Encryption: use it or lose out

Mark James, Technical Director at online security solutions business ESET, looks at the benefits of understanding data encryption

Technology has reshaped the classroom in just a few short years. Textbooks have been superseded by iPads, the whiteboard has evolved into a vast touchscreen and instant messaging has long-since replaced the traditional scrap of paper passed from one amorous pupil to another during lessons. A school’s network – and the data it carries – is now one of its most important assets and it needs to be secured as such.

Whether it’s the result of poor network security or human negligence, the loss of data from an educational establishment can cause catastrophic reputational, and thereby financial, damage. Recognising the changing relationship between technology and education, Ofsted recently revised its inspection guidelines[1]. It now states that personal data being unsecured and/or leaving the premises without encryption is an indicator of inadequate performance, so it’s vital that both school IT managers and teachers are aware of the new rules. But how should adherence be addressed?

As a first line of defence, the Information Commissioner’s Office (ICO) recommends the use of encryption software to prevent data leaks. Encryption refers to the process of encoding information in such a way that only the intended recipient can read a file’s contents. In accordance with the ICO, specialists such as DESLock recommend using encryption software to cover full-disk, file and folder encryption, as well as email and portable storage media. Portable storage media is taken to mean laptops, USB devices, memory cards or any other form of storage that isn’t part of the computer itself.

This is a particularly important point; there have been a number of occasions where school laptops containing personal information have been stolen from workplaces, vehicles and houses, or even left in public places. The ICO’s latest revisions stipulate that, where such thefts or losses occur and encryption software has not been used to protect the data, enforcement action will usually follow.

Putting in place firm security measures such as these is a vital first step, but it doesn’t negate the need to educate staff and pupils on the importance of IT security. With digital cyber threats increasingly prevalent, the end goal of any educational institution should be to create a ‘security-aware’ staff and student body. This attitude needs to be instilled from a young age for future generations as well. Recent research by ESET UK examined the attitudes of young people towards cyber security, and found that 50 per cent of those aged nine to 16 have had no formal internet safety teaching in school.

With Ofsted ratings at risk, managing access to confidential information effectively should be a key focus of any school’s IT security team. It only takes the theft or loss of one device to a put pupils at risk, and the combination of a firm security policy, strong encryption and thorough IT education for all users represents a simple yet effective solution.

[1]Briefings and information for use during inspections of maintained schools and academies, September 2013