Cybersecurity is becoming a growing concern as schools digitise
Protecting data and privacy has become everyone’s concern as it's become a part of the world that we live in. In saying that, we don’t pay as much attention to how schools are handling confidential information about their students, teachers, and parents. To help us understand this topic we had a chat with David Eedle, the co-founder and CTO of EdSmart, which is an enterprise administration system for educational institutions. David had previous SaaS experience managing risk and compliance with an online platform for big companies like Walmart and Costco. He translated that experience into digitising the school administration system. His work has shed light on some of the key areas of concern regarding cybersecurity in schools.
1. Information is power
Anyone who’s capturing and managing personal information is responsible for protecting it, as information can hold value and be used in different ways. Schools are no exception to the rule here as they run the full suite of data capture. For most of the staff members it’s generally typical human resource records such as home addresses, home information, payroll information, and banking account details that are held. There’s access to student academic information such as grades, exam results, and the work in progress (where the actual school work itself is done online). Then there’s the personal information about the students and parents, which schools are often maintaining very detailed records on. “Particularly medical information, because that’s important for the school to know. If a child has an asthma plan or has a history of mental health issues, then that’s information the school does need to have and therefore they’re holding it in their systems.” Time is another factor because schools accumulate detailed data over the period in which a student or staff member is at the school, which is often at least a couple of years.
2. Schools are not technology companies
It’s important to note that schools are adhering to numerous educational standards, their systems are shaped around the goal of helping a student develop. In fact, they seem to sit in a middle ground between non-profits and for-profits in terms of how they’re perceived. Needless to say, they’re not technology companies and this is going to be the primary obstacle in tackling cyber threats as there won’t be a spotlight on the information that the school is collecting and how it can be breached. It’s common to find schools using legacy products that have been around for many years, and it’s safe to assume that most of these weren’t built from scratch with privacy and security in mind, and thus will inevitably have vulnerabilities. What also happens over time is various layers of systems will be added over each other, and this can actually increase risk if not done well.
3. Edtech companies need to have security by design
Edtech companies are playing a growing role by integrating technology into schools so it’s essential that they prioritise security. David explains his own context at EdSmart, “we build technology solutions, we manage data, we’re extremely conscious about what we do and we architect everything from scratch to be focussed around the privacy and security considerations.” However, not all edtech companies are thinking along these lines and it’s evident in the way that schools are engaging with them. Some schools may completely disregard questions regarding risk, privacy, and security, and others may provide long questionnaires. The best way forward is to standardise the process so that edtech companies and schools are adhering to a benchmark. In Australia, the recent National Education Risk Assessment (now Safer Tech for Schools) is a pilot initiative to standardise across states and improve the edtech industry's understanding of privacy and security. It also assists schools in using products safely to reduce risk. This cooperative effort between state government and the education industry creates a robust and detailed audit process for an edtech product.
4. Governance and responsibility
So who should be responsible for cybersecurity measures in a school ecosystem? On a larger scale this is a governance issue. Depending on what type of school it is and what system it’s a part of there may be some slight differences but ultimately it starts at the top. “If that governance function doesn’t have the right attitude, doesn’t understand these issues, and has not put policies in place, then it’s very difficult for somebody down the management tree to get traction in a whole school sense.” As for the school itself, there has to be a whole school approach where privacy and security are not delegated to one group that could be siloed. “It’s not actually the IT department, this is an everyone issue. A big school has got hundreds of staff, it has cleaners, gardeners, facility management, administrators, and sports people – it’s a big organisation. A school has to make sure that every single one of those people understand the risks and that they’re disciplined in their use around online systems.” It’s a big undertaking but taking actions such as implementing risk assessments, incident response plans, and actually simulating exercises can help you navigate a whole school approach.
“This is not a new problem, it just changes, it evolves, and because of the greater volume of data that organisations are maintaining, the risk is around the scale of it.”
As schools digitise further and as work and study from home measures continue to be in place, the vectors for attacks will have to be carefully analysed. It may not be that there are new risks but perhaps more risks, as the attempts to attack or not going to reduce for the foreseeable future. It’s a complex threat landscape, we’re talking about anything from an individual hacking from their home to a full-blown criminal organisation working offshore out of a large building. The tools they all use may evolve but the problems at the core of it are not new. Ultimately, schools exist in service to the students attending and their families. So much effort is put into policies and standards for the quality of education that they receive, so security and data privacy should be added to this service.