In the world of cybercrime where hackers are generally one step ahead of everybody else, good security practices can literally be the difference between protecting critical computer data and exposing the personal and confidential information of school staff, students, parents, and third-party contractors.
For IT service providers with education clients, the best practices and bad habits list below is worth a review as you strive to educate school personnel about simple ways to make data protection a priority.
No. 1 Habit To Break: Leaving Mobile Devices Unlocked
No. 1 Habit To Make: Lock Your Screen Every Time
The idea of not sharing our smart phones, notebooks or other mobile devices with colleagues is a hard one to get our heads around. We trust all of these people so what could possibly go wrong? Many times we don’t intend to share these devices, but by leaving them unlocked they are available for anyone to access the moment we step away from them. This opens the door for someone with harmful intentions to gain access to school data, plunder school bank accounts, and/or steal confidential information and personal identities. Or, they could foolishly (without permission) post the device owner’s personal pictures, videos, and so forth to a social networking site, thereby creating the possibility of criminal attacks, public embarrassment, and more.
For an added measure of protection, there is the option to install software on a mobile device that takes a photo of any individual who tries unsuccessfully to access it. An example of this may be a student who has seen a teacher unlock a tablet/iPad and wants to try to unlock it. If the unlock attempt is unsuccessful, the software will take a photo of that student using the device’s built-in camera. The image will then be emailed to the device owner, or uploaded/saved.
No. 2 Habit To Break: Leaving Your Workstation Accessible To Exploits
No. 2 Habit To Make: Again, Lock Your Screen
In the classroom, leaving a workstation unlocked is the easiest way for others to access the educator’s applications, files, and network identity. Screens should be kept locked even if they will be left alone for just a few minutes. A smart thief can steal files in those few minutes by storing them on a USB stick, downloading them to his or her computer, or simply emailing them to another computer or cloud-based storage service, such as Dropbox.
The other issue is that many students, mainly at the middle and high school levels, may be much more tech savvy than their teachers or administrators. Cases in which these students are caught hacking into their schools’ computer systems to change grades, schedules or other information are on the rise. That’s why the act of simply securing a workstation makes sense, because once you leave your desk you can never be sure when you will return to it. A meeting can take longer than anticipated or the instructor can end up being sidetracked by a conversation with a colleague. To make securing systems easy, workstation screensavers should be configured to activate after a very short period of inactivity, maybe three to five minutes.
No. 3 Habit To Break: Giving Your Passwords To Colleagues
No. 3 Habit To Make: Don’t Give Those Passwords To Anyone
While many teachers trust their colleagues unreservedly, it is always best to err on the side of safety. In a situation in which school data has been stolen or compromised and all of the evidence points back to the trusting teacher — their workstation, their tablet, their device — they will be held accountable. Or, if a password is given to a colleague who later leaves the organization and then transfers sensitive or confidential files to an external hard drive, the school employee is placed in a situation in which they are responsible for a breach in the school’s IT security policy. The administration’s trust in the employee, as well as the employee’s reputation, will also take a hit. The risk is too great: advise all school staff to just say no to requests for a borrowed password, even from their closest colleagues.
No. 4 Habit To Break: Assuming All Employees Are As Savvy About Security Threats As You Are
No. 4 Habit To Make: Train And Educate
Instead of assuming school staff have wide-ranging and deep knowledge of security issues and cybercrime, consider that most people might be quite unaware of these matters. Work with school IT staff to conduct regular training sessions spanning everything from passwords to spear phishing scams, and send out ongoing educational emails about core facets of IT security. If this is an undertaking you can get a staff volunteer to head up, even better. An ounce of prevention is worth a pound of cure, as the saying goes.
No. 5 Habit To Break: Thinking The School Does Not Need To Worry About A Breach Or Data Loss
No. 5 Habit To Make: Keep All Endpoint Protection Software And Firewalls Up To Date And Initiate Data Loss Detection Techniques Right Away
In general, schools are not at the top of any cybercriminal’s list of targets. Nevertheless, attacks do happen, often because hackers exploit schools’ security barriers knowing many of them to be weaker than those in the corporate world.
To guard against the usual array of problems — ranging from data loss to extensive network downtime, financial theft, and compromised or stolen identities — those with responsibility for IT should ensure all anti-malware/endpoint protection software and firewalls are kept up-to-date. The endpoint protection should also include built-in, CIPA- (Children’s Internet Protection Act) compliant web filtering active on that endpoint. This eliminates the possibility of teachers or students browsing inappropriate sites on a district-owned device being used away from school.
In addition, it is wise to implement an effective Data Loss Protection (DLP) strategy to manage data transfer mechanisms such as removable drives, network sharing, web applications, cloud services, and system clipboards. While the punishments for violations of school/student privacy policies are not as harsh in education as they are under HIPAA standards, school districts as well as individual teachers and administrators still face consequences for such breaches, including legal action.
While many of these best practices sound basic, cybercriminals are always looking to find the easy way into an organization. Data from the Ponemon Institute shows the employee is often the weakest link when it comes to cybercrime. The Institute found employee negligence was responsible for 80 percent of security issues for those responding to a 2012 survey on data protection.
The threat is real and, as an IT service provider, it’s no doubt in your best interest to work throughout the year to build awareness of, and enforce where possible, the security habits of school employees, students, and contractors alike.
Farokh Karani is Director, North American Sales & Channels, for Quick Heal Technologies, a leading global provider of IT security solutions. Quick Heal’s SEQRITE data security product line is specifically targeted at small to midsize enterprises and is sold in North America exclusively through channel partners.