Districts that started the school year remotely are leaning on technology to deliver lessons to kitchen tables, bedrooms, and learning pods across the state. Like Zoom and other virtual collaboration tools, remote learning platforms can open district networks and student data to attacks or exploitation by malicious cyber actors. There are hundreds of platforms on the market, so providing specific recommendations and security guidance is difficult. That said, some selection criteria and vulnerabilities are common among most platforms.
When selecting a remote learning platform or assessing the security of your existing platform, vetting your vendor is one of the most important things you can do. Many new companies are rushing to fill the market space that the pandemic created. Be wary! Not all companies make your security their priority. Low-cost software sold by a company with no reputation might not be such a bargain if your network is compromised or the software malfunctions.
Select a business with a long history of tight security and responsive support. Start by consulting resources such as the Better Business Bureau, Yelp, or Google reviews. Then, dive deeper by searching the name of the company or software, along with keywords like “lawsuit,” “breach,” and “complaints.” Before long, you’ll have a robust profile of your potential partner to use when comparing them against other companies.
Evaluating platform security
- Secure Sockets Layer (SSL)/Transport Layer Security (TLS) encryption - If the platform you are considering is accessed primarily through a Web browser, ensure your connection is encrypted. SSL is the older version of this encryption protocol, and TLS is the newer version. It’s likely any platform that incorporates encryption uses the TLS version. If you aren’t sure, ask your vendor point of contact for clarification, or check their information security policy. You will know if your connection is encrypted when you see HTTPS rather than simply HTTP at the front of the Web address.
- Encryption states - Most software will indicate when data is encrypted. Ideally, data will be encrypted when “at rest,” “in transit,” and “in storage.” Encryption at all three stages will go a long way in preventing a successful breach of sensitive data.
- Least privilege access - The company’s policies should state that only their employees who need to see sensitive information will have access to that information. Additionally, only vendor staff who need administrative privilege to their (and your) systems will have that access. The fewer eyes on sensitive data and the fewer people with administrative-level privilege, the safer the platform.
So, you’ve confirmed that your chosen platform is using the latest and greatest security features and prioritizing your data security. What’s next? Now you can focus on configuring the platform to ensure the security settings you control are fully engaged. We will focus here on settings that are common to most software.
- Passwords - Hopefully, students and teachers will access remote learning platforms with passwords, but are the passwords unique? If 300 students are using the same password to log into a system, malicious actors could get their hands on those credentials. Look for security settings in your software that create individual passwords for all users.
- User IDs - Each user should also have a unique ID for logging into any system. If all students in a class are using a generic ID like “5th grade,” hackers will find it much easier to infiltrate that program. The more specificity and uniqueness your users employ when accessing the platform, the safer the virtual space. Look for “login” settings on your platform, and configure them accordingly.
- Multi-factor authentication (MFA) - Requiring users to enter unique passwords and IDs before accessing your platform is essential. However, you could gain an additional level of security by employing multiple means of verification for administrators and teachers who have access to sensitive information. Just like other spaces where you use MFA (your VPN, smartphone email), this might require a login code sent by text message, a link sent to a second email address, or a code-generating app or device to gain entry.
- Least privilege - In the same way you want your vendor to exercise least privilege access, you should do the same in your district. Minimize the number of staff who have administrative control over how your platform is configured. Decreasing the number of administrative targets will make it more difficult for hackers to reconfigure your security settings. Additionally, designate as few staff members as possible to be keepers of any sensitive data associated with the software. Limiting access to this information decreases the “attack surface” for malicious actors who are intent on stealing your valuable data.
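The account settings in the list above can be spot-checked against a user export from the platform. The Python script below is an added example, not part of the original article or any vendor's tooling: it flags login IDs shared by several people, administrators and teachers without MFA, and an administrator count above a limit. The CSV column names, the sample roster, and the `max_admins` limit are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; column names are assumptions, not any vendor's format.
SAMPLE_ROSTER = """login_id,person,role,mfa_enabled
5th grade,Ava Ruiz,student,no
5th grade,Ben Cole,student,no
5th grade,Cara Diaz,student,no
jlee,Jordan Lee,teacher,yes
mpatel,Mina Patel,teacher,no
admin1,Sam Ortiz,admin,yes
admin2,Tess Wong,admin,no
admin3,Uma Reed,admin,yes
dkim,Dana Kim,student,no
"""

PRIVILEGED_ROLES = {"admin", "teacher"}  # roles the article says should use MFA


def audit_roster(csv_text, max_admins=2):
    """Return findings for shared login IDs, missing MFA, and excess admins.

    max_admins is an assumed local policy limit, not a figure from the article.
    """
    people_by_login = defaultdict(set)
    missing_mfa, admins = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        login = row["login_id"].strip()
        role = row["role"].strip().lower()
        # Case-insensitive grouping so "5th Grade" and "5th grade" count as one ID.
        people_by_login[login.lower()].add(row["person"].strip())
        if role == "admin":
            admins.append(login)
        if role in PRIVILEGED_ROLES and row["mfa_enabled"].strip().lower() != "yes":
            missing_mfa.append(login)
    shared = {login: sorted(people)
              for login, people in people_by_login.items() if len(people) > 1}
    return {
        "shared_login_ids": shared,
        "privileged_without_mfa": sorted(missing_mfa),
        "admin_count": len(admins),
        "too_many_admins": len(admins) > max_admins,
    }


if __name__ == "__main__":
    for finding, value in audit_roster(SAMPLE_ROSTER).items():
        print(f"{finding}: {value}")
```

Password uniqueness is not checked here because a platform should never export passwords; confirm that setting in the platform's own login configuration.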
These tips should help you to find a reputable vendor and secure your existing online learning platform. If you have concerns or questions regarding software in use or platforms you are considering, feel free to reach out.
Expert help from the Fund
The Fund provides cybersecurity and data privacy coverage, guidance, and resources to members of the Legal Liability program. To report a Privacy and Information Security claim, call the Fund at 855.295.8344. For more information about cybersecurity or to request guidance, contact TASB Privacy and Cyber Risk Consultant Lucas Anderson at firstname.lastname@example.org or 512.505.2893.