Since the onset of the coronavirus pandemic, many facets of our lives have moved online—including education. From pre-K to graduate programs, schools and universities have quickly embraced eLearning, which has introduced new cybersecurity risks.
Because of the rapid digital transition to online classes, many schools lacked adequate time to vet new platforms. This, combined with the fact that the education sector is rich with personal data, puts these programs at an increased risk for eLearning breaches and cyber attacks. In fact, the U.K. has warned about a recent spike in ransomware attacks targeting schools and universities, resulting in lost coursework, school financial data, and data related to COVID-19 testing. A cyberattack on the University of California and other schools throughout the U.S. exploited vulnerabilities in a third-party vendor’s software to expose personal student information.
With the announcement of the American Rescue Plan Act of 2021, a $1.9 trillion economic stimulus bill, schools and universities now have increased funding to dedicate to educational technology to support remote and hybrid learning. This funding presents a valuable opportunity for schools to invest in strengthening data security across their platforms. Virtru can help your school secure its communications and protect vital student and faculty data everywhere it’s shared.
Is encryption technology eligible for purchase with funding received under the American Rescue Plan Act?
Yes; Virtru’s encryption technology falls within the scope of this recent stimulus funding. The American Rescue Plan Act dedicates $168 billion to K-12 schools and higher education, as well as billions more to prop up the state and local governments that are critical to funding education. In addition to helping schools and universities meet compliance regulations related to FERPA, HIPAA, and New York Ed Law 2-d, Virtru’s technology can support these facets of the American Rescue Plan Act:
- Purchasing educational technology (including hardware, software, and connectivity) for students who are served by the local educational agency that aids in regular and substantive educational interaction between students and their classroom instructors, including low-income students and students with disabilities, which may include assistive technology or adaptive equipment.
- Purchasing the hardware and software needed to conduct remote and hybrid learning.
Schools across the U.S.—including Brown University and Spackenkill Union Free School District—rely on Virtru’s email and file encryption solutions to protect the personal data of students, faculty, and staff. Here are a few reasons why educational institutions need to prioritize investments in data protection.
Why is eLearning vulnerable to cybersecurity threats?
As students and faculty adapt to the online learning landscape brought on by the pandemic, there are a few primary ways that sensitive data can become vulnerable.
- Bring your own device (BYOD). Personal electronic devices have become critical to eLearning. Rather than using school-owned computers and tablets, students and faculty alike are now storing, downloading, and uploading potentially sensitive data to and from unprotected devices. With many different brands and operating systems (such as iPhone and Android) being used, there isn’t one unified way to protect all devices—so security best practices can be challenging for administrators to communicate and enforce. Additionally, the constant software updates of mobile devices, tablets, and portable internet devices can result in bugs and security vulnerabilities that could impact an entire school district or university system.
- Social media and lax data security habits. Viruses spread quickly through social media sites and apps, and school-aged students are some of the most frequent users of these platforms. As social engineering threats become increasingly sophisticated, the risks of a busy, distracted student or faculty member become greater. Additionally, students may be less vigilant about security when using their own personal devices, even though those devices are used for eLearning.
- Lack of training and existing processes. Because of the rapid switch from in-person to online learning, many schools ended up selecting eLearning programs with substandard security features. On top of that, lack of training on these programs for both students and teachers has amplified the risk of human error in using these platforms. These new platforms have also led to the establishment of new workflows and processes, as paper-centric processes (such as faxing) are not easily accessible in a remote environment.
What types of cybersecurity risks is eLearning up against?
With these vulnerabilities in mind, what are some of the key risks that students, teachers and administrators are likely to face?
- Software attacks. The age-old risks surrounding viruses, worms, macros, and denial of service (DoS) attacks are still very much in effect. These attacks can block users from their programs, infect software, delete files, or damage programs—potentially creating costly and complex problems for a school or university system.
- Espionage. With this type of cyber attack, a hacker gains access to computer networks to retrieve confidential information. With schools harboring student and faculty personally identifiable information (PII) and personal health information (PHI), this presents a risk not just to the educational institution, but also to the students and families it serves.
- Acts of theft. Attackers may commit acts of theft, stealing anything from data to intellectual property. This can be incredibly costly to educational institutions, both materially and in terms of brand reputation and trust.
- Authentication. Video conferencing tools generally provide a URL and meeting information via email. It’s great when this information is easily accessible to students, but that means it’s also easily accessible by other individuals. This can lead to insecure communications and even what has been called “Zoombombing,” the sharing of meeting information with others on the internet who gain unauthorized access to classes or meetings.
How can schools and universities better secure their data?
So, knowing these threats exist and are very real to educators and students, how can they mitigate the risks of compromised systems or data?
- Protect the sensitive data increasingly being shared through Gmail and Google Drive as well as Microsoft Office 365 and Microsoft Outlook. With Virtru’s email and file encryption, data can be shared freely with the confidence that it’s protected everywhere it travels. So when a college admissions department needs to collect PII from prospective students, or an alumni association collects financial information from donors, those communications remain secure.
- Ensure compliance with HIPAA, FERPA, and other regulations like New York Ed Law 2-d. Steep non-compliance fines are the last thing schools need right now. By putting a layer of encryption like Virtru in place, schools can maintain compliance without making drastic changes to staff, faculty, and student workflows. Schools possess a sizable amount of sensitive student health information—for example, special education departments often need to share PHI with other educators or partner organizations in order to create individualized education plans, or IEPs. Encrypting those communications is critical to maintaining compliance and protecting students’ privacy.
- Improve authentication, authorization, confidentiality, and accountability. By carefully managing user identity, you can ensure that everyone accessing the system is meant to be there, and that no unauthorized individuals can access sensitive information. Consider a secure single sign-on (SSO) provider or using dual/multi authentication to validate that students and faculty are who they say they are.
- Support common workflows. In order for faculty, staff, and students to adopt new technologies, they need to be easy to use. Virtru’s email and file encryption capabilities implement seamlessly with Google Workspace and Microsoft Outlook, adding a layer of security that protects data far more thoroughly than native email and file encryption.
- Use digital rights management. This ensures that digital information is copyrighted and can prevent unauthorized distribution of information.
- Install firewalls and anti-virus software. Whenever possible, devices should be equipped with virus detection software to lessen the risk of compromise.
- Provide training for security and teach employees and students how to detect risks before an attack occurs. Educate students and faculty on how to detect potentially harmful applications, emails, and downloads. Continuously training and educating your users is increasingly important, particularly as phishing attacks and social engineering become more difficult to recognize.
Want to learn how your educational institution can better protect data in a remote learning environment, or how to apply funding from the American Rescue Plan Act of 2021 to your school’s eLearning and communications platforms? Contact Virtru today to see how our solutions can integrate with your school’s existing email and data sharing platforms.
Advances in technology have begun to transform education, allowing educators to implement distance learning initiatives that extend the reach of their curriculum beyond the physical classroom. While these trends bring significant opportunities for student learning and development, they also carry significant risks regarding preserving student data privacy. Download this checklist to explore best practices and key considerations for protecting student data in digital workflows.Get the Checklist