With GDPR now in full effect, the workload has increased in all schools: auditing data, preparing policies, confirming privacy notices and putting sensitive data under lock and key.
Whilst the regulation as a whole safeguards any identifiable data, whether it’s digital or paper based, there’s no doubt IT has a large part to play. There are multiple considerations from a technology point of view that your school may or may not have addressed.
We’ve put together a starting list of items that may have slipped through the net, or at least may need a little more reflection, now that GDPR is in law.
Encrypted E-mail
Any sensitive data sent to third parties, or parents, should be encrypted, guarding against its interception. Whilst there are paid applications out there to service this need, you may find your current e-mail system already has built-in capabilities that just need setting up.
Office 365, in particular, has the capacity for encrypted e-mail. Once set up, users put a keyword in the subject line (we tend to set this up as ‘Encrypt’) and the message will then automatically be encrypted. Only the recipient identified in the ‘To’ field will be able to open and read the message, either by logging in with their 365 account or with a one-time passcode.
Other services, such as Google Apps, have similar capabilities.
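An added example (not from the original article) of the Exchange Online mail flow rule behind the subject-keyword behaviour described above. The rule name and the admin account are placeholders; ‘Encrypt’ is the built-in Office 365 Message Encryption template, and the ExchangeOnlineManagement module plus a role that can manage transport rules are assumed.

```powershell
# Added example, not from the original article.
# Creates a mail flow rule that applies Office 365 Message Encryption whenever
# a staff member puts the keyword 'Encrypt' in the subject line.
Connect-ExchangeOnline -UserPrincipalName admin@school.example   # placeholder account

$rule = @{
    Name                          = "Encrypt on subject keyword"   # our own rule name
    SubjectContainsWords          = "Encrypt"   # the keyword staff type in the subject
    ApplyRightsProtectionTemplate = "Encrypt"   # built-in OME template: recipient signs in
                                                # with a 365 account or a one-time passcode
    Comments                      = "Staff add 'Encrypt' to the subject for sensitive mail"
}
New-TransportRule @rule

# Confirm the rule is enabled and matches the keyword and template you intended
Get-TransportRule -Identity "Encrypt on subject keyword" |
    Format-List Name, State, SubjectContainsWords, ApplyRightsProtectionTemplate
```

Send a test message with ‘Encrypt’ in the subject to an external address and confirm the recipient is prompted to sign in or use a passcode before the rule is announced to staff.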
Cancel Send
One of the easiest data breaches to commit is sending sensitive data to the wrong person by mistake: a common, yet hard to guard against, slip of the mouse that could lead to sensitive information being sent to the wrong parent or third party.
Again using Office 365 as our example, there is the option of setting up cancel send. Once configured, users have up to 30 seconds to stop an e-mail leaving their outbox and to check that they have selected the right recipient.
As soon as you click send, a ‘cancel message’ button appears top right until the time has elapsed.
USB Alternatives
One of the biggest security risks on networks as a whole is USB sticks, which are unfortunately still a common device among teachers and other staff. Risk of loss and bringing in viruses are just two of the concerns. Whilst at the very least they MUST be encrypted sticks, the ideal would be to ban these devices and seek alternatives where possible.
The good news is that once users become comfortable with the alternatives, they are much better, more flexible and safer than USB sticks.
Office 365 offers all education users large amounts of OneDrive space, allowing you to work on documents in the cloud without downloading them, share with other users in your organisation, and have portable storage at all times, secured with a password and 2-factor authentication.
Google Drive too has these capabilities, and we’d advise going down the route of whichever platform your school adopts.
Work from Home System
On the subject of USB alternatives, probably the best suggestion is a reliable work-from-home system. Remote Desktop Services allows staff to connect remotely to their work resources from home, working as if they were using their school computer, with shares and documents, in a self-contained window.
These documents are never copied to the home computer or device; it is a remote session only, meaning work can be completed but the data never actually leaves the school premises.
This is the ideal situation, and with a properly configured and set-up system, it removes the need for all USB sticks, encrypted or not.
Of course security is paramount with these systems, but with proper passwords, firewalls and security policies, this is a popular solution in the schools we look after.
Encrypted USBs
A short-term plan for many is getting a stock of encrypted USB sticks. Our advice would be to provide these and disallow staff from bringing their own. Although self-bought sticks are more than likely fine, being in control of their setup and distribution means the school knows for certain the adequacy of these devices and has proof of compliance.
When choosing encrypted memory sticks, the preferred encryption would be AES (256-bit), and a data destruction feature is recommended: for example, get the password wrong 10 times and the USB stick wipes its data, useful if stolen.
Of course there is a risk of users forgetting their passwords and losing their data. Our solutions have been, firstly, to always back up data in school AND, secondly, a system where the passwords for these devices are recorded and locked in a secure safe.
Laptops Leaving Site
All laptops leaving site should be encrypted, as should any on-site laptops that contain data. (If all files are network redirected, you can assess the risk and whether this is required.)
Newer Windows versions have BitLocker, and this is definitely something that should be rolled out in your environment. It is a simple and secure method of encryption, with options for storing recovery keys.
For older laptops unable to use BitLocker, third-party options such as VeraCrypt should be investigated, allowing you to ensure that should a laptop be stolen, sensitive data cannot be accessed.
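An added example (not from the original article) of rolling out BitLocker on one laptop, including the recovery-key storage mentioned above. It assumes a TPM is present, the session is elevated, and Group Policy allows BitLocker recovery information to be stored in Active Directory; the drive letter is a placeholder.

```powershell
# Added example, not from the original article.
# Enables BitLocker on the OS drive, adds a recovery password and backs it up
# to Active Directory so IT can recover data if a user is locked out.
$drive = "C:"   # placeholder: the laptop's system drive

# Encrypt the system drive with XTS-AES 256; the TPM releases the key at boot.
# -SkipHardwareTest avoids the reboot-and-verify step; drop it for a cautious rollout.
Enable-BitLocker -MountPoint $drive -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest

# Add a 48-digit recovery password as a second key protector (the 'recovery key')
Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector | Out-Null

# Escrow the recovery password in AD DS. For Azure AD-joined devices use
# BackupToAAD-BitLockerKeyProtector with the same parameters instead.
$recovery = (Get-BitLockerVolume -MountPoint $drive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object -First 1
Backup-BitLockerKeyProtector -MountPoint $drive -KeyProtectorId $recovery.KeyProtectorId

# Report progress: ProtectionStatus 'On' and VolumeStatus 'FullyEncrypted' is the goal
Get-BitLockerVolume -MountPoint $drive |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```

Before relying on the escrow, check in Active Directory Users and Computers (BitLocker Recovery tab on the computer object) that the recovery password actually arrived.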
PINs on Phones
It may be a foregone conclusion these days that phones have some PIN protection, but it is still worth putting into staff policy that any mobile device that has school e-mail connected is protected by a PIN. Some organisations also insist on 6 digits over 4 digits to increase the level of security. The more secure, the better.
Most e-mail systems also allow rules that force phones to have a PIN code or they will not receive e-mails, which is a way of ensuring this definitely happens and that the odd user who hasn’t bothered with a passcode doesn’t slip through the net.
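An added example (not from the original article) of the Exchange Online rule that refuses mail to phones without a PIN. It assumes an existing Connect-ExchangeOnline session and the default mobile device mailbox policy; the 6-digit minimum follows the article, while the 10-attempt wipe and 5-minute lock are our own choices.

```powershell
# Added example, not from the original article.
# Requires a PIN on every phone syncing school e-mail via Exchange ActiveSync;
# devices that cannot enforce the policy are refused rather than allowed through.
$policy = @{
    Identity                     = "Default"
    PasswordEnabled              = $true    # a PIN or passcode is mandatory
    AllowSimplePassword          = $false   # rejects 1234, 1111 and similar
    MinPasswordLength            = 6        # the 6-digit choice mentioned above
    MaxPasswordFailedAttempts    = 10       # device wipes after 10 wrong PINs (our choice)
    MaxInactivityTimeLock        = (New-TimeSpan -Minutes 5)   # auto-lock (our choice)
    DeviceEncryptionEnabled      = $true    # storage encryption on the handset
    AllowNonProvisionableDevices = $false   # phones that can't apply the policy get no mail
}
Set-MobileDeviceMailboxPolicy @policy

# Confirm the policy took effect
Get-MobileDeviceMailboxPolicy -Identity "Default" |
    Format-List PasswordEnabled, AllowSimplePassword, MinPasswordLength,
                MaxPasswordFailedAttempts, AllowNonProvisionableDevices

# List phones that are not currently allowed to sync, so their owners can be chased
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -ne 'Allowed' } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceAccessState
```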
Secure Passwords
This one may be a simple rule everyone knows, but it’s worth reiterating to all staff the importance of secure passwords. The recommendation should be, again at the very least, 6 characters including a capital letter and a number or symbol.
For even better security, use words that aren’t in the dictionary, and passwords that don’t have any personal relevance people may know.
Network administrators can put in place system rules to force complex passwords, and this should without doubt be in place. There will always be a staff member in a rush who uses their username or an extremely easy-to-guess password, and these rules will prevent that.
Staff should all have their own unique login and password (no school standard password) and should not share passwords with children.
Any concerns about password security should be reported immediately and changed.
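An added example (not from the original article) of enforcing the password rules above at domain level and then finding accounts that escape them. The domain name is a placeholder; it assumes the ActiveDirectory RSAT module and Domain Admin rights, and the history, lockout and expiry values are our own choices.

```powershell
# Added example, not from the original article.
# Applies the minimum password rule from the article to the whole domain and
# lists the accounts that are exempt from it and therefore need a review.
Import-Module ActiveDirectory
$domain = "school.local"   # placeholder domain

# ComplexityEnabled demands three of: upper case, lower case, digit, symbol, and
# rejects passwords containing the username, covering the 'username as password' case.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 6 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 10 `
    -MaxPasswordAge (New-TimeSpan -Days 180) `
    -LockoutThreshold 10 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)

# Accounts marked 'password not required' or 'password never expires' bypass the
# policy; each one should be justified or corrected. Sorted so the oldest passwords come first.
Get-ADUser -Filter { Enabled -eq $true -and
                     (PasswordNotRequired -eq $true -or PasswordNeverExpires -eq $true) } `
           -Properties PasswordNotRequired, PasswordNeverExpires, PasswordLastSet |
    Select-Object SamAccountName, PasswordNotRequired, PasswordNeverExpires, PasswordLastSet |
    Sort-Object PasswordLastSet
```

Service accounts will legitimately appear in the second list; record the reason for each rather than quietly leaving them there.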
Folder Security
It’s easy for staff shares to get messy, quite often with years of work and planning stored and the task of sifting through these items extremely daunting. Whilst GDPR means that you really do need to check whether there’s any personal data in there that you have no legal basis for still holding, another consideration is access.
It’s quite often forgotten that SEN folders, HR folders, or anything of that type, are saved in locations that can be browsed by everyone. Without proper folder security in place, you are already not keeping data safe.
Review which folders should and should not be accessible, and to whom, and make sure the correct folder security is applied. With Windows folder security set up correctly, these sensitive folders will not be visible to those without access.
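An added example (not from the original article) of locking down one sensitive folder on a staff share and hiding it from everyone else, which is what access-based enumeration does. The folder path, share name, domain and group names are placeholders; it assumes a Windows file server and an existing SEN-Team security group.

```powershell
# Added example, not from the original article.
# Restricts an SEN folder on the staff share to the SEN team and hides it from
# everyone else using access-based enumeration.
$folder = "D:\Shares\Staff\SEN"   # placeholder path on the file server
$share  = "Staff"                 # placeholder SMB share name
$group  = "SCHOOL\SEN-Team"       # placeholder AD security group

# Break inheritance (copying the inherited entries) so the broad staff permissions
# can then be removed from this folder without touching the rest of the share.
icacls $folder /inheritance:d
icacls $folder /remove:g "SCHOOL\Domain Users" "Authenticated Users" "Everyone"

# Grant the SEN team Modify; keep Administrators and SYSTEM for IT and backups.
icacls $folder /grant:r "${group}:(OI)(CI)M" `
                        "BUILTIN\Administrators:(OI)(CI)F" `
                        "NT AUTHORITY\SYSTEM:(OI)(CI)F"

# Access-based enumeration hides folders the user cannot open, giving the
# 'not visible to those without access' behaviour described above.
Set-SmbShare -Name $share -FolderEnumerationMode AccessBased -Force

# Review the resulting permissions; nothing broad should remain and IsInherited should be False
(Get-Acl $folder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

Test with a non-SEN staff account afterwards: the folder should neither open nor appear when browsing the share.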
Visitors on the Network
When a third-party visitor arrives at school, quite often they have their own device and ask for your wireless key. The question to review in house is what exactly can they access once they are connected? Is this a guest wireless? Or, if it’s your establishment Wi-Fi connected to your network, is sufficient security in place so that anyone with networking knowledge can’t have a look around where they shouldn’t? If they were to open a malicious e-mail attachment, could it reach your server?
Most third-party visitors would never dream of browsing, and wouldn’t have a virus on their work machine, but the point of most of these recommendations is guarding against that rare but possible occurrence.
There needs to be a review of internal permissions, firewalling and guest wireless, if your system has that possibility, or of whether you allow wireless access at all.
The above gives plenty to think about and hopefully offers some direction towards solutions and new avenues to consider. There is plenty more scope for IT questions as GDPR comes in, and schools will need to stay aware of the actions needed to keep data safe and avoid data breaches.
If any of the items raised in this article interest you and require further discussion, we implement these protections proactively for our customers and install all the solutions we talk about.
We are also very experienced in network security, offering consulting, assistance and implementation, either ad hoc or as part of our support SLA.