Watch Demo×

See NinjaOne in action!

By submitting this form, I accept NinjaOne's privacy policy.

How Lax School Device Management Threatens Schools

An image of a man on a desktop for the blog Lax School Device Management Threatens Schools

Every year, students and teachers manage back-to-school stress, but this year, anxieties are up a notch as the specter of a pandemic looms and schools struggle with simply meeting students’ needs. This year, many schools are taking a hybrid approach to school, combining elements of in-person and remote learning. But among the complexity of teaching remotely, one area that hasn’t been looked at closely enough is the school device management practices of newly remote educators and students.

Educational institutions have historically been a target for cybercriminals, especially K-12 schools, which suffered more than 1,000 instances of ransomware since 2019. Over the summer, the FBI went as far as to issue a formal warning to schools that ransomware posed a significant threat for this school year. And in North Carolina, schools across the state saw a record number of ransomware incidents in 2020, including a recent attack that delayed the first day of school.

To better understand the degree to which educators and students are exposed to cybersecurity threats, NinjaOne surveyed 500 educators across various types of schools, including public and private K-12 schools and public and private universities. The survey was conducted on August 28, 2020, with PollFish. 


An image of a graph showing different types of educational institutions
What type of educational institution best describes your workplace?

Despite the heightened risks and threats schools and universities face due to remote learning, some form of remote learning will likely continue even after a vaccine is developed. Now is the time for school IT leaders and MSPs that service education clients to take stock of challenges and work hard to institutionalize changes so schools are ready for a digital world.

“As school districts, teachers, parents, and students have no doubt thought endlessly about how this school year will actually play-out, there is potentially one area that has not received enough consideration,” said NinjaOne Chief Security Officer Lewis Huynh. “The average consumer household, with arguably the weakest levels of cyber-security protection, has now collectively become the largest attack surface available to hackers. This makes it extremely critical that IT, Security, and Networking Teams work together on remote connectivity solutions that focus on a trifecta of usability, performance, and protection.”

A Mixed Approach To Device Management And Security

Devices Used Daily


An image of a bar graph showing the percentage of devices students use on a daily basis
What devices do you use on a daily basis to teach or support students?

As expected in a remote learning world, mobile devices like laptops, smartphones and tablets were among the most used devices used by educators on a daily basis. 56% of educators used smartphones on a daily basis, while 47% used tablets. Perhaps unsurprisingly, 87% of educators were using a laptop or desktop. This finding mirrors recent trends in the increased use of smartphones and tablets in the classroom to enhance lessons and an abundance of apps geared towards educators.


An image comparing the usage of smartphones and tablets
Almost half of the educators surveyed devices to teach or support students on a daily basis.

Printers and webcams also ranked highly among remote devices used by educators. These innocuous-seeming devices contain their own risks, such as spyware to record private conversations or steal personally identifiable information from scanned and printed documents. 


Security Disparities Between Educators Using Own Devices


An image of a graph showcasing a percentage of schools that provide devices
Does your school provide a device, or multiple devices, to you for remote learning or administrative purposes?

Adding more complexity to the issue, many educators use their own devices to teach. In our survey, we found that 15% of educators’ schools don’t provide them with devices while 16% are allowed to use either their own devices or those provided by the school. However, 69% of educators surveyed reported their school did provide them with devices. A BYOD approach introduces additional complexity by raising the risk of a cyberattack or breach, most commonly through phishing attempts.


An image of a bar graph showcasing a percentage of schools that provide devices with additional security software
Are the devices provided by the school installed with any additional security software?

Among those using devices provided by their school, 58% indicated their devices are installed with anti-malware or anti-virus software. Additionally, 43% had a customized web browser installed on their device and 37% indicated they had authentication software installed on their devices. Only 10% didn’t know whether the devices provided by their school contained additional security software.

The numbers told a different story for educators using their own devices. 32% of educators that used their own devices were not required to install any additional security software. Of the 65% of respondents that were required to install additional security software, 44% installed authentication software, 34% installed a customized web browser and 35% installed anti-virus or anti-malware software.

“The lack of authentication protocols on school devices is a liability that multiplies with every additional device connected to the network,” said Coveware CEO Bill Seigel. “Re-used or weak passwords are an ‘oldie, but goodie’ for cybercriminals looking to gain access to a network, and authentication layers, like multi-factor, are the antidote. This will end badly for schools it is just a question of who gets hit, and when.”

Most Network Connections Meeting Industry Standards


An image of a grab showing a percentage and their answers for the question "How do you connect to your school's network?"

When asked how they connect to their school’s network, 59% of educators reported using a VPN. 25% of respondents used an RDP connection and 16% used neither a VPN or RDP but rather signed into a virtual school through any browser.

