More and more schools are adopting their own online platforms where students can view their records and grades, answer surveys, see their schedules and remaining classes, and even enroll. These platforms are sometimes called student portals or student information systems. Whatever they are called, they make communication easier, especially in the current situation.
Each student's information can only be accessed through the personal account given to the student upon first enrolment. Given recent events, where hacking is just one of the ways personal data may be leaked, it becomes all the more important to protect these systems, since they are accessible online. Below we look at how to protect them by employing some privacy best practices.
Implore the students to change the passwords to their accounts and keep student numbers confidential.
First, the major flaw of most student systems is that the password is often the birthday of the student to whom the account belongs.
This is understandable, since it makes the account easy for the student to use. However, birthdays can easily be found out through a Facebook account. It does not take a really good hacker to piece the information together. Schools and universities must take a proactive approach and ask their students to change their passwords regularly.
The same goes for student numbers: they must not be presented or shown in a way that reveals who a student number belongs to, since most portals need only a student number and a birthday to be opened.
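One way a portal could enforce this when a student changes a password, shown as an added example that is not part of the original article or of any portal's own code. The function names, the 12-character minimum, and the sample birthday and student number are assumptions constructed for illustration.

```python
import calendar
import re
from datetime import date


def birthday_tokens(dob: date) -> set:
    """Return the separator-free strings a birthday is usually typed as."""
    days = {f"{dob.day:02d}", str(dob.day)}
    months = {f"{dob.month:02d}", str(dob.month),
              calendar.month_name[dob.month].lower(),
              calendar.month_abbr[dob.month].lower()}
    years = {f"{dob.year:04d}", f"{dob.year % 100:02d}"}
    tokens = set()
    for d in days:
        for m in months:
            for y in years:
                # month-day-year, day-month-year and year-month-day orderings
                tokens.update({m + d + y, d + m + y, y + m + d})
    return tokens


def password_rejection_reason(password: str, dob: date, student_number: str):
    """Return why a new portal password is refused, or None if it passes."""
    # Drop separators and case so "03/15/2004" and "03152004" compare equal.
    squashed = re.sub(r"[^a-z0-9]", "", password.lower())
    if any(tok in squashed for tok in birthday_tokens(dob)):
        return "contains the account holder's birthday"
    sn = re.sub(r"[^a-z0-9]", "", student_number.lower())
    if sn and sn in squashed:
        return "contains the student number"
    if len(password) < 12:  # assumed minimum length, not from the article
        return "shorter than 12 characters"
    return None


if __name__ == "__main__":
    # Constructed sample account: born 15 March 2004, student number 2021-00417.
    dob, number = date(2004, 3, 15), "2021-00417"
    for candidate in ("03152004", "15/03/04", "March-15-2004!",
                      "Portal2021-00417x", "correct horse battery"):
        print(candidate, "->", password_rejection_reason(candidate, dob, number))
```

Running the same check against the password currently on file at login time would also let the portal force a change for accounts still using the default birthday.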
Invest in a robust cybersecurity system.
Schools and universities handle thousands of students, whose grades are but one part of a multitude of sensitive personal information they hold about the student. It is important they have technical security in place since these portals are directly linked to the internet.
Cybersecurity software comes in many forms: encryption tools, network security monitoring tools, web vulnerability scanning tools, network defense wireless tools, packet sniffers, antivirus software, firewalls, PKI services, Managed Detection Services, and penetration testing. Your I.T. team or department must make sure that these systems, if you have several, actually work together and do not unnecessarily hinder each other's performance.
On top of this, your I.T. team must also make sure that this software is always kept up to date. An outdated security system might have backdoors that have been found and can be exploited by hackers.
In matters of cybersecurity, always heed the advice of your I.T. team. Back up whatever they think is best for the current system you have in place.
Teach your teaching staff and administrative staff how to properly use these portals.
In most hacking incidents and data breaches, human error is at fault. The staff who handle the data and enter it into the system must know at least basic privacy and security best practices.
Have a protocol or rules in place for access to the portals. A teacher or staff member may unwittingly connect to a compromised Wi-Fi network while logging in to the school portal. In that case, a hacker could acquire enough information to exploit the whole system.
Especially nowadays, when you can connect and have access online anywhere, at any time, proper regulations should be in place.
Do not forget to physically secure your servers and registrar office as well.
Part of securing personal data is physical security too. What good is your technical cybersecurity if a thief can simply walk up to your servers? Keep in mind that these servers contain your whole system; data is not just pulled from and placed in "the cloud". It always sits on some physical server. Even the files in your Google Drive, Dropbox and other cloud services are just stored on servers in some other country.
Breaches also do not come only from hacking. An availability or integrity breach can occur as well, meaning that your data may no longer be available or that it has been tampered with in one way or another. So you must secure your servers physically, since they can be destroyed by fire, flood, or even other persons.
It goes without saying that the registrar's office holds the physical copy of all the data entered into the portal, alongside the offices of each college, which may hold physical copies of grade information. Keep these offices physically secure, since they too hold sensitive personal information about your students, staff and faculty.
Play an active part in the security of your system.
If you outsource the creation and maintenance of your system, check up on your provider regularly. Staying up to date with your provider helps you know exactly what has been going on and what kind of security they have in place.
Again, a security system is only good if it is regularly monitored. It is never a one-time fix that you then forget about.
When you outsource, make sure you have a data-sharing agreement in place with your provider. This obliges your provider to notify you in case a breach occurs. This is in itself a security measure that must be put in place.
Is your school ready for all of this increasing online presence that needs securing?