Digital Transformation has occurred across all industries – including education. Though the advantages of this are numerous, it has also posed new challenges around data security. Irfahn Khimji, Chief Systems Engineer at Tripwire, tells us what these new challenges are and provides advice for teams with limited resources on how they can create a simple but effective data security strategy.
How has increased digitalisation across many educational institutions created new data security challenges?
The education system has been fairly static for many generations. Students go to a classroom of sorts and a teacher teaches them. The technology may have gotten better, going from the chalk board to the white board, to a smart board, but the in-person aspect never changed. Circumstances have caused an immediate Digital Transformation of the classroom in which we see similar challenges to other industries that are going through Digital Transformations.
First, the primary goal of the digitalisation is to get the students learning online as quickly as possible. Anything that slows down this primary goal gets overlooked. Security, rightly or wrongly, often gets overlooked as it takes additional time to think about and implement. Even if there are some base minimums to maintain compliance with data protection regulations, these are often quickly added or completely overlooked so that the primary goal is attained.
Second, there were significant unplanned costs associated with digitising education. New equipment, software and training were all required without any planning or notice. Unfortunately, when dollars are scarce and cuts need to be made, security is one of the first things to be skipped.
Third, data security, if done correctly, is transparent to the user. If the users do end up seeing the security controls, it is because it blocked them from doing something. If the user is blocked from doing what they need to do, they will try to find a workaround or bypass to skip the security control. When going through the sometimes-frustrating task of learning a new delivery method, security controls often get dismissed.
How is this further aggravated by the increase in personal data now processed and used in light of the pandemic?
It’s one thing to deliver educational material over a new digital medium, it’s another thing altogether to process personal and private information of students and teachers digitally. There are multiple regulations and standards that require Personally Identifiable Information (PII) to be protected. If educational institutions are or are going to be processing PII digitally, they must adhere to these standards to ensure they are safeguarding the information of their teachers and students.
The other aspect to consider is that educators who previously only had access to student data within the confines of the school network now may have access to this data on their home networks. Are they accessing it in a secure manner? Have they secured their home networks? Are they using personal devices or devices issued and managed by the school board?
How should organisations respond to these challenges?
The first thing to consider is who has access to what data and on what devices. Following the principle of least privilege, are those accessing the data authorised to access it? Are the devices they are using to access the data secured? In order to do this, the IT personnel need to start by taking an accurate inventory of the devices accessing the data. Next, they need to ensure that the devices that are accessing data are doing so within a secure environment. This can be done by implementing VPN connectivity to the data, implementing Zero Trust methodologies and verifying that the devices connecting in are configured securely, up to date with the latest security patches and not running any known malicious software.
In parallel to this, the teachers, students and everyone else involved in the education process need to learn about the risks of the new teaching environment. For example, just like how everyone in a school is taught basic physical safety, everyone needs to be taught basic digital safety. Thus, security awareness training should be a key component of the education system.
What are the implications for organisations that fall foul of proper handling of personal data?
Several aggregated stats on educational institution data breaches in the US can be found here: https://www.comparitech.com/blog/vpn-privacy/us-schools-data-breaches/
According to the IBM cost of a data breach report in 2021, the average cost is US$161 million per lost or stolen record and the average cost of a breach in the education sector is US$3.79 million.
Can you provide any interesting or innovative suggestions on how teams in this industry can instill a strong security culture?
The education system has some great ways to teach safety and security of their physical environments. Students as early as elementary school have activities like fire drills and other education sessions geared towards safety and security. Similar types of activities can be used for digital and online safety.
Culture change is not easy to do; it requires everyone to individually practice what they preach. Thus, practicing safe cybersecurity needs to start from the ministers of education to the school boards, to the deans, principals, councillors, teachers and the students. There will be times when people make mistakes, but there need to be the appropriate education mechanisms in place to teach and remind everyone of the appropriate safety procedures.
What advice would you offer to teams with limited resources on creating a simple but effective data security strategy?
The most effective thing teams with limited resources can do is to focus on the basics. Spend time on educating the users, monitoring what devices and users are accessing what systems, and helping ensure that those systems are configured securely and up to date with the latest security patches to safeguard the integrity of the digital assets.
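The "who has access to what data, on what devices" check described in the answer on responding to these challenges, and the "monitor which devices and users access which systems" basics in the closing answer, can be turned into a small, repeatable review. The following Python script is an added example written for this page; it is not code from Tripwire or the interviewee. The role-to-data matrix, the 30-day patch threshold, the device records and the access requests are all constructed assumptions chosen to illustrate least-privilege entitlement plus device-posture (managed, patched, malware-free, on VPN) checks together, which is the Zero Trust idea of verifying both the user and the device before granting access.

```python
"""Least-privilege and device-posture review over a constructed device inventory.

Added example for this interview, not Tripwire's or the interviewee's code.
Every record, role and threshold below is a constructed assumption.
"""
from dataclasses import dataclass
from datetime import date

PATCH_MAX_AGE_DAYS = 30  # assumption: "up to date" means patched within the last 30 days

# Least-privilege matrix (assumption): which roles may access which classes of data.
ROLE_ACCESS = {
    "student": {"course_material"},
    "teacher": {"course_material", "grades"},
    "registrar": {"course_material", "grades", "student_pii"},
}


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool          # issued and managed by the school board?
    last_patched: date     # date of the most recent security patch
    malware_detected: bool # endpoint tooling has flagged known malicious software
    on_vpn: bool           # connection arrives over the institution's VPN


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    device: Device
    data_class: str


def device_posture_issues(device: Device, today: date) -> list:
    """Return a list of posture findings; an empty list means the device passes."""
    issues = []
    if not device.managed:
        issues.append("device not managed by the school board")
    if (today - device.last_patched).days > PATCH_MAX_AGE_DAYS:
        issues.append("security patches older than %d days" % PATCH_MAX_AGE_DAYS)
    if device.malware_detected:
        issues.append("known malicious software detected")
    if not device.on_vpn:
        issues.append("not connected over VPN")
    return issues


def evaluate(request: AccessRequest, today: date) -> tuple:
    """Return (allowed, reasons): deny on missing entitlement or any posture failure."""
    reasons = []
    allowed_classes = ROLE_ACCESS.get(request.role, set())
    if request.data_class not in allowed_classes:
        reasons.append(f"role '{request.role}' is not authorised for '{request.data_class}'")
    reasons.extend(device_posture_issues(request.device, today))
    return (not reasons, reasons)


# Constructed sample inventory and access log (not real devices or people).
TODAY = date(2021, 9, 1)
DEVICES = {
    "lab-laptop-01": Device("lab-laptop-01", True, date(2021, 8, 25), False, True),
    "home-pc-ms-lee": Device("home-pc-ms-lee", False, date(2021, 3, 2), False, False),
    "admin-desk-07": Device("admin-desk-07", True, date(2021, 8, 30), True, True),
}
REQUESTS = [
    AccessRequest("ms.lee", "teacher", DEVICES["lab-laptop-01"], "grades"),
    AccessRequest("ms.lee", "teacher", DEVICES["home-pc-ms-lee"], "grades"),
    AccessRequest("student42", "student", DEVICES["lab-laptop-01"], "grades"),
    AccessRequest("registrar1", "registrar", DEVICES["admin-desk-07"], "student_pii"),
]


def access_report(requests, today):
    """One row per request, (user, device, data_class, allowed, reasons), for IT review."""
    return [(r.user, r.device.device_id, r.data_class) + evaluate(r, today) for r in requests]


if __name__ == "__main__":
    for user, dev, cls, ok, why in access_report(REQUESTS, TODAY):
        print(f"{user:12} {dev:16} {cls:16} {'ALLOW' if ok else 'DENY '} {'; '.join(why)}")
```

The same teacher is allowed to see grades from a managed, patched, VPN-connected laptop and denied from an unmanaged home PC, which is the point of checking the device as well as the person. The report rows are deliberately plain tuples so a small IT team can dump them to a spreadsheet and work through the DENY lines, each of which names the specific control that failed.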