Because of the highly sensitive nature of identity data, schools have a major obligation in securing student information. Here’s how to do it better.
Identity data is one of your school’s most valuable commodities. To make matters more pressing, the education sector is experiencing a huge spike in cyberattacks in the form of ransomware attacks.
For example, data collected in July 2021 by Check Point Research (CPR) found Australian schools rank fourth overall on their global tally of the most cyberattacks — behind only India, Italy and Israel, and well ahead of the US, UK, Germany, France and Brazil.
“Education has turned out to be a particular target because it’s seen as a soft target,” explains David Eedle, CEO of EdSmart. “Many schools aren’t prepared to defend themselves against cyberattacks.”
If they’re not already in place, David believes there are three important measures your school can introduce to better manage your identity data and, consequently, minimise the likelihood of falling victim to a ransomware attack or some other form of cybercrime. They are:
- Stronger IT security;
- Keeping your people involved in the management of their data;
- Real-time updates on changes to personal or sensitive identity data.
Stronger IT security
Stronger IT security is the most obvious measure that any educational institution can take to help keep their identity data secure. Given the number of cyberattacks nowadays, it’s also one measure that could benefit many schools.
“Over the last few years, there has been a massive push for all web traffic to be secure traffic, to be protected by some form of SSL (Secure Sockets Layer) or TSL (Transport Layer Security),” he explains. “There are different grades of security within SSL, so you want to be using the highest possible security grade absolutely everywhere. You should do whatever you need to do to secure everything you possibly do.”
The thought of where to start can feel overwhelming but that is no reason not to work on your IT security; in fact, it would be a huge mistake to neglect it. James Lacey, Head of GRC at CTRL Group, suggests that schools start by prioritising security solutions, with the depth of implementation informed by risk presented.
“If you have a web application supporting a critical school offering, you likely can’t afford to have that resource down for long,” he explains. “Have you looked into controls that support its availability? If hosting is outsourced, are you meeting the security obligations that you have in that outsourcing agreement? Are there sufficient controls to protect the confidentiality of data stored in that application?”
“Potential impact against confidentiality, integrity or availability of data is the easiest way to begin exploring what controls should be prioritised in your organisation.”
Keeping your people involved in the management of their data
James Lacey says that all staff have some degree of access to sensitive information, so it’s critical that organisations ensure they understand the security obligations they have when handling that data. Specifically, in a school environment, it’s vital that parents, students and staff have opportunities to verify the information you’re holding on them. This is what David Eedle describes as a right of access to personal data and, similarly, the right to be able to correct it.
“If you’re going to hold information about people, give them access to it; give them the ability to verify it, to check it and, preferably, to check on a reasonably regular basis. Don’t just assume everything’s okay. If a change is made, you tell them. It’s really important that you involve people in the management and protection of that data.”
“That also protects them against inadvertent or bad actor changes,” he adds. “If they have the ability to audit the information that’s being held, the customer then has confidence that the information is accurate.”
Real-time updates on changes to personal or sensitive identity data
As well as involving people in the management of their data, an important process that schools and IT managers should have in place is real-time communication whenever personal information has been altered. Interestingly, CTRL Group admits to seeing a lot of organisations failing in this area, not only for personal information but for payment details as well.
“If a third party has requested a change of payment information, does your team – and the teams of your partners – know the process to verify these changes?” prompts James Lacey. “The majority of breaches are motivated by financial gain and the simplest way to achieve that is to exploit an existing trusted relationship between you and your suppliers.”
“If something changes, you tell the affected stakeholders on the spot. If there is a concern or a suspicion, you need to respond quickly,” David Eedle adds. “It’s not good practice to tell someone a week later that their email address was updated.”
“These days, the banks are a good example of best practice,” he continues. “I know things still slips through but they genuinely try to give you real-time information about what’s going on.”
“I can remember when I had a certain credit card, and I’d use it for an online service, or a tool for EdSmart on an overseas website and, 30 seconds later, getting a phone call from the card issuer saying, ‘Hey, we just saw that you used this card for this thing. We just want to check that it really was you and if the transaction’s okay?’ Most of the time, it is okay but this step is essential for the times when it is not.”
David believes that schools need to do the same as the bank example when managing their identity data.
“When a student or a parent or a staff member changes important personal information, they should be getting an email straight away that says something like ‘We’re just letting you know that a piece of information about you has been updated on the website’. Everything today needs to be water-tight, which means advising on changes as they occur.”
In protecting and managing identity data at schools, there are three important processes that must be introduced.
Firstly, schools need to employ, as David describes it, “the strongest possible security, no excuse”. Furthermore, schools should give their stakeholders the power to manage and update their data, and understand how it’s managed to help instil confidence in that management. And finally, schools need to be able to notify stakeholders about changes to their information in real-time to prevent possible data breaches.
Ensuring these fail-safe processes are executed will go a long way towards reducing the likelihood of ransomware attacks and, even in the unfortunate case that an attack does occur, reducing the chance that valuable identity data is compromised.
Read the first article in this series, Why schools should prioritise the security of identity data.