3 Ways Schools Can Stay Ahead of BYOD Security Risks
April 4, 2016 • Blog Post • BY SUE POREMBA, HPE MATTER CONTRIBUTOR
IN THIS ARTICLE
- As students and teachers become more attached to smartphones and tablets, a policy that addresses personally-owned devices and security requirements is necessary for schools
- Terence Spies, chief technologist from HPE’s Data Security business, provides three best practices that schools can take to mitigate BYOD security risks
HPE’s Terence Spies explains why schools must take a multi-pronged approach to cybersecurity
Not surprisingly, the bring your own device (BYOD) trend has made its way from offices into schools. Classrooms are filled with students attached to their own smartphones and tablets, and teachers and administrators are using their own personal phones and computers for teaching tools, lesson planning and communication with students and parents.
While BYOD allows schools to save money on the latest technologies and to better engage students both inside and outside the classroom, personally-owned devices can also create a data security nightmare for IT departments.
School districts hold a vast amount of sensitive information—from student records to personnel salary and medical information—and protecting this data from any security risk is essential. Unmonitored BYOD use allows unsecured devices to have access to the data on the networks. Developing a district-wide policy that addresses personally-owned devices and security requirements is necessary but school leaders can also go a step further by providing data-centric protection.
Schools often use personal information like Social Security numbers as student or employee identifiers. Even special school ID numbers can be linked back to a specific person. Data-centric security solutions can come up with special codes or identifiers for that personal information without linking to the actual data. This can prevent data leaks through BYOD.
Taking a multi-pronged security approach
Here are three security best practices that school districts need to take according to Terence Spies, chief technologist from HPE’s Data Security business.
- Prevent the spread of malware
One of the more important issues that school districts need to address is malware. When you start mixing a variety of devices together, you also risk malware infections, said Spies. “It’s like sending a kid off to kindergarten and starting the round of a never-ending cold,” Spies said, laughing but also emphasizing just how serious an issue malware spread can be, especially in devices that don’t have autonomous control. School districts need to have an appropriate security system in place that will keep malware from migrating from machine to machine. While malware creep isn’t a concern that is unique to schools, their device-user population is more diverse than the typical enterprise. Schools are also dependent on parents and young children to use good security practices.
- Develop a robust authentication system
A second data security issue that is specific to school is credential management. Using BYOD, students, educators and parents are accessing school resources and services—some that connect to the school’s network, but others to outside vendors. “You don’t want to be propagating passwords all over the place,” said Spies. A solution is developing an authentication system that makes it easy for children to log on but adds a layer of security, such as using a single campus-wide portal system that includes all instructional sites or a passcode sent by text or email.
- Protect the data itself
The third issue concerns the protection of school data. School districts need to ensure that the data collected is isolated and protected with data-centric security tools, such as encryption and tokenization. If the school network is hacked through a vulnerability in a personally owned device, the data will be sheltered from the threat and the risk of the information being compromised is lessened as the cyber attacker will get nothing of value
“The old way of thinking about security often relied on having tight control,” said Spies. It made sense when all of the machines were the same model and ran the same software. Now we’ve moved to an environment in schools where those tasked with handling IT security are faced with securing dozens of different devices all with different types and versions of operating systems and software packages. Yesterday’s endpoint security strategy is unrealistic for today’s BYOD adoption.
“Schools should be thinking about how to protect data that is ‘breach relevant,’” said Spies. Rather than focus on all of the different devices showing up on the network, schools would be better served to concentrate on the data that would be most interesting to an attacker and then encrypt it.
“It’s not about giving up on endpoint security efforts, but instead no longer making endpoint security the centerpiece of the security strategy,” he added. In BYOD in schools, rather than try to control every device showing up on the network, districts should turn the attention to identifying what is actually stored and accessed on the network and how that can be protected.