The Security Considerations in Education Technology Strategies
Data breaches & leaks
A breach occurs when you lose control over data that is supposed to be kept secure, either by accident (sending an email to the wrong recipient) or, which is more worrying, through intrusion and theft. This is more common than you might think, particularly from internal threats (pupils and disaffected staff), and from staff losing control of online accounts, generally through being ‘phished’ via a convincing email prompting them to log in to what purports to be their Microsoft/Google account.
The breach risk extends far beyond traditional stores of school data like a Management Information System. For example, many teachers will have used an app that helps organise seating charts and presents information about learning needs. The app needs to know contextual data (name, form, age, gender) to function at even a basic level.
Schools also routinely create personal data about pupils using a range of software – notes on attitude, behaviour, learning needs, pastoral incidents, assessment grades, etc. These proliferate through multiple MIS add-ons for assessment, behaviour, safeguarding and reports, and are accessible over the Internet on any device. Are you certain about how these data are secured, retained and deleted?
Chartered College of Teaching online course,
Leadership of Education Technology in Schools
Technical actions
Schools are under constant bombardment (via email) from attempts to extort money in order to decrypt data that the attackers have locked. The software that does the encryption is referred to collectively as ‘malware’. Encryption is devastating because pupils’ work, your SEF and the MIS are critical to the operation of the school. The key thing to remember is that no technical tool can totally prevent these attacks, and that schools must therefore develop layered protection in depth from malware:
- Network managers should take technical action to stop malicious software entering and propagating through school systems – one of the most effective and least popular is to ban USB drives! This is known as hardening and will differ based on email provider and other facets of your IT landscape;
- Ensure that anti-virus systems detect known threats and prevent infections spreading, on every device, using the latest definitions with zero exceptions. Many is the infection begun on a head’s laptop because “Antivirus makes it run slowly”;
- Ensure that data are safeguarded through reliable, secure back-up regimes. People who pay ransoms do so because they have no backup and thus no option;
- If using laptops and other mobile devices, encrypt their hard drives;
- Move key systems and data from on-premises systems to the cloud, to limit the impact of infections. Cloud systems such as Office365 and G-Suite allow schools to hold all user documents in the cloud and access them securely from anywhere. The other critical system to consider off-siting is your Management Information System. This isn’t a guarantee of avoiding encryption, but it’s an order of magnitude better. It also obviates the perennial, weed-killer-resistant threat that is staff taking data out of secure systems using USB drives to ease their access to them.
Management actions
There are several management actions which school leaders should consider, or check are in place:
- Include Information Security on the SLT risk register and document your actions to mitigate this risk. This will ensure that it continues to be monitored as new threats/mitigations emerge.
- A named member of SLT should manage this risk, reporting to Governors, and operational control should sit with the Network Manager.
- Move away from risky practices (have we mentioned USB drives?) to safer ways of sharing access to sensitive data (e.g. links to hosted files rather than attachments);
- Stop implementing new systems or working with new external partners without a robust DPIA process;
- Use line management processes to hold technical staff to account on critical activities. Some key questions include:
  - ‘Are all our servers patched with the latest security update for their operating system?’
  - ‘How do you know that every PC and laptop is automatically installing Windows and Anti-Virus updates?’
  - ‘Can you demonstrate that backups are working and are secured from themselves being encrypted?’
- Implement annual security training for all members of staff, covering better security practices (passwords, shared accounts) and how to spot phoney emails, and creating a culture of accountability in all. Even if an email with malware evades all technological defences, it will fail because a properly trained user will not action it. The best and last line of defence is a user who feels responsible for their own IT security. This will also prevent them becoming a victim at home, and the additional stress and wasted time that would bring.
GDPR guidance
The approach your school decides to take with education technology will affect the kinds of considerations you’ll need to make about GDPR. This toolkit from the Department for Education is a useful starting point no matter what your approach.
Safe home learning
Current events with COVID-19 around the globe have seen many more schools and pupils learning from home. This resource from SWGfL can support adapting safeguarding and e-safety to home learning situations:
Safe remote learning