In the third article of our series with CTRL Group about identity data in schools, we look at what schools should be asking from their EdTech providers.
“I read on Twitter about a business plan from 1995, where the owner of the start-up was trying to raise $15,000. One of the things he wanted to spend the money on was $5,000 for secure service software. ‘This does not seem to be an absolute necessity,’ he wrote. ‘There are a lot of sites on the Web where you can send your credit card number unencrypted. And to date, there have been no reports of the numbers being stolen, but catalogue companies may believe that a secure link is necessary, and spending this $5,000 would give Webgen a much more professional look’.”
“I was reading this and thinking, ‘Can you imagine the notion today of pitching a business plan where you say, ‘We’re not really worried about protecting credit card information’? Let’s just say that we’ve moved forward a long way from where a business in 1995 can say, “Look, we don’t really think that encrypting credit card numbers is an absolute necessity, but we think from a marketing perspective, it’s a good look’.”
David Eedle, CEO, EdSmart
There’s no denying that schools need to place a high priority on the protection of their identity data. Managing that data better can only occur by understanding the realities of cyber breaches and improving your practices. Accordingly, this also means demanding the same standard of diligence from any third party EdTech providers.
For schools who use EdTech products or services – or who are thinking about partnering with such a provider – there are a number of governance issues around the handling of identity data and any other sensitive information that school databases may store.
The reality is that many schools are not asking enough of the safeguarding of identity data from their third party EdTech suppliers, or just assuming that tech companies will have the appropriate practices in place.
As David Eedle, CEO of EdSmart, explains, “I remain amazed at the lack of questioning of us and our product when it comes to our cyber security capabilities. I don’t think our customers – or prospective customers – ask us enough questions about the way we protect their data.”
“What should schools be asking tech providers to make sure they’re getting the right level of data security?” he asks rhetorically. “They should be asking everything. Why should schools be asking tech providers about the protection of their data? So they can stay in business.”
There are three important areas that schools need to pay particular attention to when talking to a tech provider about identity data security:
- Access permissions;
- Eliminating ‘set and forget’ measures;
- Security-focused partnerships.
By prioritising these three areas for discussion, school leaders can enter a partnership with any given EdTech provider knowing that one of their institution’s most valuable commodities is protected.
In a previous era, the school’s perimeter fence was the boundary of the school grounds. In today’s globalised and digitally driven world, a school’s security perimeter is quite literally limitless.
As David explains, “Once upon a time, you had paper files and, in terms of document and information security, you just had to stop people carrying pieces of paper through the gate. Now, there’s no perimeter because it’s online and it’s global. Schools need to understand that, and schools need to understand the realities of investing in tools and services to protect themselves in this new age.”
“Specifically, when it comes to identity data, schools should be asking themselves — and any tech companies they’re partnered with — if they’re absolutely sure that the people accessing the data are supposed to access it,” David emphasises. “A school needs to be 100 percent confident that the people accessing identity data, and any student identity information, are the right people.”
Access to data should always be role-based, and the minimum necessary.
“Not all staff need to see everything,” he argues. “And so, the concept is that you start from zero access — nobody has access to anything — and then the IT manager or the tech provider turns on access to information that people need as roles are assigned. While you are in a particular role, you have access to certain pieces of information. If you move out of that role, your access changes.”
Eliminating ‘set and forget’ measures
In making sure your identity data is protected, you need to regularly review who has access to it and update security permissions accordingly.
“[Permissions] should be a constantly reviewed process of checking who’s actually able to get to all of these pieces of information,” explains David. “You have to go back once a year, twice a year or three times a year and ask questions like: Are these still the appropriate permission levels? What’s changed? Do we need to adjust the role permissions?”
As James Lacey, Head of GRC at CTRL Group, says, reviewing security controls is a point in time exercise. As businesses change, the scope of operations of the security management system must change with it.
“Having a clearly laid out set of rules when it comes to security though policy and procedure ensures that the scope of security controls is not outgrown by the scope of business operations,” he explains. “Verifying that your partners who store and process your critical data are effectively managing these security obligations is essential assurance both for the availability of service and protection of your data”
Mobile phones can be a prime security risk, given they’re considered personal devices but they still store company information. David uses EdSmart as an example of how mobile phones can be incorporated into security measures to protect identity data.
“At EdSmart,” he says, “we maintain an assets register of all our computers and mobile phones. If you’re a staff member, we register your personal device in our assets register because it potentially has access to other peoples’ personal information.”
“Mobile phones can be a point of weakness and cyber criminals will take advantage of any weakness.”
Many of us are subjected to strange-looking emails or phone calls from people claiming to be the police, tax office or our banks requesting our personal information. In the vast majority of instances, these are malicious attempts to gain access to our personal information and then to do who-knows-what once they get that access.
In the case of schools, this is how ransomware is unleashed on unprepared systems. A link is clicked, the downloaded code steals confidential information from your server, which is then uploaded to an encrypted cloud — to which the access key will happily be provided once you deposit a large sum of money (almost exclusively in the form of an untraceable cryptocurrency like Bitcoin). At least, that’s what you hope will happen.
To prevent this from happening, David believes it’s vital that schools approach cybersecurity with their EdTech vendors as a partnership.
“Cyber security and protecting identity data needs to be a partnership between the school and the vendor,” he states unequivocally. “It’s got to be an open conversation between the two parties about how the information is being protected, how it’s being managed and what measures are being taken to avoid a preventable cyber attack.”
“Whatever your school does internally to protect its data should be the bare minimum you require their vendors to do.”
As David notes, “There are some awesome, clever people working in tech in schools, and some of them really do get this and they work hard on it, but not every single school has got an IT director or manager.”
“At EdSmart, we’re pursuing ISO27001 accreditation, which is all about cybersecurity quality assurance. We believe that’s important to us, and it’s important for us around the quality of our business, the quality of our software and our people.”
“As part of that quality assurance, it is required that we schedule regular cyber security training throughout the year. The training has to address awareness, best practice, adherence to policy, making sure that staff understand, for example, about phishing attacks and so on.”
“This means, when a school partners with us, they are partnering with an EdTech company that always has their best security interests in mind.”
Partnering with tech providers who recognise the importance of protecting client data – and opening themselves to external scrutiny on their storage, management and protection of that data – should give schools and higher learning institutions some comfort. But it has to be a partnership; it can’t solely be the responsibility of the tech provider.
Additionally, schools and their EdTech partners need to work together to develop processes that manage the regular installation of security patches and software updates, identify access permissions and regularly review whether these permissions should be altered depending on who needs to have access to this sensitive information.
By working together, we can effectively combat cybercrime and ensure the identity data of our school communities is kept as safe as humanly possible.
Read the first article in this series, Why schools should prioritise the security of identity data, and the second, Managing your school’s identity data better.