Why education providers must focus on cybersecurity

The global shift towards online learning, accelerated by the Covid-19 pandemic, is having a big impact on educational organisations worldwide. Whether educational organisations have fully shifted to online learning or are taking a blended learning approach, what’s clear is that eLearning is here to stay.

The fast, massive adoption of educational technology means that education providers have become exposed to a larger number of cyber security risks. In fact, in a recent study conducted amongst educational providers in Australia, agency Vector Consulting found that over 75% of the respondents thought that the cybersecurity in their institution needed improvement, since a security breach can carry not only financial and regulatory damage, but also reputational damage to the brand, resulting in loss of trust from staff, learners and potential students.

Data hygiene and management

When asked to prioritise the importance of diverse datasets, 80% of respondents to Vector Consulting’s survey identified student data as the most important to be protected, both because of its sensitive nature and because it is usually the biggest dataset that institutions guard. With so many students and staff learning from remote environments, poor data hygiene is another of the top risks for educational institutions, as remote learners and staff send each other unencrypted documents containing personal information via unencrypted emails or messaging applications.

While it is a given that education providers follow data protection legislation, like the European Union’s GDPR or California’s CCPA, it is also essential for institutions to have complete control over their data. This includes being able to decide how and where they store their data, whether by using their own resources for hosting and support or by hiring external service providers. Such flexibility can most certainly be achieved through open source platforms where, unlike most proprietary software, the choice of product is separate from the choice of hosting provider.

Finally, it is important that ICT teams in charge of data security also enforce best practices by keeping data collection, retention and access to the minimum possible. For example, in Moodle LMS and Moodle Workplace, administrators can define different user roles and assign permissions or ‘capabilities’ to them in bulk, ensuring that only users who have ‘trusted’ roles (e.g. teacher, manager, administrator) have access to certain data, while other users like ‘students’ do not.

Key cyber security threats for educational institutions

In addition to data privacy concerns, with learners and staff using personal devices to log in remotely, user compromise and ransomware are two other common cyber security issues that rank amongst the biggest threats for higher education providers. The way in which ICT teams at educational institutions deal with these issues, such as phishing attacks or threats to release private data accessed by hackers, should include enabling multi-factor authentication in their LMS, encrypting data or performing regular backups. For more details, you can read these Security Tips from Moodle’s Application Security Engineer Mick Hawkins, who shared best practices for Moodle administrators to ensure that their Moodle installations are as safe as they can be.

Embedding security in the institution’s culture 

Developing a security mindset organisation-wide is, undoubtedly, key to mitigating cyber security risks in educational institutions. This goes beyond being technically prepared to respond to potential attacks and providing compliance training and certification for those in roles that have a direct responsibility in data protection: a culture of cyber security needs to train both technical and non-technical staff, even learners, in best practices to protect their data. Some of the initiatives that educational institutions can implement to work on this organisation-wide security mindset are internal phishing awareness campaigns, training to avoid risky cyber behaviours and basic data protection training. If all of these are delivered through the institution’s own learning management system, this also helps users put the training in context and understand the privacy tools that their own platform offers.

 
