Schools gather, store and analyse surprisingly large amounts of private data, which is a hot commodity for hackers. Dr. Kelly Calhoun Williams, VP Analyst at Gartner, discusses how to strengthen cybersecurity in primary and secondary schools.
There are over 32,000 primary and secondary schools in the UK, which have a wide range of cybersecurity capabilities. Irrespective of the level of preparedness, a robust security and risk strategy remains a high priority for nearly all organisations, not least schools, as evidenced by responses to Gartner’s 2019 CIO Agenda survey. It found that 97 per cent of surveyed primary and secondary school CIOs expected an increase in cybersecurity challenges in the next three years.
With concerns growing, the next generation of school security and risk management (SRM) leaders must address multiple challenges, all in an environment with notoriously limited resources.
Schools are targets for hackers
Like organisations in many other industries, schools are contending with an abundance of security threats – ransomware, DNS data exfiltration, malware and phishing attacks on employees and students, to name just a few. The frequency of these attacks is rising, which makes it harder for schools to deal with them effectively.
What makes schools such appetising targets for hackers? Schools gather, store and analyse surprisingly large amounts of private data, which is a hot commodity for hackers.
The financial and reputational damage that a security incident or data breach can cause any organisation can be huge. Add to the equation the sensitive and personal data of children, and the increased potential value of this data (which has a longer life span), and schools face an even greater risk in terms of liability and loss of trust.
Advances in learning-data collection add to the complexity around this issue. As such, there’s an imperative to increase users’ control and trust, from both the parents’ and the students’ points of view, as ever-increasing amounts of highly personal data are collected.
To address the complex cyber-risks they face, schools should divide their security strategies into four distinct operational areas: cybersecurity; risk management; business continuity; and auditing and privacy.
Tackling the broad scope and ever-evolving nature of cyber threats with a multifaceted approach – introducing new security roles and then drawing on third-party services – is an effective way to address the challenges and reduce risk. However, it’s also vital that SRM leaders develop a risk-based prioritisation mechanism for action items, in which responsibility for risk acceptance is clearly defined, in collaboration with the relevant business process owners.
Introduce privacy management
Privacy management is a big part of the cybersecurity picture, too. The maturing international privacy landscape and the introduction of new regulations, not least the EU’s General Data Protection Regulation (GDPR), add to the necessity for a broad privacy management plan in the education sector. However, UK schools – some of which already have scarce resources – are faced with a challenging task when it comes to implementing a comprehensive security and privacy strategy.
The idea behind a privacy management programme is to establish the trust and resilience that will enable a school to meet its cybersecurity obligations. Whereas conventional classification focuses on data, a privacy management programme focuses on what the GDPR calls the “data subject.” It’s essentially about people.
Given daily news stories about how privacy has been invaded and damaged, and trust eroded, a foundational programme and consistent principles are needed. Core principles are a good way to guide business process engineering, enable desired business outcomes, and support and protect the security strategy implementation.
Create a dynamic SRM strategy
Importantly, next-generation security needs to provide new methods that support today’s digital initiatives, enable innovation and support an organisation’s academic and administrative objectives. To this end, schools that want to enhance their security and risk profile need to embrace a set of strategies that create suitable levels of trust and resilience.
In today’s digital environment, the traditional security objectives of confidentiality, integrity and availability should be expanded to include privacy, safety and reliability. Ultimately, for schools to progress and evolve their digital transformation initiatives, they need to build and implement a dynamic SRM strategy.
Pursue next-generation security as a “team sport”
Next-generation security requires teamwork, which should be a top priority of SRM leaders in schools. They should implement broadly supported and effective security policies and practices by establishing a comprehensive planning and governance group. This group may be composed of a variety of stakeholders – for example, students, faculty, and finance, legal and HR staff. It should devise plans for mitigating risk, building trust, protecting student privacy and using data ethically.
Schools should strive for continuous improvement. In creating a robust security plan, schools need to identify, continuously and objectively, the strengths and gaps in their existing security arrangements. They can do this with the help of a variety of frameworks or third-party providers, such as those from the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO).
Offer cybersecurity training
Investing significantly in cybersecurity training and awareness programmes for students, faculty and other staff means that all stakeholders will be aligned on the security strategy. Schools can achieve this by creating a unit specifically committed to consistently and continuously planning, educating and measuring the impact of security awareness training efforts.
Control personal data
Lastly, schools should adopt security and privacy policies that enable the administration to evaluate the necessity and purpose of any data being collected, and then enable faculty, other staff, students and parents to control what personal data is collected and on what legal grounds it can be processed. To achieve this, they must first evaluate and adjust their current practices for collecting and managing organisational data.
The advent of new, intelligence-based enhancements to learning technologies is creating an exciting age full of new opportunities. A new and improved approach to data management, privacy and cybersecurity will be required to rise to meet the requirements of this new age.