The data security challenge — and what to do about it.
GUEST COLUMN | by Steven Grant
The shift to electronic records, without a doubt, has allowed schools to operate more efficiently. Digital records keep student information accessible and in one place. They allow for better communication and flow of information between teachers, students, parents and administrators.
However, digital records complicate data security. Modern hackers have the tools to get around most schools’ security software because the technology it is based on was developed in 1985 and has been hacked ever since – over and over again. Even sophisticated and tech-savvy institutions, in many cases, are more vulnerable than they know.
The importance of protecting the privacy of students and faculty has been a hot topic this year.
In some cases, lack of knowledge is the problem. Data security is a complex issue, and the technology is rapidly changing. It’s difficult to sort through what’s available to find the best options. In other cases, budget constraints, lack of policy, or a shortage of IT staff lead to holes in security.
The Impact of Data Breaches on Schools
If a data breach does occur, the impact can be devastating. Sensitive student information – from social security numbers to grades to medical records – is compromised. Trust and reputation are eroded. The audits and damage control that follow can be wildly expensive.
Most of the high-profile incidents have been in higher education. According to the Chronicle of Higher Education, a University of Maryland cyber attack reported in February compromised more than 300,000 student and personnel records, and cost the school millions. Within the same few weeks, major data breaches were reported at Indiana University and North Dakota University. The average cost of an education data breach, also according to the Chronicle, is a whopping $111 for each record compromised.
K-12 schools can be targets, too. A November breach exposed some 15,000 records of Long Island elementary, middle and high school students. A March incident at a pair of Catholic schools in Seattle put social security numbers of employees and school volunteers at risk, and led to fraud. The schools had to temporarily close to address the issue.
Four Tips for Better Protecting Your School’s Data
The importance of protecting the privacy of students and faculty has been a hot topic this year. The U.S. Department of Education issued guidelines in February that address security and privacy concerns relating to software, mobile apps, web-based tools and more. Congress is debating the issue now, and many states have introduced education privacy bills.
There’s truly not a simple answer, but security experts – from government employees to private technology companies – seem to agree on some shared best practices. Some are more procedural in nature, while others focus on the technology you should choose:
Set clear policies and procedures: Many data breaches are strictly the work of hackers, but sometimes a breach is caused by something as simple as an employee mistake or the lack of a defined policy for how data should be handled. If your school or district doesn’t have a comprehensive policy in place for how to handle data and protect privacy, it’s time to put one together. Can teachers work on confidential data at home? Are hard drives erased when computers are recycled? Does the faculty understand when confidential data can and cannot be used? The practices should be in writing and part of training.
Switch to two-factor authentication: Many schools are still relying on an outdated method of one-factor authentication to allow students and faculty to log on to secure networks, apps, email and more. In simplest terms, that’s just using traditional user names and passwords. However, experts have long said something known as two-factor authentication is a much safer alternative. And the recent news of a major Russian hack has energized that talk. Two-factor adds an additional layer of security by combining something the user has, say a key-like token or mobile app, with something they know, like a password. Look for security software that relies on two-factor – these products are increasingly hitting the market.
Encrypt and fragment data: Whether it’s a document storage system or security software, look for products that encrypt your data. The Department of Education also recommends only sending sensitive data over email via an encryption program. New technologies have also emerged that fragment your stored data, dispersing it in the cloud across multiple locations to prevent hackers from getting all the puzzle pieces they would need to commit identity theft.
Be cautious when outsourcing data storage: Not all schools have the IT expertise to store and manage their data, so many turn to third-party vendors. That’s inherently OK, but it’s crucial to know what these companies are doing with the data. The Family Educational Rights and Privacy Act (FERPA) bans selling the data, but there’s some murkiness about whether that’s being enforced. Always ask for a written contract that spells out data use procedures.
Steven Grant is vice president of operations at EduLok, which has created a security package for the education industry unlike anything on the market. The technology is based on a new method of multi-factor authentication that encrypts, fragments and disperses sensitive data in the cloud across 12 locations. Even if a server is hacked, the technology prevents hackers from getting all the puzzle pieces they need. EduLok’s technology does not require IT expertise, so it’s convenient and simple for schools use.