Schools hold a myriad of sensitive data, from exam results and personal phone numbers to SEN information and medical records. This means that security of systems and data is paramount and becomes ever more pressing as schools continue to embrace new approaches such as Bring Your Own Device (BYOD).
BYOD is an attractive prospect for schools. It can help free up already restricted budgets, diminish the digital divide, increase the computer-to-student ratio, and improve engagement and motivation.
However, welcoming mobile devices into the classroom in different shapes and sizes naturally brings data security risks and challenges. The sheer range of devices alone – from laptops, notebooks and tablets to SmartPhones and hybrid computers – can be bewildering. Equally, the related data security issues, such as unauthorised access, loss of data, viruses and so on, are uppermost in people’s minds.
Early-adopter schools across the country have already embraced or are in the throes of embracing BYOD. For those who are yet to embark on this journey, in order to ensure the adoption of BYOD flows smoothly, it is best to view the overall process in the same way as the implementation of any other new technology.
While the high-level issues are the same, it is all about minimising potential risks, and the way the solutions are implemented, managed and controlled, along with the user behaviour, is what is important.
Certainly the perceived data security risks can act as a barrier to deploying BYOD and yet the potential of this trend for schools is enormous. So the burning question is whether BYOD really is the data security liability that some think it is?
BYOD is often associated with bringing a whole new set of security issues. Whereas in reality, the issues are exactly the same as schools have faced with other ICT implementations – data security, authentication and authorisation, and data access and privacy are all areas that the education sector has been managing for some time.
What needs to be highlighted are the changes that BYOD requires – the two main areas are cloud services and the mobile devices themselves. Subsequently this gives rise to various questions.
For instance, will the school control what a personally owned device can do? How can you ensure data is safe, secure and available from all the devices a student uses in school? How will a number of different devices on the school’s network be managed? The list goes on, but this gives a feel for the issues that need to be considered.
Two sides of the same coin
In terms of data security, it is about not letting people see things they are not supposed to see and not letting the data get lost, destroyed or corrupted. Equally, it is about making sure people who are supposed to see it, can see it. In terms of e-safety, it is about stopping people who may present a risk or threat from gaining access to staff or students online – right access for the right people – and making sure people cannot see materials they should not see. In essence, data security and e-safety are two sides of the same coin – by protecting the data, schools are protecting the users.
Up in the cloud
A big misconception is that storing data in the cloud is unsafe. In reality, cloud service providers take security extremely seriously and with the right solutions in place, it is safe.
Having said that, it is dangerous to believe that data in the cloud is totally secure. However, losses or breaches of sensitive and personal data occur whether data is on a piece of paper or a mobile device, and this highlights the importance of implementing robust procedures and adequate training to guard against human error.
The human element
Security risks are often as a result of human involvement rather than the technology itself. Therefore maintaining security is as much about individual behaviour as about your technology – educating users about potential threats and how to avoid them is invaluable.
A good scenario to use as an example is the belief that working on an encrypted network is secure. However, if someone has logged in with a password, left the computer for some reason without logging out, there is now unlimited access to potentially sensitive information.
One threat from mobile devices is that they can bring in viruses to a school’s network, but this is avoidable by ensuring that the devices have up-to-date virus protection, or preferably the devices could be logged-on to a separate virtual local area network, with relevant services made available in a secure manner to BYOD users.
Physical security of the device should also be considered. Mobile device management solutions allow aspects to be controlled centrally rather than individually on each device. For instance, password policies can be enforced. It is also possible to lock a device in the event of loss or theft, or even wipe the data from the device where necessary.
A school’s Acceptable Use Policy (AUP) needs to reflect the changes that BYOD brings, and what the students themselves agree to by bringing in their own devices. For instance, to manage access while on school premises, it may be necessary to have a mobile device management solution enabled on personal devices.
Furthermore, an AUP should define appropriate and acceptable usage and behaviour with mobile devices. It is about changing behaviour and best practice, not just for the students, but teachers and parents too.
When considering BYOD, it is important to ensure a balance between the level of appropriate security and what is sensible in terms of usability; to remove barriers and allow students the best possible learning experience. Over-zealous security measures will often drive users to use insecure parallel solutions to make their lives easier.
The key tenets for addressing BYOD data security issues are:
Mobile device management.
Encryption and passwords.
Security of applications and secure connections.
Some schools are hesitating to adopt BYOD. In reality, BYOD is inevitable at some stage, either sanctioned and managed, or with users bringing in devices to use and moving the data and gaining connectivity in other ways.
Implemented correctly with a full understanding of the issues and the right policies and procedures, BYOD can improve the learning experience without posing security risks to the school or the students.
Choosing cloud storage providers:
Consider where and how the data is stored. Is it within the EU and does it conform to “safe harbour” privacy principles? Is the data broken apart or encrypted before storage?
Choose a service whose accounts are created and managed by the school, preferably automatically aligned to the school’s network accounts. This prevents rogue accounts being left active when someone leaves the school.
Ensure the service complies with minimum password policies, preferably mirroring those of your network and possibly exceeding them through the use of a second factor of authentication. Passwords are the key.
Choose a service available from all devices, from anywhere, otherwise users could bypass measures and use something else which may be less secure.
Darren Pepper is head of business development at Capita IT Services.