For educators that may be accessing private student data, it is concerning that some aren’t using a secure connection. This poses a significant security gap that should be at the top of any list of security priorities. Ultimately, the security of connections via VPN or RDP are dependent on the vendors offering the service. For this reason, IT leaders should perform a careful analysis of the security standards of every vendor they partner with.

Cybersecurity Training Represents Opportunity For Improvement


An image of a graph showing the percentage of yes and no answers for the question"Have you received any training or advice on how to protect yourself and students from cybercriminals?"

Almost three-quarters of educators surveyed reported having undergone some kind of cybersecurity training. However, 28% had not received cybersecurity training. Routine cybersecurity training is a highly recommended practice that allows leaders to communicate priorities, answer questions and proactively mitigate threats like phishing.


A bar graph that shows different topics

Among those that did receive cybersecurity training, 55% were taught how to identify and respond to suspected phishing attempts, 48% were taught how to prevent computer infection by adware, malware and spyware, and 41% were taught how to configure their web browser to minimize data exposure. Only 2% of respondents did not receive training in any of the scenarios.


More than a quarter (28%) of respondents had not undergone any cybersecurity training.

Based on these findings, security lapses among educators using their own devices could expose schools to new threats and raise the likelihood of data theft. School IT leaders and MSPs working with clients in this sector should focus on ensuring all educators are equipped with a unified security policy that covers foundational elements such as anti-virus and multi-factor authentication to access devices and applications used by educators.


Student Device Management Practices Similar To Educators


An image of a graph that showcases the answers of students

Looking at how schools manage devices among students, we found that 66% of students were supplied with devices by the school, but 20% of students were not provided with devices and 14% had the option to use either their own devices or devices provided by the school.


An image of a bar graph showcasing the answers of student devices that have installed additional software

For students that were supplied with devices, 46% of respondents indicated student devices were installed with anti-malware or antivirus software, 41% of school supplied devices were installed with a customized browser to limit data leakage and 35% of school supplied devices were installed with authentication software. 


An image of a bar graph showing the percentage of students using their own device who are required to install additional security software

However, for students using their own devices, 42% of respondents indicated that students weren’t required to install any additional security software. Among students that were required to install additional security software on their devices, 36% of respondents indicated students’ personal devices had to be installed with anti-malware or antivirus software, 33% had to install a custom web browser and 27% had to install authentication software.

Overall, student device management and security echoed that of educators. When devices were provided by the school, educators and students were more likely to have basic security software installed on their devices. But for both groups, those that used their own devices had much lower rates of additional security software installed on their devices and many weren’t required to install any additional security software whatsoever.

With nearly a third of students potentially using their own devices to connect to their school’s network, school IT leaders must make remote endpoint security a priority to protect school networks and student data.


ChromeOS Tops List of Most Used Operating System On School Devices

An image of the top operating systems used by educators

Among respondents using devices provided by their school, 60% reported their devices use the ChromeOS operating system. 42% of respondents indicated their school supplied devices used the Microsoft Windows operating system and 32% of school devices used Apple’s iOS or MacOS operating system.

Google’s ChromeOS has surged in popularity among schools thanks to its high security standards and user friendly design. For school IT leaders, moving all students and educators to more secure devices should be a goal, but additional steps to properly monitor, manage and secure remote devices must not be forgotten.


Based on these results, many schools appear to lack a consistent device policy that would protect educators, students and school networks. In the first weeks of the school year, we’ve already seen how insecure school networks can be as multiple school districts around the country were forced to delay their school year due to cyberattacks. Ransomware, in particular, poses one of the most significant threats to schools and is a heightened risk school IT leaders must protect themselves against in an era of remote learning.

With schools facing uncertain budgets this year due to the coronavirus and deadlock in Congress, one area that school IT leaders and MSPs that service the education sector can make the most difference with the least amount of resources is educating students and staff on basic cybersecurity training and hygiene. 

Now more than ever, the benefits of having a remote endpoint monitoring and management platform installed across every device are salient. From the increased agility and intelligence derived from a remote monitoring and management platform, school IT leaders can be more strategic in their actions while reducing costs and increasing the security and performance of remote end users.

Read more of NinjaOne’s original research and insights on our blog. There, readers can access free tools and resources to help you build a better MSP.

Read More:


Next Steps

Building an efficient and effective IT team requires a centralized solution that acts as your core service deliver tool. NinjaOne enables IT teams to monitor, manage, secure, and support all their devices, wherever they are, without the need for complex on-premises infrastructure.

Learn more about NinjaOne Endpoint Management, check out a live tour, or start your free trial of the NinjaOne platform.

You might also like

Ready to become an IT Ninja?

Learn how NinjaOne can help you simplify IT operations.

NinjaOne Terms & Conditions

By clicking the “I Accept” button below, you indicate your acceptance of the following legal terms as well as our Terms of Use:

  • Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms.
  • Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party.
  • Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library belonging to or under the control of any other software provider.
  • Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations.
  • Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks.
  • Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script.
  • EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).