A version of this post was originally published on April 9th, 2019, in Education Technology, as the first part in a series regarding safeguarding data in educational institutions. Check out the following parts of the roundtable managed by Steve Wright here, here and here.
Q. We all know about the importance of data security. But can you outline some simple, practical and affordable solutions for schools and universities?
I wish there’d be an easy answer to this. The thing is, educational institutions of all shapes and sizes have to manage a lot of sensitive data, be it related to their students or the faculty body and everyone who ever sets foot on the school’s premises. We’re talking about sensitive private information, like social security numbers, financial information, healthcare information, intellectual property, and so on, and so forth. Solutions do exist to protect all this data at any given time, but they’re hardly simple, practical and affordable at the same time. Something’s gotta give. What exactly, depends on the priorities and resources of each educational institution.
Q. Is all the existing technology being made sufficiently available, and easily adoptable, to schools and universities? Are they sufficiently aware of a) the risks out there and b) the solutions available to them?
I do believe people are very much aware of the threats that can be associated with storing and modifying sensitive data online. There are in fact many rules and regulations that any educational institution must comply with in terms of digital security. However, it’s very hard to keep up with everything, since most of those norms have been designed based on other industries (financial student data must comply with financial laws, while healthcare data with healthcare laws, etc.). Relying on a powerful antivirus program or on a cloud-based infrastructure can sometimes be enough, but taking extra steps to ensure online safety can go a long way, especially in the case of higher education institutions, that are targeted by cybercriminals more often than many other types of organizations.
Q. How much of this comes down to material solutions (better software, etcetera) – and how much down to human solutions (better training for staff and students in correct and responsible use of data)?
There’s always room for improvement, on both these fronts. Even the most secure software can be hacked. Technology advancements are constantly being made to ensure any system has the smallest possible chance of being accessed by people with malicious intent — and some have really impressive results — but things are not always perfect. On a different note, a significant number of data breaches in educational institutions are due to negligent actions from the part of staff. From sharing passwords to compromising files to losing devices to everything in between, staff and students should get better training on how to be responsible digital citizens.
Q. Do schools and universities face a slightly different set of concerns, when it comes to data security, than other industries?
To some extent, they do. When a student’s file is compromised, the malicious actor gets a bird’s eye view on the life of that student, not just on one particular area of it: there are academic results, financial records, health data, family details and more. This affects the victim in more than one way and the situation can be exert influence on other people that are external to the school or university as well. What makes it harder for educational institutions to prevent any kind of data breaches, compared to banking companies or organizations from other highly regulated industries, is the fact that it needs to balance a secure environment with an open one; because the access to education and new findings of research should be open to everyone.
Q. Is there one particular area – e.g. loss of sensitive information such as pupil profiles or exam results; malware; phishing; etc, where schools and universities are particularly at risk?
According to a rather recent report, education has scored the lowest place in terms of online safety, from a total of 17 industries. I believe nobody is particularly proud of these results. All the above examples are aspects of digital security in educational institutions that could use more attention and more targeted measures in order to decrease both their number of instances and the one of the most serious consequences.
Q. In terms of its data security, how does the UK education sector compare with a) other UK industry sectors and b) other education systems around the world?
Online security is obviously a global problem. The UK may be above many other states in terms of ensuring digital security across all industries, but this does not mean the fight against cyber crimes is won. The education sector continues to be negatively affected by a lack of awareness to the variety of such attacks, a challenge to adapt different security solutions to each institution and poor responses to vulnerability notifications. To end this on a paradoxical note: things are not that bad, but they could definitely be better; it all depends on your term of comparison.