EducationTHE TOP 5 CYBERSECURITY CONCERNS FOR SCHOOLS
Cyber security is now a major concern for schools. News of organisations being hacked becomes ever more commonplace and recent examples have shown prestigious independent schools having the personal data of their pupils leaked online, thus falling foul of the Data Protection Act.
As technology and Internet use pervades through schools, schools are right to embrace the efficiencies and benefits that the Cloud learning tools offer, but with greater connectivity, comes a need for greater responsibility to protect the the sensitive data they hold. Here, Infosec Partners highlights 5 concerns for schools facing increasing cyber security threats and provides solutions to overcome the challenges of protecting children in their care.
Schools are charged with the duty to protect children in their care but given the increasing dependence on connectivity, as well as the use of the Internet as part of the standard learning approach, how can they suitably provide this?
Learning versus Control
Children are naturally inquisitive and curiosity will often lead them to explore areas that they are told not to - the Internet is no exception. Simply withholding access to the Internet is not an answer. Schools have a responsibility to prevent children visiting adult, illegal or otherwise inappropriate websites. Teachers simply cannot oversee every website that each pupil visits, so how can we enable children to learn and still protect them from the dangers on the Internet?
Exposure of sensitive information
Ofsted inspections and audit guidelines relating to esafety have focused only on protecting children from being exposed to bad content on the internet, but there are more issues to worry about and far greater threats to the young and vulnerable than this.
The loss of sensitive data belonging to children and their families, such health and attendance, performance and disciplinary data may have a far greater social and psycological impact on the young and vulnerable, concluded a report from as far back as 2008 when Tanya Byron was engaged by the PM to write a report focused on the emotional impact of technology in schools.
Meet the Ofsted requirements
Web Filtering allows schools to block (blacklist) or enable (whitelist) specific websites and URLs. Content Filtering allows schools to block all known webpages containing content of more than 75 specific categories. It's the IP Reputation and Content Classification provided though services such as Fortinet's FortiGuard that empowers the Web & Content Filtering and keeps it up to date whilst also blocking malicious traffic. FortiClient in turn ensures that each device, whether a laptop of a member of faculty or a pupils' iPad, carries the same protection at home as it does in school.
Safeguarding Sensitive Information
Network security and the separation of curriculum networks from administration networks is a great start. Systems relating to learning tools are segregated from those holding sensitive information ensuring that those who only need to access the curriculum networks, cannot access systems where sensitive data is kept. In addition Next Generation Firewalls such as Fortinet's FortiGate appliances, come with Data Loss Prevention functionality built in. DLP primarily monitors internal network data and uses a variety of digital markers and pattern identification techniques to identify documents containing sensitive data and block them from leaving the school's network.
Competition & Funding
Each year sees an ever increasing competition between schools to attract the best students. Schools with the better reputation, grades and learning facilities always attract the better funding. A security breach could have critical impact on a schools reputation.
Duty of Care
Schools are charged with the duty to protect children in their care, so the loss of sensitive data belonging to children and their families, such health and attendance, performance and disciplinary data could have an enoromous social and psychological impact on the young and vulnerable.
High Net Worth & Influence
Independent schools, looking after children of high net worth individuals and people of influence, also face the added threat that data on these children may be targeted by those looking for leverage.
Privacy & Data Protection
Under the Data Protection Act, schools are their own data controllers and are responsible for complying with the eight principles of the Act outlining the appropriate usage, storage and protection of data. As a recent example of an Independent school in west London will show, there are significant repercussions for a schools' failure to comply with the act.
Safeguarding Sensitive Information
Modern networks must be resistant to modern threats. Bursars, shareholders and IT staff should be worried about network security, such as the separation of curriculum networks from administrative networks.
The loss of sensitive data belonging to children and their families, as well as school financial data, interim unpublished results of inspections, HR issues with existing or past staff etc. may have a catastrophic impact for the individuals and school alike, with legal ramifications for failure to comply with the data protection act.
Suitable cyber and information security protection for schools can be achieved with good security architecture, trusted advice and expertise from a dedicated security partner, and the use of integrated security solutions such as those from Fortinet.
As any Bursar or Headmaster will know, budgets are becoming increasingly squeezed, so how can one equate the spend on security solutions with benefits to the school, especially when all areas are clamouring for more funding?
The Cost of a Patchwork Network
Typically over time, technology is added to a schools' network infrastructure to meet each new security need. From funding to manageability, there are several problems with having technologies from many vendors.
i) Maintenance costs alone can be expensive especially with many vendors choosing a per seat model to charge for licensing.
ii) Running costs such as electricity, cooling and rackspace can add up, with each appliance on the network.
iii) Operational and management costs. Having different devices with different interfaces means more time learning about and trying to keep on top of al the appliances. This is time lost spent of supporting the school and other IT projects.
iv) The impact on security. With the majority of todays attacks using multiple vectors, having disparate point solutions for each technology, could leave the whole collection unaware of blended attacks, and effectively leave your school defenceless.
The benefits of an integrated solution.
An integrated security solution enables better cost effectiveness with lower CAPEX and OPEX, as well as scalability for future growth. Ease of management with fewer disparate interfaces means less time is required for staff to learn and to manage. An integrated solution also means better risk mitigation against blended threats.
Pioneers of unified and integrated security
Fortinet pioneered the concept of network security consolidation a decade ago, and continues to lead the industry. Each FortiGate appliance includes core security technologies such as firewall, intrusion prevention, application control, web content filtering, and VPN, as well as antispyware, WAN optimization, two factor authentication, antispam, and much more. Integrating multiple technologies on a single security platform, increases visibility of applications, data and users, resulting in improved control over your network coupled with increased performance.
