Schools have a huge amount of data that needs to be kept secure, including: personal information (as defined under the Data Protection Act 1998), sensitive information, contractual and financial information, and more. For this reason it is imperative that the security and integrity of the network and data is second to none.
With that said, we also have to realise that the large majority of schools are already within a secure ‘walled garden’. For example, you may still be part of a broadband consortium (or grid) such as embc / emPSN, SWGfL or e2BN, provisioned by your local authority, where a significant amount of security work is done in the background on your behalf, such as the hugely important firewalls and email spam filters.
Here’s a useless fact for you. Many of us dread opening up our email, willing the Inbox to stop filling up. I often speak to headteachers who are having to deal with 100-200 emails a day. When I worked at a local authority, an average of 94% of all email was being prevented from reaching user accounts because it was spam, contained a virus, etc. Horrifying when you think about it, but it just goes to show how important those email filters are.
So here’s a brief introduction to a few things you may like to consider over a period of time.
Whilst you may reside within a walled garden, the router is still the front door to your school and is therefore a potential vulnerability. I know from first-hand experience that routers have been set up in schools (by the broadband provider) with either the default manufacturer’s login details or the same login details across multiple schools. Whilst you wouldn’t be expected to know, for your own peace of mind contact your broadband provider and ask for their assurance that the default login credentials have been removed.
As the router is the front door, your server is your data hub, and Administrator access to the server gives access to every snippet of that data. The only people who should need access to the server (or an Administrator account) are your IT support. Everybody else should only have access to the particular data they need, i.e. the MIS, financial records, etc.
3. Wireless Network
Becoming ever more popular due to the huge increase in mobile devices used in school, wireless networks are a particular vulnerability. However, they can be set up so that they are very secure; for example, only ‘known’ devices can connect. This is sometimes done using the unique identity of the hardware, a little like a fingerprint, known as the MAC address. As with nearly all connected hardware, the most important line of defence (because it’s usually the first line of defence) is the complexity of the password. Ensure your wireless connectivity requires a very strong password and that the wireless access points have had their default credentials removed.
Knowing what devices are (or can be) attached to your network is an important security step. For the most part you’ll already know, such as your printers, PCs and laptops, but what about all of those portable devices? As mobile technology is used more and more, it adds extra layers of vulnerability, not only from a security perspective but also from a data integrity perspective.
- Do you allow staff to use their own personal devices? If so, have these devices been checked for up-to-date antivirus? Have the apps on those devices been checked to ensure there are no data leaks?
- Do you allow USB pendrives or backup drives? Are these virus-scanned when the device is attached to the network?
- Do you have CCTV in school? Can this be accessed remotely outside of school? If so, who by?
Ensure all of your devices (where possible) have appropriate and up-to-date antivirus software that includes email scanning. The antivirus software should be set to schedule frequent updates. I have seen a case where a school had very good antivirus in place, but it hadn’t been set to update (by their IT support company). An email was received within the school with an attachment that turned out to contain a virus. This virus spread so quickly, and generated such a huge amount of data leaving over the school’s broadband connection, that it had a massive knock-on effect on the broadband of a quarter of the schools within the county (affecting just under 100 schools). Luckily, the broadband provider had good resilience in place, so the knock-on effect was short-lived.
Despite massive advances in technology, we are still reliant on the password for much of our data security, yet equally it is still one of the weakest and most frustrating aspects. Many people will have to juggle dozens of passwords for combined personal and professional use, and annual research clearly shows the same weak passwords being used over and over again. Although a frustration, for the moment it is still an absolute necessity. Ensure your school has a password policy in place which should include requirements such as:
- How often passwords need to be changed. The industry standard is normally one to two months, but schools commonly have termly changes in place. Children also need passwords, but clearly these need to be age appropriate.
- Old passwords cannot be re-used (commonly the last eight).
- They must be at least eight characters in length, and a combination of upper- and lower-case characters and punctuation.
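As an added illustration (not part of the original article), here is a small Python checker that encodes the three policy requirements above: maximum age, no reuse of the last eight passwords, and the complexity rules. The 60-day maximum age and the use of salted PBKDF2 hashes for the history are assumptions of this example, not something the article specifies.

```python
import hashlib
import os
import string
from datetime import date, timedelta

# Policy values from the article: at least eight characters, mixed case plus
# punctuation, no reuse of the last eight passwords. The 60-day maximum age
# is an assumed value within the "one to two months" the article mentions.
MIN_LENGTH = 8
HISTORY_DEPTH = 8
MAX_AGE_DAYS = 60


def _hash(password: str, salt: bytes) -> bytes:
    # The history stores salted PBKDF2 hashes, never the passwords themselves.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def complexity_problems(password: str) -> list[str]:
    """Return the complexity rules the password fails (empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation")
    return problems


def reused(password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """True if the password matches any of the last HISTORY_DEPTH stored hashes."""
    recent = history[-HISTORY_DEPTH:]
    return any(_hash(password, salt) == digest for salt, digest in recent)


def record(password: str, history: list[tuple[bytes, bytes]]) -> None:
    """Append the new password's salted hash to the user's history."""
    salt = os.urandom(16)
    history.append((salt, _hash(password, salt)))


def expired(last_changed: date, today: date) -> bool:
    """True once the password is older than the policy's maximum age."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)
```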
This cannot be over-stressed. Encryption should not be a ‘nice to have’; it should be a mandatory requirement. Understandably there’s a lot of confusion about encryption and what it is, but simply speaking it is a method of scrambling information so that it is completely unintelligible and can only be unlocked by the use of a ‘key’. If this sounds complicated, it is, but not to the user! Encryption is incredibly simple (and cheap) to apply to the data in your school: for example, on newer versions of Microsoft Windows you’ve got BitLocker, and on the Apple Mac you’ve got FileVault. These are an integral part of the operating system but are turned off by default. Similarly, if staff take work home with them, encrypted USB pendrives are very cheap these days.
Cloud storage simply refers to data that isn’t stored on your own site or server. For example, you may use a VLE or MIS that is provided by a third party, or you may use one of the more popular online file storage services such as Dropbox or Google Docs. Storage of data in the cloud is a massive subject in its own right, but in the context of this article there are two important points:
- What data is being stored? For example, is it just curriculum work, or is it more sensitive data? Cloud storage providers will have very strict and complex data security processes in place, after all their business relies on the security and integrity of the data.
- Where is the data stored? Is it inside or outside the EU? The European Union has very strict data compliance requirements; other countries outside the EU may not.
If something goes horribly wrong, and believe me, it does happen, your backups are potentially all you’ve got. Does your IT support have a backup process which would include:
- Full backups of all data.
- Regular incremental backups.
- Storage of the backups on- or off-site, somewhere that is fireproof, waterproof and secure.
- Regular checks to ensure the backups are working correctly.
10. Data Protection
Most of the above is about protecting our information regardless of what it is, but don’t forget there are statutory requirements such as the Data Protection Act 1998. For example any loss of personal data has to be reported to the Information Commissioner’s Office, and it is possible that there will be an investigation. Consider the data you’ve got on site; does it need to be protected in some way? Just because it is kept behind locked doors doesn’t mean it’s safe. The weeks before Christmas always see an upsurge in burglaries for your nice, shiny, new iMacs and other attractive devices. Get that data encrypted, and don’t forget the cardinal rule: only keep data for as long as is necessary.
One of the most important facts to remember is that whilst there are always technical vulnerabilities, the weakest link of all is the human factor, particularly when it comes to requirements such as passwords. But, as frustrating as all of these things are, they are a necessity.
For most schools there will be nothing wrong whatsoever, but it’s worth asking the questions of your IT support just for your own assurance.
Does your school cover all of these points? Let us know in the comments.