Roundtable: Save the data – Graham Glass

Are our schools and universities doing enough to safeguard student and staff data? Steve Wright quizzes some experts in the field

The first in our series on safeguarding data, we speak to Graham Glass, CEO at         Cypher Learning e-learning platforms.

Q. We’ve all been well schooled now in the importance of data security. But can you outline some simple, practical and affordable solutions for schools and universities?

I wish there were an easy answer to this. The thing is, though, that educational institutions of all shapes and sizes have to manage a lot of sensitive data, whether related to their students, or the faculty body, or anyone who ever sets foot on the school’s premises. We’re talking about sensitive private information, such as social security numbers, financial information, healthcare information, intellectual property, and so on. Solutions do exist to protect all this data at any given time – but they are hardly ever simple, practical and affordable at the same time. 

Something’s always got to give. What, exactly, depends on the priorities and resources of each educational institution.

Q. Are schools and universities sufficiently aware of both the risks out there and the solutions available to them?

I do believe that people are very much aware of the threats that can be associated with storing and modifying sensitive data online. There are, in fact, many rules and regulations around digital security, with which any educational institution must comply. However, it’s very hard to keep up with everything, since most of those norms have been adopted from other industries (students’ financial data must comply with financial laws, students’ healthcare data with healthcare laws, etc.). 

Relying on a powerful antivirus programme or on a cloud-based infrastructure can sometime be enough – but taking extra steps to ensure online safety can go a long way. That’s especially the case when it comes to higher education institutions, which are targeted by cybercriminals more often than many other types of organisation.

Q. How much of this comes down to material solutions (better software, etc.), and how much down to human solutions, such as better training for staff and students?

There’s always room for improvement, on both fronts. Even the most secure software can be hacked. Technological advances are constantly being made to ensure that any system has the smallest possible chance of being accessed by people with malicious intent. Some of these have produced some really impressive results – but things are not always perfect. On a different note, a significant number of data breaches in educational institutions are due to negligence by staff. From sharing passwords to compromising files via losing devices and everything in-between, staff and students should start to get better training on how to be responsible digital citizens.

Q. Do schools and universities face a slightly different set of issues from other industries, when it comes to data security?

To some extent, they do. When a student’s file is compromised, the malicious party gets a bird’s-eye view on the life of that student, not just on one particular area of it: there are academic results, financial records, health data, family details and more. This affects the victim in more than one way, and this data breach can ripple out to other people beyond the school or university. What makes it harder for educational institutions to prevent any kind of data breaches, compared to banking companies or organisations from other highly regulated industries, is the fact that it needs to balance a secure environment with an open one, because access to education and to new research should be open to everyone.

Q. Is there one particular area (such as loss of sensitive information, malware, phishing etc.) where schools and universities are particularly at risk?

One recent report placed education lowest, in terms of online safety, among 17 industries. I believe that nobody is particularly proud of these results. The various examples I have already cited are all aspects of digital security in educational institutions that would benefit from more targeted measures.

Q. In terms of its data security, how does the UK education sector compare with a) other UK industry sectors and b) other education systems around the world?

Online security is obviously a global problem. The UK may be above many other states in terms of ensuring digital security across all industries, but this does not mean that the fight against cybercrimes is won. The education sector continues to suffer from a lack of awareness of the variety of such attacks, problems adapting different security solutions to each institution, and poor responses to vulnerability notifications. 

To end this on a paradoxical note: things are not that bad, but they could definitely be better. It all depends on your point of comparison.