While the numbers are constantly changing based on fluid circumstances and data, it’s safe to say that millions of students across the U.S. are engaging in virtual learning. This has largely been the way of life since COVID-19 caused school shutdowns nationwide in March 2019, and the path forward toward in-person school as we knew it is still unclear.
As most institutions and school districts are well aware, remote learning brings with it a host of cyber security threats and considerations. These concerns have brought the idea of encrypted data to the forefront of the discussion, because student data is now being stored in, and accessed from, a variety of locations.
While a lot has been written about students being impacted by remote education, K-12 and higher-ed administrators and educators are impacted, too. For instance, every time a teacher transfers a file from a piece of personal technology to a school device, and then back again, there’s risk. And, with teachers and administrators working from their own homes as well as from schools and district offices, the mobility of data is nearly constant.
Security weaknesses abound
To best see the value of encryption, we need to first explore the cyber weaknesses that can be exploited as a result of remote learning.
Education has always been a popular target for data theft, but now that 93 percent of the country’s school-age children are learning remotely, there are as many potential security holes as there are student households. Not surprisingly, education has become an even more frequent target for all types of attack. For example, ransomware infections, delivered through effective phishing campaigns, are growing rapidly; in one case, a public school in Connecticut had to postpone the start of school while it managed a successful attack.
First and foremost, distraction is everywhere–parents are working at home and can’t effectively maintain their children’s focus the way an in-person teacher can. To compound matters, students learning at home have access to a host of additional online temptations that take their attention from their school work, and attackers are relying, to a degree, on taking advantage of the fact that we are not paying attention as closely as we would like to be.
Additionally, students are learning at their own homes, outside of the school network, which has expanded exponentially the attack surface that school IT and security teams have to manage. Most parents are not as security-savvy as is needed to take basic precautionary measures to protect their home network and private information, such as changing the settings on their router. And, in a surprise to no one, social media screen time has increased dramatically since the spring, leaving kids vulnerable to unsavory predators on the other end of their Instagram or Snapchat accounts.
The value of encryption
Given the level of distractions and complexities at home, at schools, and at the district level, the need for district hygiene and solid backups has never been stronger. Furthermore, considering the way in which educational institutions are being targeted, the need for encryption in securing student data is non-negotiable. Policies like the Family Educational Rights & Privacy Act (FERPA), Children’s Online Privacy Protection Rule (COPPA) and the Children’s Internet Protection Act (CIPA) dictate how student data must be carefully protected.
That leaves us scratching our heads asking, “How?” Encrypting valuable or sensitive data will enable organizations to manage increased data security risks. So, to start, your institution should review its policies around data security. Do you require encryption of all data held on removable media? Do you encrypt all information as standard on all removable media?
What about your guidelines around transferring files between home devices and district ones? In such a scenario, using a self-encrypting flash drive that also meets FIPS 140-2 requirements is typically the best option to avoid violations. Or, if you have large stockpiles of sensitive data, the best course of action is oftentimes to take it offline and archive it to hardware-encrypted drives. Remember, too, that encryption should be expanded to all devices possible–including USB sticks, laptops, desktops, mobiles, and portable hard drives.
There’s no better time than now to take encryption efforts seriously. Put relevant policies in place to include the mandated use of a FIPS-certified, software-free, hardware-encrypted mobile storage device, incorporating practices such as user PIN pad authentication and device whitelisting to lock down USB ports to accept only corporate-approved devices. Furthermore, employees must be educated on an ongoing basis. They should know how to use available solutions to avoid a breach, and what can happen if protocols aren’t followed.
Considering that employees unintentionally putting data at risk is the leading cause of data breaches, training and encryption can go a long way in reducing the likelihood of such events. And because all forms of attacks are on the upswing in the education space, it’s imperative that institutions use these strong security measures to protect themselves and their data. None of us can predict or control what 2021 will bring in terms of cyber threats, but we can certainly live by this motto: If you can’t afford to lose data, take it offline and encrypt it.