In the second of our series on safeguarding data, we speak to David Tindall, CEO at Schools Broadband.
Q. We’ve all been well schooled now in the importance of data security. But can you outline some simple, practical and affordable solutions for schools and universities?
Firstly, ensure that you have a data security policy. This could include ensuring that users only have access to the specific data they require; not holding sensitive data on servers or cloud applications that can be accessed by anyone on the internet or anyone on your LAN; ensuring that data cannot be freely exported to common file formats from applications which could be emailed to an external email address, or via an application such as Dropbox; investing in a cloud access security broker product which monitors file transfers and data exports from common cloud-based data storage applications; tagging any sensitive data which must be held in common file formats with specific details, that can be read via a firewall using data leak prevention techniques; ensuring that files that need to be viewed by multiple users are only read if they don’t need to be amended; and, of course, backing up all data.
Q. Are schools and universities sufficiently aware of both the risks out there and the solutions available to them?
Adopting robust on-site security technology requires either a specialist security-savvy network manager, or a managed service provider who specialises in data security. We find that only a minority of secondary schools have the required skillsets to manage their security independently and effectively. The picture is different, however, at universities, who tend to have larger budgets, and specialist staff.
Q. How much of this comes down to material solutions (better software, etc.), and how much down to human solutions, such as better training for staff and students?
Both are equally important. Just getting the basics right with staff training can help ensure that your data stays safe. These basics will help to protect against the most common of attacks, such as phishing via emails with a malicious link. Training will solve many problems; however, technology is definitely required too as the first line of defence.
Q. Do schools and universities face a slightly different set of issues from other industries, when it comes to data security?
All organisations, without exception, are now bound by General Data Protection Regulations. Schools, however, are something of a case apart in that they hold details on children, whom we have a duty to protect from harm, because they are amongst the most potentially vulnerable people in our society. All the more reason, then, for schools in particular to adopt a belt-and-braces approach to their security technology.
Q. In terms of its data security, how does the UK education sector compare with a) other UK industry sectors and b) other education systems around the world?
In both primary and secondary schools, generally I would say that our data security is poor, due mainly to lack of investment in products and training. We have also found this to be poor in the majority of Local Authority serviced schools, where the managed broadband services and managed service providers/IT providers for schools are not themselves security specialists.
Without a security specialist, it is near impossible to effectively manage security solutions (even using a good vendor solution) at a price that a school can afford. Basic security measures do exist onsite and on perimeter firewalls, but schools are normally some way behind the security measures adopted by mid-size businesses. That said, we also see that the majority of smaller businesses have exactly the same security issues as schools, due to a lack of knowledge and investment.
Considering today’s threat landscape, if I was responsible for the network security of a school or business, I would choose a hosted security solution that is capable of delivering fast, automated responses to threats anywhere in my school or Multi Academy Trust (MAT) network, and which would give me full visibility of security events and threat intelligence.