance / PAGE 2

Without compliance, funding falls by the wayside

The reason so much pressure falls on CIPA is because compliance ties directly into the federal E-rate program, which is the only source districts use to receive discounts necessary to connect to the commercial internet.

Without this assistance, digital learning and maintaining school networks can become altogether too costly for many districts, especially poorly funded ones that might benefit most from innovative learning tools delivered via connected devices.

IT has a bevy of web filtering solutions to choose from that might make their districts compliant, but many fail to skim more than just the surface of the web traffic that cyber-savvy students might be generating.

And while it’s reported that one in five students admits to being bullied online – by peers and strangers alike – only about one in 10 actually tells an authority figure about it.

Where standard web filters fall flat

Many basic web filters that are targeted toward school districts only offer domain-based filtering. These solutions are both overly simplistic and highly restrictive in that not all web domains are all-bad in the context of academia. Craigslist, for instance, might not be billed as harmful or dangerous domain in a filter’s registry since the majority of site content is innocuous sales listings. Students might still find workarounds that could grant them access to adult sections of the site, for instance, if the web filter’s domain registry isn’t detailed or granular in its restrictions.

On the flipside, schools may block social media sites like Twitter or Facebook to go beyond CIPA to fight cyberbullying.

However, because the school districts aren’t taking a granular approach to web filtering that can block specific functions of a website or application, they are missing out on the chance to leverage social media as a learning tool while blocking access to messaging over the channels that could breed cyberbullying.

Signature-based malware prevention and breach detection, however, looks at traffic on the data packet level, analyzing the SSL signature – the go-to certification for the majority of internet traffic – to vet the content entering a network based on its port of origin.

These filters leverage malware registries that can flag known SSL threats entering the network. But just like domain-based solutions, SSL-based protocols can’t act alone if they want to deliver comprehensive protection and prevention.

For a school’s Internet Safety Protocol to be considered compliant, it must specifically block access to content or pictures that are deemed obscene, child pornography or harmful to minors – again, the latter consideration being a somewhat gray area.

WHITEPAPER / K-12 Cybersecurity: More than Just CIPA Compliance / PAGE 3

More regulations than just CIPAWhile CIPA may most directly impact school districts when compliance isn’t assured, there are a bevy of other regulations that educators need to be mindful of before bringing new technology into the classroom.

The Children’s Online Privacy Protection Act (COPPA), for instance, regulates the collection of PII about children under 13 by websites accessed by children over a school Internet connection.

Under the regulation, all website hosts must have a clearly stated privacy policy that states the requirement of parental permission before collecting PII about the student.

If a website or a provider is breached and student data protected under COPPA is compromised, the district can be held liable. With 1:1 policies putting devices into the hands of students that they can take outside of the classroom, schools need to make sure that websites that don’t comply with COPPA are blocked when students use their devices outside of the school network. This requires a robust ecosystem of security that goes beyond web and content filtering, but gives school IT insight into all mobile devices distributed by the school and that leverage school connectivity.

New systems require innovative solutions

Regulatory compliance goes well beyond just digital learning, as schools are embracing digital transformation across their systems. Electronically stored student records are now commonplace, with many districts utilizing Student Information Systems or Learning Management Systems housed at the district datacenter.

Under FERPA, parents and students have the right to inspect and review educational records maintained by the school, request that the school correct records that they believe are incorrect or misleading, and decide when – and to whom – their educational records are released.

If a student record is compromised via a breach, the district is held directly responsible, and could result in costly remediation, legal fees and loss of federal funding. Even regulations that don’t traditionally connote with EDU apply.

The Health Insurance Portability and Accountability Act (HIPAA), for instance, governs how school health services store and share student health information with other parts of the school community. The same violations that apply to FERPA apply to HIPPA since health records fall into the same bucket of educational PII, meaning systems can be doubly liable if they aren’t effectively covering their bases.

A teacher’s reach can only go so far in making sure students act safely online in the classroom, let alone when they leave campus. Equally restrictive for many school districts are the capabilities of IT, who often employ multiple solutions to meet the varying layers of compliance that schools are tasked with adhering too – not to mention assuring network performance as bandwidth demands explode under 1:1 initiatives.

For schools to be compliant and comprehensive, they need to be able to manage all the devices using the school network – along with the devices students take off campus – from a single pane of glass. Taking a holistic view of all network activity rather than splintering control among different interfaces and consoles keeps IT more aligned, which is a great starting point in keeping network management tenable as bandwidth grows.

A distributed solution that checks all the boxes

WHITEPAPER / K-12 Cybersecurity: More than Just CIPA Compliance / PAGE 4

About ibossThe iboss Distributed Gateway Platform is a web gateway as a service that is specifically designed to solve the challenges of securing distributed organizations. Built for the cloud, iboss leverages a revolutionary, node-based architecture that easily scales to meet ever-increasing bandwidth needs and is managed through a single interface. The iboss Distributed Gateway Platform is backed by more than 110 patents and protects over 4,000 organizations worldwide, making iboss one of the fastest growing cybersecurity companies in the world.

To learn more, visit www.iboss.com or contact iboss at sales@iboss.com

The iboss Distributed Gateway Platform leverages a node-based platform that allows schools to implement cloud-delivered web gateways without having to rearchitect their security infrastructure. Physical gateways can be delivered as a drop-in replacement to legacy appliances to help assure records are stored within a district’s database, for instance. iboss’ cloud gateways help vet mobile traffic when students and teachers take their devices off the school network.

By leveraging a cloud-based gateway architecture, schools don’t need to invest in costly MPLS and VPN technologies to backhaul mobile traffic. And because all management takes place from a single pane of glass, there’s feature parity among the protections delivered through all gateways to all devices, meaning consistent cybersecurity wherever digital learning takes students.

iboss, Inc.· U.S. HQ 101 Federal Street, 23rd Floor, Boston, MA 02110© 2018 All rights reserved. iboss, Inc. All other trademarks are the property of their respective owners.

Ensuring cybersecurity goes well beyond compliance, iboss helps the nation’s largest schools protect students from all cyber threats. Learn how Boston Public Schools took a proactive approach to cybersecurity.

The iboss Distributed Gateway Platform employs many advanced threat detection and prevention capabilities in a single platform that academic IT can deploy cost effectively and with minimal interruption to network performance.

JC -

01 •1

8