4 Steps to Balance Student Privacy Obligations with Transparency

by David Lenz

Schools have an urgent reason to put data security and backup at the top of their agenda: the rising threat of ransomware. According to Sophos, education institutions – both higher and lower education – are increasingly being hit with ransomware, with 60% suffering attacks in 2021 compared to 44% in 2020.

The increase in attacks is evident in Australia. Xavier College in Melbourne came under a cyberattack in June 2022, and students’ personal information, including birth certificates, visa applications, parenting arrangements and financial information, was stolen. The threat of disclosure remains, with the hackers threatening to publish the information online. In November, technology company PNORS, a contractor for six different state agencies including the Department of Education and Training, suffered a data hack, potentially exposing the personal data of thousands of students.

A successful cyberattack on a school not only comes with a high financial cost but also disrupts the core function of education by making resources inaccessible, potentially leading to a loss of sensitive information such as HR and MIS data. It also diverts valuable time and resources away from the primary goal of educating students.

Schools face competing obligations

Schools are required to comply with legal regulations that protect student privacy and, at the same time, they must be transparent. For example, Australian public schools must comply with state and territory privacy legislation and respond to Freedom of Information Act (FOI Act) requests within a specified timeframe or risk facing noncompliance penalties. To meet these competing obligations, schools must have access to reliable data backup solutions that secure their information and provide quick and easy access to the requested data.

Many schools have limited resources to invest in data security, which makes them more vulnerable to cyberattacks. While they can’t afford to hire top-flight technical experts to manage and secure their data or buy the latest security tools, there are strategies that schools can embrace to protect themselves, their students, and their data. Here are four ways that every school can build a robust, cost-effective data security strategy.

1. Build a culture of security awareness

Educating staff and students on best data security practices and how to identify and respond to potential threats is critical to promote a culture of security awareness and protect sensitive data. Schools can conduct regular training sessions and reminders, discussing past security incidents and improving best practices to prevent future incidents. Schools should also offer training on identifying phishing emails, choosing strong passwords, and taking other basic security steps. Schools can build a strong security culture through processes, policies, standards, and technology tools that enforce those standards.

2. Embrace zero trust

Zero trust is a security concept that assumes all users, devices, and networks are untrusted until proven otherwise. It dictates a “just enough privilege, just in time” approach to protect systems. So in a school context, students logging into a system are only granted access to the specific resources they need to complete their task and no more.

For example, students may need to access their grades and class schedule. The zero trust model would only grant the student access to that specific information, not other sensitive information such as other students’ grades or school financial information. Once the student has completed viewing their grades and schedule, their access is immediately revoked. This approach to security limits the attack surface and potential entry points for malicious actors.
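The student scenario above can be sketched as a small access broker. This is an added example, not code from the article or from any product it mentions; the `AccessBroker` class, the student IDs, the resource names and the 300-second lifetime are all assumptions made for illustration.

```python
import secrets
import time

GRANT_TTL_SECONDS = 300  # assumed lifetime; the article gives no figure
STUDENT_SCOPES = {"grades", "schedule"}  # all a student role may ever request

class AccessBroker:
    """Hypothetical broker: short-lived grants scoped to one student's own records."""
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._grants = {}  # token -> (student_id, resource, expires_at)

    def request(self, student_id, resource):
        # Assumes student_id was already authenticated upstream.
        if resource not in STUDENT_SCOPES:
            raise PermissionError(f"{resource!r} is outside the student role")
        token = secrets.token_urlsafe(16)
        self._grants[token] = (student_id, resource, self._clock() + GRANT_TTL_SECONDS)
        return token

    def check(self, token, owner_id, resource):
        # Default deny: only an unexpired grant matching owner AND resource passes.
        grant = self._grants.get(token)
        if grant is None:
            return False
        student_id, granted, expires_at = grant
        if self._clock() >= expires_at:
            del self._grants[token]  # expired grants are purged, never renewed
            return False
        return student_id == owner_id and granted == resource

    def revoke(self, token):  # called as soon as the student finishes viewing
        self._grants.pop(token, None)

def demo():
    """Run the article's scenario with constructed IDs and a controllable clock."""
    now = [0.0]
    broker = AccessBroker(clock=lambda: now[0])
    token = broker.request("s1001", "grades")
    results = {"own_grades": broker.check(token, "s1001", "grades"),
               "other_student": broker.check(token, "s2002", "grades"),
               "ungranted_schedule": broker.check(token, "s1001", "schedule")}
    broker.revoke(token)
    results["after_revoke"] = broker.check(token, "s1001", "grades")
    late = broker.request("s1001", "schedule")
    now[0] += GRANT_TTL_SECONDS
    results["after_expiry"] = broker.check(late, "s1001", "schedule")
    return results
```

Only the first check in `demo()` succeeds: another student's grades, a resource that was never granted, a revoked token and an expired token are all denied.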

3. Maximise savings with data tiering

Data tiering involves storing data based on its importance and usage frequency. Schools on a tight budget can save money by using data tiering to move their less-critical and less-frequently-used data to lower-cost storage options.

By managing their data this way, schools can reduce the storage they need to purchase and maintain and minimise the computing power required to store and access their data. In addition, by following good data hygiene practices, schools can keep their data organised and ensure that they’re not storing unnecessary or duplicate data, a common practice that takes up valuable storage space and consumes resources.

4. Conduct regular risk assessments

Schools are constantly dealing with new and complex threats but often do not know whether their existing security measures can combat those threats. Regular risk assessments will help them pinpoint potential security threats and determine their level of preparedness to defend against them.

By conducting these assessments, schools can keep up with the latest threats and take the necessary steps to mitigate them. Regular risk assessments are vital because they help protect valuable data assets and ensure the safety of their students, staff, and facilities.

As schools embrace more and more technology in their day-to-day operations, it is essential that they also prioritise data protection and educate students and staff on the importance of security. By taking proactive measures to defend sensitive information, schools ensure mandatory compliance with current laws and create a safer and more secure learning environment.

David Lenz is Vice President, Asia Pacific at Arcserve