How secure are your school's IT systems?

Kat Howard, Senior Educational Consultant and Online Safety Lead at RM Education, explains how to keep systems secure and students safeguarded

Posted by Alice Savage | May 11, 2017 | Technology

• #esafety
• #kat-howard
• #kat-howard
• #rm-education
• #online-safeguarding

There can be little doubt that we’re moving towards a cloud-based society; from our banking to our holiday photos, hosting, storing or sharing every aspect of our lives in the cloud is now commonplace. 

From an education perspective, the growing diversity of new technologies is creating a new generation of engaged and inspired pupils who are learning in ways they’re comfortable with. This trend is driven by the increasing affordability and durability of devices, as well as powerful cloud computing tools like G Suite for Education and Office 365.

Schools have a wealth of opportunities for learning to be extended beyond the school gates, as pupils can now take devices home and continue their learning, working online in collaborative environments

Schools have a wealth of opportunities for learning to be extended beyond the school gates, as pupils can now take devices home and continue their learning, working online in collaborative environments. But every new technology inevitably brings risks around safeguarding and security, and schools must stay ahead of the curve to ensure their pupils – and their data – is safe and secure.

The data schools hold on their operations and their pupils is an important aspect that OFSTED look at, and is critical to demonstrating the standards of teaching and learning taking place. Part of managing that data is about clearly documenting where that data sits, how it can be accessed and who accesses it – ultimately minimising or mitigating any risk of that data being exposed or compromised.

The types of risks we see schools face can vary dramatically; we’ve come across cases of financial fraud, where a school’s email accounts were manipulated to direct them to pay invoices into the wrong account; ransomware, where schools have lost access to data on their servers following a malware attack; and general hacking, involving deliberate or automated attacks from the internet as a result of poor network configuration.

We’ve also seen instances where pupils have been able to access sensitive data as a result of incorrect school server permissions, or staff themselves have lost sensitive data as a result of poor staff practices, like losing printed contact lists, using memory sticks and accidentally leaving them on public transport, or not encrypting their laptops.

So, when we visit schools to explore the strength of their systems, we look at three key factors; how do we protect devices, how do we protect identities, and how do we protect data? These questions form the basis for a comprehensive IT security policy, which should clearly outline protocols to block, detect, contain and mitigate any associated risks.

From a legal perspective, there are a number of obligations schools face in terms of data security and online safety. They need to consider where and how they’re accessing data and who can access it, whether it’s on the web or on their servers. 

Permissions and levels of data access, as well as the password security around it, are also critical; we recommend using a strong combination of multiple alpha numeric characters, including capital letters, and changing passwords frequently. We’d also advise schools to consider MFA multi-factor authentication on school systems; MFA reduces the risk of a cyber-attack by adding an extra step to the log-in process when accessing school systems.

Schools should also have a protocol in place for sharing any confidential data that relates to pupils; generally this is done via Common Transfer Files (CTF) and the school-to-school website, but occasionally we see schools sending confidential pupil data via email, which could put schools in a vulnerable position. Their data protection policy should cover this, and should link into all their other policy documentation.

Escalation routes for managing a suspected data breach, or a loss of data should be identified and shared, and policies should be in place to cover things like what happens when a member of staff leaves, and how their access permissions are effectively removed.

Internet service providers and IT support partners will also need to make the security of their systems much more rigorous; we advise all schools to check their suppliers are fully compliant with current security regulations and aware of all the latest threats.

And, whilst the cloud brings tremendous benefits in terms of enabling staff to share information and resources more easily, the security of data when staff are working at home should also be considered. To mitigate this risk, schools should set up ‘acceptable use’ policies for staff in terms of what’s appropriate to access from home and what isn’t.

The safety of pupils is a crucial element of managing technological risks

The safety of pupils is a crucial element of managing technological risks; schools have an obligation to block access to content that could be considered extremist or pornographic, as well as making sure they have an effective, school-wide online safety policy that’s regularly updated to cover new technologies.

The government’s Prevent Duty outlines the importance of tracking what websites pupils are on and how they’re accessing different types of content, so filtering and monitoring tools are also crucial to ensuring pupil safety – as well as enabling schools to identify individual pupils who may be breaching their data protection and security policies.

For schools who are currently exploring the safety and security of their systems, there are various resources and guidelines online that can provide a great starting point, but ultimately we’d recommend that schools conduct a full audit of all their technologies and work in partnership with a trusted IT partner to ensure the safety and security of their systems.