As educational facilities return to the new normal, it is important to update cyber and physical security defences to protect learners in a new environment
As educational institutions return to normal it is important to highlight some of the biggest security risks that the sector is facing. One of the biggest being cybersecurity, as a lot of work will continue to be communicated and completed online.
A major priority for educational institutions is defending networks from intrusion and protecting the personal information of students, alumni and employees. Why do school administrators and educators need to know this? Because schools of all kinds – from primary through secondary and higher education — now have databases full of personal information about faculty, staff, and students. To cyber criminals, who are not fussy about whose data they steal, these repositories of personal data make an appealing target.
An additional priority is meeting the auditing and reporting mandates for a potential patchwork of federal and state privacy laws. The key for educational institutions to meet all of these information security demands is to proactively implement security controls and best practices, rather than taking a reactive approach and responding to short-term requirements.
With such a broad range of large, small, public and private institutions, there is no one solution that is right for everyone. There are certainly a range of information security products and services to help meet regulatory requirements and reduce the risk of a data breach. Educational institutions without a dedicated security operations center can rely on managed security monitoring & compliance services to provide the expertise to meet regulatory requirements and implement industry best practices.
Here are our 5 security considerations that are key:
- Layered defences
Do not expect one security product alone to protect you against every possible threat to your systems and data. Of course you want to make sure you have an anti-malware suite on all parts of your network (don’t forget smartphones, Android tablets, Linux servers, and Mac computers along with your Windows machines). But you should also have a firewall at the gateway to your school’s network and on all your individual machines –those you own, those owned by grants, and those owned by your students, faculty, and staff. Any important data, such as grades, finances, or personal information, should be encrypted both in storage (both on servers and workstations) and any time data leaves your machines, like via email or on devices like smartphones or USB sticks.
- Implement the principle of least privilege
The principle of least privilege simply means that no person, machine, or system should have access to things they don’t strictly need. For instance: student financial data should be in a different part of the network, and completely cut off from people who don’t need to access it. And very few people, if any, should have administrator-level access rights on their own machines (some people are shocked at this suggestion, but that’s one way we manage our machines here at ESET – and if they must have admin rights, they shouldn’t be using that account except when they need to do admin tasks). Any time you can restrict access without disrupting people’s ability to do their jobs, you should.
- Update, update, update
Applying updates and patches for all software is one of the most important things you can do to minimise the vulnerabilities criminals can use to silently get into your machines. When managing complex systems there may be a case for testing updates before rolling them out, but keep delays due to this process to a minimum. The bad guys are constantly probing for unpatched vulnerabilities. And don’t forget that it’s not just your operating systems and applications you need to keep patched; there are the helper apps that your browsers run, from Java to Flash to Acrobat and beyond.
Indeed, the risks of not patching as quickly as possible probably far outweigh the benefits of testing. If an immediate system-wide rollout is not practical, at the very least initiate a rollout of patches immediately on a small set of representative machines, then expand to greater subsets as soon as practical until all machines under your control are patched. [Getting the machines you do not control patched is a wholly different problem; consider blocking logons to your networks (with appropriate notices beforehand and when actual blockage occurs) to any machines that have not been patched, at least for critical vulnerabilities.
- Passwords are not enough
If you’re protecting lots of personally identifiable data, a password alone may not be enough. Consider implementing two-factor authentication or 2FA. This can be a biometric, like a fingerprint, or a one-time pass code that is provided to users via a small digital key card or fob. A more recent development is the use of smartphones to deliver one-time pass codes to users and these systems can be relatively inexpensive yet highly secure. Students who use social networks like Facebook and Twitter should already be familiar with the notion of 2FA, as those services use it to prevent unauthorised access.
- Make a clean break
When employees leave and students move on, be sure to adjust their credentials accordingly. In many cases this will mean terminating their access to school systems. The use of “lingering” credentials that should have been revoked is one of the most common forms of “insider” abuse of systems. In addition, a review of authorised user accounts should be done at least once a year to weed out access that is no longer appropriate.
Surveillance and security
The safety of students and staff is vital for every school. The distinctive quality and flexibility of network cameras effectively reduce the threat of harassment and violence. Suitable for monitoring school playgrounds, hallways, gyms, lunch areas and classrooms, they ensure the safety of students and staff, and prevent damage to school property.
With an increasing focus on everything from bullying, to medical emergencies and vandalism, campus security is more important than ever. Administrators understand that they’re not only responsible for protecting school property, but must also provide students, teachers and personnel a safe-yet-nurturing environment.
What protects people isn’t alarms or cameras, it’s integrated access control and communications. Security system experts can help identify the best configuration and layout for your security surveillance system by building custom, flexible plans for schools or district needs, now and into the future.
IP-based network cameras and recording devices are engineered to integrate seamlessly with existing security systems, thanks to “open format” systems that’s easy to implement and manage. Outdoor and vandal-proof cameras can withstand even the toughest environments. Multi-format network video recorders offer a complete network solution for simultaneous recording, remote access to live views and playback of critical events.
