John Michael

BYOD: Stronger encryption needed

John Michael discusses the security implications of BYOD as teachers take work home and carry confidential data on their devices

Posted by Stephanie Broad | February 02, 2016 | Technology

Bring your own device is a growing trend in educational institutions and according to an Ofsted survey carried out during school inspections, 30 per cent of secondary schools now operate a BYOD policy. Although this brings many clear benefits, as it provides flexibility and cost savings, it also has a darker side. If not fully understood and regulated, it can threaten a school’s security and put sensitive information at risk. As a data controller, it is a school's responsibility to make sure any personal data taken home by staff, or accessed on site using a personal device, is kept safe and secure. 

Teachers hold a host of confidential data, from personal contact details, photographs of students to SEN information and medical records. While it is acceptable and common place for data to be transported to and from a school site on a member of staff’s personal device, it would breach the Data Protection Act 1998 if adequate steps were not in place to ensure the security of the data.

Ofsted’s most recent inspection documents appear to lack any reference to the inspection of how data used by schools is encrypted. However, the ICO, which is responsible for enforcement of the Data Protection Act, has a code of practice for data sharing which says that having inappropriate security measures in place could lead to the "loss or unauthorised disclosure of personal details". This might occur if data is stored on an unencrypted device which is then lost or stolen, resulting in unauthorised or unlawful processing of the data. 

It is necessary to view the overall process of implementing BYOD in the same way as the application of any other new technology into education. The first and best defence in securing personal devices is to approach it with the same requirements you apply to devices that are already in the school network. This should include:

• Having clear policies in place - Make sure you have a clearly defined policy for BYOD that outlines the guidelines and states up front what the expectations are. This should lay out minimum security requirements as well as including what is not acceptable and why.
• Enforcing strong passcodes on all devices - Such policies should include controlling access to the data or device using a password or PIN, and encrypting the data. You should remember that the loss or theft of the device is not the only means by which unauthorised or unlawful access may occur. For example, a device may be shared amongst family members in a way that is inappropriate if personal data is stored on it.
• Monitoring devices in use – All members of staff should log which personal devices they will be using for work purposes and identify the type of storage media on the device. Some devices may use an easily removable memory card, such as a micro or mini SD card, meaning that a loss or theft of data may go unnoticed for some time. Monitoring what is in use will ensure all devices can be accounted for.

Certainly the perceived data security risks can act as a barrier to deploying BYOD and yet the potential of this trend for schools is enormous. So long as the right processes are in place, BYOD can lead to countless benefits including improved uptake in the use of new technology, overall morale increase, increased job efficiency and increased flexibility.

iStorage provides its range of hardware encrypted USB flash drives and hard drives to educational institutions which have been specifically developed to provide peace of mind over the security of data. The devices are protected from unauthorised access even if the drives are lost or stolen, making them ideal for transporting confidential and sensitive data.

John Michael is CEO of iStorage.