I totally understand why you feel that way when I have heard about the shambles of a lot of companies in the public sector. The Sony case is an interesting one because they did the hard stuff right for the most part and did the easy stuff wrong. However, a cloud-based MIS, if set up in the right way, should not be vulnerable in that way. However, nothing is impossible and other things could take the service down. Sony was a high target for many reasons including PCI, political issues, corporate espionage and many others. An MIS system is not such a target; however, this does not mean security should not be taken seriously.
This is just so wrong. The common problem schools have is to do with the suppliers and their management, either of the infrastructure or of the software. Look at Progresso. Look at historical problems with ParentPay, ParentMail, Capita's hosting in Norfolk (or was it Kent?) - there is a pretty big list of suppliers getting it wrong and customers just having to sit there suffering. There are some real disasters waiting to happen. Sony isn't some small company without the means or (one would hope) the in-house expertise to do proper security - yet even they can stuff it up big time for their customers. What makes you so sure your company is better than the lowest common denominator of "only human"? How could it be!
In my opinion schools should always speak to other schools and ask them what their experience has been. I know as a company we spend almost nothing on marketing; the only public thing we do is the Bett show. We get over 90% of our schools as recommendations from other schools and that is how we are growing. It is ensured our standards are high because we are building our business upon having a reputation for having the best product (including reliability in this, because it can be the best product in the world but if you can't get to it, it's useless) and support.
Again, you are totally correct: humans are normally the main cause of security issues. This is why it is important companies train their staff about security. Most major attacks these days are on the back of social engineering; if you can stop this and flag this behavior you are going to be more secure as a company. The other issue is misconfiguration or ineffective setup. This can usually be picked up by good pen testing, not just running an automated scan, or putting a WAF on and thinking you are safe, which makes me cringe every time. Especially as you can get through PCI DSS with known security flaws if you have a WAF. A company SHOULD have better resources to mitigate these threats than a school.
Again, my advice is to really drill down into the company that is supplying your MIS; ask them every question that is important to you. They should go out of their way to help you at this stage; if not, that will probably give an insight into their aftercare. Also, they should be more than willing to do this, as when they buy stuff they should be doing the same thing. After a few conversations you will soon be able to see what their knowledge and services are like. Again, talk to other schools and see what they are saying. Personally, it is pretty rare I buy something in my personal or professional life without reading or getting reviews on that product.
You can also have a cage full of monkeys who know next to nothing about the set-up or particularly your data. And of course you won't know that because the supplier sales folks aren't showing pictures of the cage on their power points. MIS suppliers don't have a monopoly on employing knowledgeable professionals. Sometimes it seems they don't even do very well at it.
A good MIS will do that. The advantage of a web-based one is 100% reliability with redundancy. At the end of the day that is what you are paying for and that is what should be delivered. If a motherboard goes in a server, fail-over should happen and as a school you should never notice. You get that included. I have never seen a school system with multimaster servers; I'm sure there is one out there but they are few and far between. You do an update on your school server, it goes down, you have no MIS till you fix it. If a cloud-based system breaks, the plus is it's somebody else's problem; the negative is you have no control over that. However, we are back to square one: is it a company you can trust?
Some do. Some don't. The question might be which provides the best value to the school. A good MIS system will sit at the centre of a school's management services and provide long term intelligence to the school's teachers and senior management. It is a key/core asset. Companies that outsource their core assets and function often end up paying a heavy price. First, the companies that now provide the core services can't help noticing they have their customer by the dingle dangles and if the sales manager wants to hit their bonus, they can always just squeeze a bit. Second, when the service companies do have problems, the health of your business is now tied directly to theirs. You outsourced your expertise but in the process assumed all the operating risk of your own company *and* another, completely alien one. I personally think that is a pretty dumb move. Why would you want to do that?
The smaller cloud-based MIS providers are probably all outsourcing hosting; building a data center costs millions, so smaller companies just can't afford it. Some are probably doing it better than others. With hosting you normally get what you pay for, from support, uptime guarantees, disaster plans (including nuclear strikes), support, auditing ability. I would never go with a data center that I couldn't visit and check things are being done well. Again, it's interrogating the company, making sure you are going to get a good service from them. Also, when it is business critical, using multiple vendors and risk assessing those vendors. Also making sure you are left flexible if you get bad service or unsustainable price hikes, being able to move without it affecting your customers.
All the points you raise are valid ones and ones I would be asking if I was buying an MIS personally. I would also be looking for schools that are using the product that are similar to the school I was buying an MIS for in size, type and structure.