Attracting and keeping hold of talent is an arduous enough task for the large Enterprise, so how are schools supposed to ensure they have expertise on-hand, especially for something as critical, complex and as fast-changing as cyber security?
Resources at breaking point
Given the increasing dependence on interconnectivity, and the use of the Internet and computer systems as part of the standard learning approach, there has been an exponential increase in the responsibilities of the average school IT manager.
So how can you ensure that the IT manager, and any internal staff they might have, maintains and supports the growing demands of pupils, faculty and staff - as well as hold expertise on something so critical, fast-changing and complex as cyber security? Often the answer is they cannot.
Fire-fighting (the process of dealing with the highest priority problem first amidst lots of shouting, wailing and general gnashing of teeth) is all too familiar for a school IT manager, especially for those with limited budgets.
Reaching out for Expertise
Outsourcing the schools' IT systems maintenance and support has become a popular way to try and balance the need for skilled resources and limited budgets. And whilst many may do a great job for general IT requirements, the vast majority are simply not skilled, certified or knowledgable enough to be able to ensure the comprehensive security which schools need.
A recent article in TeachingTimes.com states that "Dedicated security companies that manage the latest technologies to combat trends in Internet use are worth considering..."
Security today permeates an entire organisation. It cannot be provided by simply buying technology off the shelf. Expertise is required to shape a schools' security posture. From security awareness programmes (for pupils and staff), and devising a security strategy, architecting and maintaining a security infrastructure, to making well-informed decisions which prevent attackers from accessing the vast amounts of sensitive information a school has to offer, if the person tasked with creating the security programme only knows part of the picture, this could be catastrophic for the schools and its pupils.
Expertise in Cyber & Information Security
By working with high-performance integrated security solutions like those from Fortinet, supporting the Schools IT manager, and working in tandem with any outsourced IT support organisation, Infosec Partners provides the proven Security expertise to safeguard the school and its pupils.
In the new normal, where users including pupils, faculty and staff may be mobile (working away from school), and utilising online education tools stored in the cloud, how is the school's IT department able to provide support to its users?
'Bring Your Own Device' has become very common in the workplace and because of the operational and financial efficiencies it affords. Consider the cost of keeping the school’s own equipment up-to-date, or issuing pupils with school-bought devices, versus allowing pupils to bring in their own laptop or tablet. However unless sufficiently secured, BYOD can have a significant impact on the security of the school.
Making learning materials and tools accessible to pupils via the Internet can be invaluable whether it's for the provision and receipt of homework, sharing class schedules, or providing online test-exams and other learning aids to prepare for GCSEs and A-Levels. However many schools choose to simply connect their Internet facing servers where the 'cloud learning' iultilities are kept, connected to their operational network - something which could have a detrimental impact in 2 ways. Not only could insufficiently secured servers be attacked, but they could also be used to gain access into the internal network.
Mobility and working from home
Working from home (mobility) has been embraced by schools looking to benefit from the financial benefits and efficiencies of having a mobile workforce. However unless sufficiently secured, the online access of key operational systems could mean the exposure of the school's sensitive data.
Security vs flexibility. From a security perspective, it is worrying to find that many schools still operate with open WiFi networks. The concept is that it is too demanding on IT staff to manage each and every device. Unfortunately this leaves the school open to attack from anyone in the nearby vicinity that can pick up the signal. If not enough effort was spent on securing the wireless perimeter, imagine how tempting it would be to test the rest of the schools cyber defences.
Securing the New Normal and enabling ease of support
These trends and technologies that have become the new normal all provide efficiencies and benefits to schools and pupils alike. However these technologies also provide additional attack vectors to those who are keen to exploit the comparatively weak defences schools are known to have. For attackers looking to target company directors, and people of high net worth and influence, the independent schools which may teach their children of their targets could typically have weaker defences than that of the large organisation they run or are a part of. Or perhaps these weaknesses are simply targeted by those looking to hold the school to ransom for any sensitive data they might steal.
Mobility, Cloud and BYOD might be a new normal for schools, but it's been the norm for a number of years for the corporate enterprise. The key is developing suitable mobile, cloud, and digital security policies and practices that enable the adoption of new technologies and efficiencies, but maintains the security levels that the school demands. To get this right, takes a combination of proven expertise and experience which Infosec Partners precisely delivers.
Working with Education Industry clients led to the development of the Infosec Partners Teachers Portal, powered by Fortinet. A portal which enables teachers to directly manage and control the Internet usage and content access of their class. Enabling the teacher to directly allow and revoke the Internet access of students and groups in the classroom, the Teachers Portal also allows teachers to manage access to specific sites or those with certain types of content for the duration of the class. When combined with the relevant technology implementations, the Teachers Portal also also allows teachers to manage lighting, and audio-visual systems within their classroom. Technology that was previously restricted to Executive Boardrooms, is now available to schools meaning that teachers can use theit tablet or smartphone to take control of their classroom.
It's also important to also appreciate that Security in Education is not just about children. As fully functioning organsiations, full spectrum security needs to constantly be monitored and optimised. From Physical security, to Human Capital Management, and Intellectual Property, security in Education is a fundamental concern. Contact us now for strategic advice and technical expertise.
Contact us arrange an appointment
For assistance and advice, please contact us today to speak with a trusted advisor.
By phone: 0845 257 5903 in the UK
or +44 1256 893662 from outside UK
By email firstname.lastname@example.org
Infosec Partners Ltd. Registered in England, company number 05380851