Over the last weeks, students, professors and caregivers alike have adjusted to the modern-day classroom – many of which consist of a full or hybrid online learning model. This virtual shift brought on by COVID-19 comes with many unique challenges, and one of the most concerning is ensuring optimal online learning security across new and emerging technologies.
Educational institutions across the country have rolled out new technologies to accommodate virtual learning options, ranging from video conferencing tools to educational mobile applications. But, more often than not, deploying these solutions is based first and foremost on convenience and accessibility, with online learning security falling by the wayside.
Making matters worse, today’s sophisticated cybercriminals are well aware of the opportunity presented by online learning, targeting their attacks accordingly. In fact, recently, the Humble Independent School District in Texas suffered a cyber attack during the first day of online learning, disrupting the district’s servers and causing students and teachers to resort to offline measures. Given today’s complex, evolving threat landscape, this may not be the only instance we hear of malicious actors taking advantage of vulnerable online learning systems and software.
With current and future educational systems in flux, with long-term repercussions expected, students, educators, and IT teams should follow these steps to bolster online learning security.
Implement simple steps first
Before diving into the curriculum, ensure that online learning security basics are covered on various devices, including all software and applications. To begin, consider using a Virtual Private Network (VPN), which can enhance the security of a device being used for online learning. The main benefit of using a VPN is that it can turn any system into an anonymous machine that’s harder to track online while encrypting the data that flows in and out. As a result, users can rest assured data is secured as they share it back and forth between students, educators and additional staff – regardless of where they’re stationed.
A recent survey revealed that as a result of COVID-19, 44 percent of consumers have been forced to use new video conferencing tools (e.g. Zoom, Microsoft Teams) and 19 percent have been using new online learning (e.g. Google Classroom) apps. Before downloading such software, take a moment to read through the end-user license agreement (EULA). How will the software vendor be collecting, using, and storing data inputted into the application? Is it made clear? If not, then there’s a strong case to push back on the school district, explaining why it’d be unsafe for all to use such software.
Additionally, it’s important to stay current with all software updates. It can be easy to skip software updates because they can take a few minutes of time, but ignoring them creates an open door for cybercriminals to access information due to existing security gaps. However, don’t be fooled into updating software applications from counterfeit websites. When in doubt, open up the applications themselves and follow the instructions directly within.
Increase vendor vigilance
With students and educators using more electronic communication tools this school year than ever before, cybercriminals have an expanded attack surface on which to capitalize. For this reason, it’s critical for school districts and their corresponding IT teams to conduct proper due diligence when it comes to vetting the new software vendors they’re working with and new platforms they are adopting this year.
Key components to take into consideration and questions to ask include:
● Audit vendor certifications: Is the vendor certified with industry-standards like ISO-27001, SOC 2 or SOC 3? These third-party certifications are highly regarded in the technology industry, and a quick online search for the vendor’s certification history should yield the results needed for an initial inspection.
● Evaluate application security testing: An important question to ask is, does the vendor perform regular application security testing (AST) like penetration testing or static code analysis (SAST) as part of their product’s release criteria? Will they share that report and the findings with the school district’s IT team, to then disseminate onto educators and caretakers, so everyone is aware of any potential security gaps in real-time?
● Consider the security incident policies: Lastly, it’s important to plan for the worst – a security incident. In today’s digitally-connected world, it’s only a matter of time until every organization falls victim to an attack. So, if something does happen, what are the steps that will be taken? What is the vendor’s security incident policy? When and how will schools be notified if a breach happens? What is their mitigation strategy? These, and many others, are all questions that need to be answered before an incident actually occurs.
Overall, the security of a platform should be just as important as its cost, ease of use, and availability when selecting what to use and share amongst educators and students.
Demand policies & regular trainings
If a school district has not communicated cybersecurity best practices to students, caregivers, and staff, it’s time to be proactive about it. Demand an easy-to-access policy of recommended online learning security measures — then physically print it out and virtually bookmark it, regularly referring to the document throughout the semester. For newly-deployed software and technologies, develop separate best practices lists that not only explain how to get started using the platforms, but also how to do so in a secure manner.
Additionally, school districts should ensure regular cybersecurity training across all functions, from the principal to the part-time tutor, which should cover how to communicate safely, top indicators of malicious spam messages, and more. Training isn’t a ‘one and done’ activity; it should be done regularly throughout the semester, especially given how unique the current situation is to students and educators. Penetration testing should also be carried out both on new and old software alike to identify potential security gaps and remediate the issues before attackers have a chance to cause havoc.
This school year is a unique, challenging situation, but with a few proactive measures, increased vigilance, and proper protocols demanded from the top, a more secure online learning environment is something we can all strive to achieve.