Education lives in an era of big data and small devices. Smart devices, systems, and services that talk to other devices via the Internet mean educators and students alike can be more productive. But this new-found freedom, combined with mobile access to always-connected, cloud-based software, has created headaches for anyone tasked with the job of securing it all.
An incredible amount of data flies in and out of our classrooms. The cloud and social media have helped districts store and distribute student and faculty data less expensively, but this readily available data can easily expose teachers’ personal information as well as student test scores, social security numbers, and medical history to cyberhackers.
Research conducted by iStorage at the recent BETT education technology conference revealed that 130 of 290 respondents have lost a portable storage device that contained personal or work-related data. The same report noted that 97 percent of all respondents carry data on USB sticks, portable hard drives, CDs or DVDs; 73 percent do not encrypt the data on these devices; and 97 percent consider data loss to be a growing concern.
How can educators innovate with technology and still protect faculty and students from data breaches? Here are seven strategies to increase protection.
Secure Every Device
Don’t let hackers walk through the front door. Failing to secure every device that connects to the school’s network provides the ultimate open campus. Secure Mobile Device Management forces people to install a profile to ensure they meet minimum security status. If left unchecked, consider the possibilities:
In Greenwood, Ind., teachers and administrators had programmed the school’s iPads to allow only educator-approved downloads. Within hours of receiving the tablets, though, hundreds of students managed to reprogram their iPads to download games and social media apps. In Los Angeles, where the school district has begun giving out a planned 600,000 Apple iPads, entrepreneurial students sold a workaround to classmates for $2 a pop. In each case, these devices could have been used to plant malware or hack into the school network.
The ideal mobile device management tool is compatible with all common handheld devices; can function through multiple service providers; can be implemented directly over the air, targeting specific devices as necessary; can quickly deploy next-generation hardware, operating platforms and applications; and can allow a school district to add or remove devices as needed. If an unauthorized entity tries to log into the school network, it will be denied access.
Encrypting data can prevent information from being stolen or held ransom. Many educational facilities have sophisticated exterior protection such as a firewall, but very few take steps to protect data at rest (the data that sits on a hard drive of a server or desktop computer). All data on a disk should be encrypted so that if a device is stolen or compromised, the data that resides on it is still protected.
Data Loss Prevention (DLP): Monitoring the Flow
Districts must monitor the flow of outbound data and stop it based on policy. Data loss prevention systems can operate at the network level and the host level. These systems are configured with rules to detect important data that an educational facility owns and to ensure it is being moved across a network properly and not off-loaded to an unauthorized device. The rules these systems operate with have to be maintained, and alerts for violations of those rules need to be reviewed and acted upon by the Security Operations Center to protect against exfiltration of personally identifiable information (PII).
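A DLP rule of the kind described above, as an added example that is not taken from any product or from the article's author: it detects U.S. social security numbers in outbound content and decides per destination whether to allow, alert, or block. The destination names, the sample payloads, and the three-way policy are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Candidate SSNs: 3-2-4 digits, optional dash/space separators, no adjacent digits.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

# Hypothetical policy: systems approved to receive student records.
APPROVED_DESTINATIONS = {"sis.district.example", "backup.district.example"}

def plausible_ssn(area, group, serial):
    """Drop values that are never issued, to cut false-positive alerts."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def find_ssns(text):
    """Return masked matches so the alert queue never stores a raw SSN."""
    return ["***-**-" + m.group(3) for m in SSN_RE.finditer(text)
            if plausible_ssn(*m.groups())]

@dataclass
class Verdict:
    action: str                       # "allow", "alert" or "block"
    reason: str
    matches: list = field(default_factory=list)

def evaluate_flow(destination, payload):
    """Apply the rule to one outbound transfer."""
    hits = find_ssns(payload)
    if not hits:
        return Verdict("allow", "no PII rule matched")
    if destination.lower() in APPROVED_DESTINATIONS:
        return Verdict("alert", "PII sent to approved system; queue for review", hits)
    return Verdict("block", "PII sent to unapproved destination", hits)

# Constructed sample payloads (not real data).
ROSTER = "Roster: Jane Doe, 123-45-6789, grade 7; John Roe, 000-12-3456"
NOTE = "Call the front office at 555-123-4567 before noon."

if __name__ == "__main__":
    for dest, body in [("files.example.net", ROSTER),
                       ("sis.district.example", ROSTER),
                       ("files.example.net", NOTE)]:
        print(dest, evaluate_flow(dest, body))
```

The phone number and the never-issued `000` prefix produce no match, which is the rule maintenance the paragraph refers to: without that validation the review queue fills with noise.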
Web Filtering: A Necessary Nuisance
The Children’s Internet Protection Act (CIPA) is a federal law passed by Congress in 2000 to help ensure the safety of children accessing the Internet over school and library computers. Any organization that receives funding through E-rate or the Universal Service Fund must meet the requirements of CIPA. Among those requirements are a web filter and the blocking of visual depictions that are pornographic, obscene or harmful to minors.
Using standard web filtering technology to block social media sites, or using policy-based, application-aware technology to allow viewing of social media while disallowing posting, may seem like a slam-dunk security solution, but will it hinder learning? Providing safe access to dynamic content and collaborative tools while accommodating BYOD and mobile learning programs—all while toeing the CIPA line—is a question that must be addressed internally. Making web filtering policies a collaborative effort between IT, teachers, administrators, school boards, parents, and even students can ensure that all needs and viewpoints are addressed.
Educate Staff: A Little Learning Goes a Long Way
Understanding the ramifications of device safety and what can happen if your device is compromised or stolen is imperative.
For example, a South Carolina teacher was recently forced to resign after a student allegedly stole nude photos from her phone. The teacher claims the student got into her phone and shared private pictures. However, the district blamed the teacher. A crime was obviously committed, but was the wrong party blamed? In this case, secure wireless and device monitoring could have detected and stopped that data transfer from the phone on district WiFi to social media.
If we examine the largest data breaches at companies such as OPM, Target, Home Depot and Sony, it is obvious that technology did not protect them. In each case, hackers successfully exploited human mistakes like accessing the Internet from unsecured networks to steal data. The advent of mobile devices like smartphones and tablets has also made the human element even more vulnerable because this area of security is often overlooked and is, in fact, the weakest link in the cybersecurity chain.
Schools should have policies that are clear about the steps individual teachers must take to secure data. Good places to start are Common Sense Education and Common Sense Media, which provide teachers and schools with free research-based classroom tools to help students harness technology for learning and life.
Educate Students About Cybercrime
In 2000, 77 percent of public schools had Internet access whereas 100 percent do today. Sometimes children don't understand the potential criminal ramifications of cybercrime, be it hacking into a school’s network to steal information for profit, bullying, or conducting a DDoS attack as a prank.
Students could potentially piggyback onto unsecured WiFi networks without ever leaving school property, making them susceptible to cybercrime. Providing lessons in “digital citizenship” by securing the network in the first place can go a long way to help protect school assets and the student’s identity.
Seek Outside Help and Funding
Most districts have limited expertise or resource bandwidth to deal with the complexities of digital security and compliance. Third-party security services providers have the ability to monitor, manage and protect control systems to fill that cybersecurity gap. An MSP that employs both technology and an intelligent human network of on-site personnel can monitor and act as a full operations team. Technology, if deployed correctly, is a force multiplier for intelligent human beings.
MSPs can also help districts with compliance so that teachers and administration do not have to double as security officers or IT staffers.
Funding is even available to help cash-strapped K-12 schools, libraries and school districts ensure that their facilities have affordable and secure broadband access. E-rate provides discounts of up to 85 percent to public and private schools and public libraries on purchases of telecommunications services, Internet access, networking equipment and related software and services such as installation and technical support. E-rate information can be obtained here.
Cybercriminals are a resilient species – the more you attack and try to defeat them, the quicker they evolve and find new ways to infect your network. Security is an ongoing process. With the right strategy and implementation, your district can avoid feeding the beast.
Mike Baker is founder and Principal at Mosaic451, a cybersecurity service provider and consultancy with specific expertise in building, operating and defending networks.