My first experience with cybersecurity in education took place on a warm day in May over 20 years ago. I was a middle school student and had been offered a challenge by my teacher that I couldn’t pass up. “Do you think that you can hack into our school network?” My teacher knew that I had an interest in technology especially in the area of security. After ten minutes of poking around the network and identifying an open admin account, I was in. The school district office was called, a brief interview took place in which I shared what I had found, and the next day I was offered a job as a student worker. The rest is history. So, what have I learned about security through my roles as a Network Administrator, Manager of Technology, Assistant Director and Chief Strategy and Innovation Officer?
The basics never stop being important
There is a lot to think about in terms of security in education, however, if your organization isn’t doing the basic things right, a lot can go wrong. When it comes to the basics:
• Make sure that you have an inventory of your network equipment. You can’t update and monitor devices that you’ve lost track of.
• Create a realistic update cycle. Perhaps you can’t commit to weekly updates, but at least once a month, make sure everything is up to date. It’s not just servers! Don’t forget about load balancers, routers, switches, and other firmware-based devices.
• Join the mailing lists that keep you aware of critical patches for your software and equipment. Have an additional update procedure for timely items.
• Put the time in to change shared passwords when people leave. Remove permissions that are no longer needed and make sure that accounts are appropriately disabled upon employee exits.
• Backups. Have them. Make sure that they work.
"If students are brought into the conversation then they become allies in a mutual effort towards cyber safety and security"
Security through obscurity doesn’t work
With limited resources, there will always be a temptation to take the quickest path. I once worked with a school district who had rolled out a large number of student accounts and decided to preset their passwords. Instead of randomizing these passwords, they used what was thought to be a complex algorithm. Student ID numbers were multiplied, divided and otherwise shifted into a new form which became the password. It did not take students long to reverse engineer this process which quickly forced the reset of all passwords utilizing a random character based process. Shortcuts utilizing this type of secrecy to generate a facade of security tend to have a short life in the face of day-to-day practices.
Your students can be your greatest ally
Technology is for students, so why do we so often treat students as the enemy when it comes to cybersecurity? What we’ve found time and time again is that if we ask our students what we need to know about security on our network, they’ll tell us. Students have shared with us how they and their peers bypass our security. They’ve shared the best proxy sites that may be used to bypass the web filter. They will even walk us through bugs that they find in educational software which we forward directly to our partner’s engineering department. If students are systematically treated suspiciously for their curiosity then it becomes an arms race for which we don’t have the time or budget. If students are brought into the conversation then they become allies in a mutual effort towards cyber safety and security.
You can utilize a red team/blue team mentality even with limited staffing
In the ideal world, red and blue teams can make for a powerful innovation mechanism when it comes to securing your network. Picture a red team crafting custom packets meant to probe your student information system for weaknesses while your blue team is on the lookout with a packet sniffer and both teams ready to collaborate over new processes and policies. Awesome right? In reality, educational institutions rarely have that level of staffing. Even so, committing time for network admin and other staff to “think like a hacker” while having a security mindset can have a profound impact on the security of your network. Giving permission to spend time outside of the day-to-day responsibilities to reflect and learn is essential.
Secure your network, but trust your users
Of all of the dangers that I’ve found within the realm of security in education, the one that haunts me the most is an ever-present temptation to put into place policies that negatively impact our users and the education of our students. When we go into “security” mode, we have a tendency to restrict apps, block websites, and tighten the firewalls in the name of safety. Suddenly, teachers and students have trouble accessing the resources that they need for expansive and self-directed learning. When this goes on for a while, a black market is created. Teachers even start to look at ways to bypass these restrictions. Is there a better way?
When our teachers look to use a new app, we ask them to ask just two questions:
1. Is it legal?
2. Is it good for kids?
If the answer to both is “yes”, they are allowed to use the app. We’ve found that by creating a policy of trust with our users and carrying on active collaboration regarding their needs, we keep our system more secure and allow for them to access the resources that they need. Perhaps counterintuitively, more access has created fewer security issues than the workarounds that were born in a locked-down environment. It’s not a perfect system, but I would fight for trusting our users over excessive technology-based restrictions any day.
Simply put, master the basics and build trust
Security in educational institutions can be challenging. There is a tightrope to walk between freedom of access and the protection of incredibly valuable resources. Even so, applying the basics well and building strong and trusting relationships with your students, staff, and stakeholders can make all the difference.