Simply seeing what has already happened isn’t always the most valuable use of video surveillance. Video analytics can help to prevent damage and interpret the visual information and inform relevant people in case of unexpected incidents.
For example, facial recognition software means that unwanted people can be identified and prevented from accessing the premises. Equally, people counting, age and gender statistics can help to understand who is currently on the premises and monitor where they are.
- Facial detection – helps you to remove unauthorised people from your premises.
- Age and gender recognition – helps you to prevent unwanted access to restricted areas.
- Movement detection – when areas are closed or typically out of use, you can receive alarm information and visual confirmation whenever movement is detected.
- Theft – video records allow you to identify when and where items have been lost or gone missing.
- Loitering detection – receive automatic alerts when groups of people are congregating in unauthorised areas.
- Illegal parking – use video recognition to register all cars in your parking zones. Car number plate recognition allows you to identify unregistered cars.
CCTV not only allows you to protect people on your premises but also reduces damage and theft.
Because the world has been on a global lockdown for over a year, it is a necessity to return to the ‘norm’, however organisations and educational facilities must remember that the ‘norm’ has changed, and security systems and processes must be adapting to meet those growing needs. Lockdown has caused a number of issues, such as mental wellbeing being disrupted, which can bring the threat of school shootings, cyber dependence which increases cybersecurity and data risks and unsolicited intruders.
Commentary: Philippe Niederhauser, Head of Sales & Marketing, Touchless Biometric Systems AG
The education sector involves a great number of professionals and alumni. With so many people in the makeup of a campus, accounting for who is present, when and where is fundamental for best management practices. Hence, security and attendance systems provide a way to track people in time and space. When these systems are biometric based, they provide accurate information and an extra layer of security. These are strong arguments to adopt biometric identification systems.
Through a network of devices, students can easily be registered and have their attendance in class accounted for – even if a student is in another campus elsewhere in the world. Furthermore, specific attendance to exams or mandatory modules can be tracked. The attendance data can be shared with teachers, parents and students alike.
Both the teaching and administration body of schools benefit from the data integrity coming from a biometric time and attendance system. It tracks working hours regardless of user location, extra hours from permanent or temporary teachers, and allows direct linking to payroll systems. It thus provides the base for more efficient workforce management, identifying potential needs to hire new staff or adjust schedules.
TBS has a vast experience providing biometric systems for Access, Time and Workforce management for the benefit of educational institutions across the world. With accurate devices and seamless integration to other systems, TBS helps creating the perfect conditions for modern school in the age of digitalisation. We invite you to visit our website to know more about our solutions.
Commentary: Amr Alashaal, Regional Vice President at A10 Networks
Even before the COVID-19 pandemic, connectivity played an important role in university life. In recent years, it has become a routine practice for students to attend lectures virtually. A wealth of online learning resources is available both within university networks and on the internet. Meanwhile, online retail, banking, health services, gaming, media, and more are mainstays of student life.
Now a global pandemic has radically accelerated this trend. Universities everywhere have been forced to create and expand online remote access for their students, including many of which had not yet begun the evolution. More than just a convenience, connectivity has become a lifeline for students—and network admins to meet their needs. For university IT, this means making a fundamental shift from on-campus networking to supporting a distributed network across the globe.
The pandemic has been a wakeup call for university IT: Improvisation and patchwork of legacy infrastructure and security will no longer suffice. Institutions of higher education need a well-thought-out plan for moving to a more resilient, on-demand model. With current on campus traffic relatively light at many universities, the best time to upgrade is now.
Commentary: Mark Orchinson, CEO, 9ine
Our recent research tells us that taking the following steps will significantly reduce the risk of a school being subjected to a successful malware attack.
More than 50% of vulnerabilities that we identify in our cyber vulnerability assessments and penetration tests relate to update management or end of life systems. These weaknesses provide an attacker with a platform to exploit publicly known vulnerabilities to escalate their privileges once within your school network. Understanding the total number of devices, systems and services that are not up to date, and bringing them up to date, will reduce your risk by 50%.
A further 25% reduction in risk can be achieved through robust operational processes to manage risks associated with security misconfiguration. This is where systems have been updated, but the security configuration of the system has changed as a result of the update; however the change in security protection has not been picked up by IT personnel. Think about your phone when it gets a large update. More often than not certain settings change that you weren’t aware of, the same is true for school systems and services.
Lastly, a further 10% reduction can be achieved through strong authentication methods. We regularly see default accounts and passwords being used for peripheral system devices – yet these devices have access, through their configuration, to the school’s core systems. Default accounts and passwords are often one of the first checks for a hacker as the information on built-in accounts is publicly available on the internet. Our favourite is uninterruptible power supplies. The accounts and passwords for these are rarely changed. This gives us access to power off all services, and in some cases, gain control of the server and all data on it. It takes less than six seconds of someone’s time to change these settings and in doing so, it will protect your school.
To stay up to date on the latest, trends, innovations, people news and company updates within the global security market please register to receive our newsletter here.
Rebecca Morpeth Spayne,
Editor, Security Portfolio
Tel: +44 (0) 1622 823 922