Cyberthreats: 10 things schools need to know

David Booth

David Booth is Managing Director of IASME Ltd, which provides security advice and certification for small businesses and the Government.

Website: www.iasme.co.uk

Getting computer security right in a school is much trickier than doing so in a business. How much money can you spend? How much time can you devote to the problem? Should you have a regime in which you enforce, or merely guide? How do you win the cooperation of parents, principals and students? Security expert David Booth discusses the principles of information security for schools.

[As seen in the June 2014 edition of our magazine]

1. Understand Your Risk

Identify your most sensitive information and mark documents containing this data clearly as “confidential” or similar. Decide who is responsible for managing the risk. Work out how much risk you face and how much risk you want to take. Allocate security responsibilities clearly to other staff and ensure staff understand the importance of working securely.


2. Teach Good Practices

Remind staff regularly about good security practices, especially when the risk or the policy changes. If you use social media, you should ensure that all staff know that no sensitive material should be disclosed and that users behave responsibly while using it, bearing in mind that they directly or indirectly represent the school.

3. Protect your Network and Devices

Make sure that any router supplied by the Internet Service Provider (ISP) has a firewall built in and make sure it’s operational. Limit who knows the password to those who REALLY need to know. Install modern proprietary security software from mainstream suppliers like Symantec, Sophos or Kaspersky on your PCs, Macs and laptops. Preferably use a suite of software which includes anti-virus, anti-spam, identity protection and other protection, because suites are generally easier to manage.

4. Manage IT Access

Don’t write passwords down or share them between users. Use a different password for each application. Some security software providers offer password ‘vaults’ which generate complex passwords and store them in encrypted form, so you don’t have to remember them. Limit administrative privileges on your network and devices to those who really need them. Administrative privileges are sometimes enabled when software is installed, so check for this afterwards.
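Checking who actually holds administrative rights is the practical follow-up to the advice above, since installers can quietly add accounts to privileged groups. The script below is an added example, not from the article or from IASME: it parses a Unix-style group file (a constructed sample is embedded; the group names in ADMIN_GROUPS and the account names are assumptions for illustration) and reports every account with admin rights that is not on an approved list.

```python
"""Audit which accounts hold administrative rights on a device.

Added example, not from the article or IASME. It assumes a Unix-style
group file (constructed sample below); the admin group names and the
account names are made up for illustration.
"""

# Groups that confer administrative rights on common Linux/macOS builds.
# This set is an assumption for the example; adjust it to your platform.
ADMIN_GROUPS = {"sudo", "wheel", "admin", "root"}

# Constructed sample of /etc/group content (not taken from a real system).
SAMPLE_GROUP_FILE = """\
root:x:0:
sudo:x:27:itadmin,printerapp
admin:x:80:itadmin,mrsmith
staff:x:50:mrsmith,teacher2
"""


def parse_group_file(text):
    """Return {group_name: set(members)} from /etc/group-style lines."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue  # malformed line: skip it rather than crash the audit
        name, members = parts[0], parts[3]
        groups[name] = {m for m in members.split(",") if m}
    return groups


def admin_accounts(text, admin_groups=ADMIN_GROUPS):
    """Map each account found in an admin group to the groups granting it."""
    grants = {}
    for group, members in parse_group_file(text).items():
        if group in admin_groups:
            for member in members:
                grants.setdefault(member, set()).add(group)
    return grants


def unexpected_admins(text, approved, admin_groups=ADMIN_GROUPS):
    """Return {account: groups} for admin rights held by unapproved accounts."""
    return {
        acct: groups
        for acct, groups in admin_accounts(text, admin_groups).items()
        if acct not in approved
    }


if __name__ == "__main__":
    # Only the IT administrator account is approved in this constructed case.
    approved = {"itadmin"}
    for acct, groups in sorted(unexpected_admins(SAMPLE_GROUP_FILE, approved).items()):
        print(f"review: {acct} is in {sorted(groups)}")
```

On a real device you would read the group file itself (for example `open("/etc/group").read()`) instead of the sample, run the check on a schedule, and treat each finding as a prompt to ask why that account has admin rights rather than as proof of wrongdoing; service accounts created by installers are a common and legitimate reason, but they should still be recorded.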

5. Keep Your IT Up-To-Date

Document your IT assets so you know what you’ve got. IT assets include hardware, software and even key IT staff. Install current software and operating system patches, firmware updates, etc. immediately when they are issued. Ensure all software is licensed.
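An asset list only helps if something reads it back. The script below is an added example, not from the article: it takes a small inventory in CSV form (the rows, hostnames and the 14-day patch threshold are constructed assumptions) and reports every device whose last recorded patch is older than the threshold, as well as devices with no patch date recorded at all, which is its own finding.

```python
"""Flag devices whose patching is overdue, from an asset inventory.

Added example, not from the article or IASME. The inventory rows, the
hostnames and the 14-day threshold are constructed for illustration.
"""
import csv
import io
from datetime import date, timedelta

# Assumed policy: anything unpatched for longer than this needs attention.
MAX_PATCH_AGE = timedelta(days=14)

# Constructed inventory (hostname, owner, OS, last patch date in ISO form).
SAMPLE_INVENTORY = """\
hostname,owner,os,last_patched
office-pc1,bursar,Windows,2014-05-20
lab-pc7,ict,Windows,2014-03-02
head-laptop,headteacher,macOS,2014-06-01
staffroom-pc,shared,Windows,unknown
"""


def parse_inventory(text):
    """Return the inventory as a list of dicts keyed by the CSV header."""
    return list(csv.DictReader(io.StringIO(text)))


def overdue_devices(text, today, max_age=MAX_PATCH_AGE):
    """Return [(hostname, reason)] for every device that needs attention.

    A missing or unparseable date is reported rather than silently skipped,
    because an asset nobody can date is exactly the one that gets forgotten.
    """
    findings = []
    for row in parse_inventory(text):
        try:
            last = date.fromisoformat(row["last_patched"])
        except ValueError:
            findings.append((row["hostname"], "no patch date recorded"))
            continue
        age = today - last
        if age > max_age:
            findings.append((row["hostname"], f"last patched {age.days} days ago"))
    return findings


if __name__ == "__main__":
    # Fixed "today" so the constructed sample gives repeatable output.
    for host, reason in overdue_devices(SAMPLE_INVENTORY, date(2014, 6, 10)):
        print(f"{host}: {reason}")
```

In practice you would call `overdue_devices` with `date.today()` and the real inventory file, and feed the findings into whatever ticketing or task list the school already uses; the point of the example is that the inventory and the patch check are the same document, so keeping one up to date keeps the other honest.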

6. Use of Removable Media

If you transfer data using CD, DVD, USB, SD or any type of flash memory drive:

• Only permit school-issued and controlled devices in your systems.
• Issue, retrieve and track the devices: know where they all are, who has them and, ideally, what software is on each.
• Ensure they are encrypted and scanned for malware on each use. Many commercial anti-malware packages have the ability to scan removable media.


7. Mobile Working

The use of mobile devices should require top-level approval. Such devices must, at a minimum, have:

• Anti-malware software installed and updated daily.
• A PIN, password or other authentication enabled.
• Encryption, wherever possible.
• The capability to be remotely tracked and wiped.

8. Using the Cloud

Cloud computing can simplify your IT operations, but there are risks. Outages in service are no longer within your own ability to fix. Data leakages are no longer within your remit to control. Security policies are no longer necessarily yours to decide and to enforce. You cannot outsource or “cloudify” all aspects of computer security. Remember that all data stored in the cloud or processed using cloud-based applications is available to the bad guys. Where you use data storage, applications or other services which are provided by another business, you should choose one whose security has been independently audited.

9. Incident Management and Business Continuity

Document any incident and decide what caused it, how much it costs to fix and whether there is anything you could do better in future. You should ensure that you know what to do on the catastrophic failure of anything critical to your school, such as information, applications, systems or network. Don’t wait for an incident to try out the plan.

10. Further reading

The government has recently published online cyber security guidance for business, covering the basic elements of technical cyber security.
