Aug 24 2020

Tips on Reducing Key Remote Learning Security Risks

As postsecondary schools prepare for various digital instruction models, here are some important tips for securing online, hybrid and remote learning.

The digital transformation of higher education is at full throttle. Spurred by evolving pandemic pressures and bolstered by the benefits of new technology solutions, postsecondary schools are embracing various distance-, blended- and hybrid-learning formats to maximize student success in challenging environments. But are they doing it securely?

Online courses — whether it’s a combination of in-person and online instruction, or entirely remote classes — can create major cybersecurity risks. Especially when in-person classes are combined with on-demand online courses, malicious actors can seize opportunities to compromise critical systems and create operational havoc.

To defend the digital front line, colleges and universities must keep up with evolving security postures in a rapidly changing cybersecurity landscape. As higher education prepares for an unprecedented academic year, here’s a look at some common online-learning security shortfalls, the reasons why they arise, and how to address them.

Lack of IT Funding Leads to Cybersecurity Problems

According to RiskBased Security’s 2019 Year End Data Breach QuickView Report, the education sector accounted for 7.2 percent of total breaches reported. While this number pales in comparison to healthcare sector attacks (13 percent) or general business breaches (69 percent), attacks in higher education are growing significantly as cybercriminals target new online-learning models.

Furthermore, limited funding for IT departments in recent years has created major barriers that prevent colleges and universities from securing distance-learning classes today.

In 2018, EDUCAUSE found that higher education institutions were spending only 4.4 percent of their total budgets on IT, and that there were only 0.26 central information security full-time equivalent positions per 1,000 FTEs on campus. Without sufficient funding or staffing to support the move toward online learning at scale, significant security deficits arise.

As a result, colleges and universities are now facing critical cybersecurity challenges in these four areas: digital trust, online classes, learning management systems and social media.


Ensuring Digital Trust in Higher Education

Considering that higher education may never return to the old normal, taking the time to build digital trust is key.

“Trust in your organization’s ability to protect digital information is critical this academic year, since more interactions than ever before will be conducted online,” says Sandy Silk, director of security education and consulting at Harvard University.

Silk, who is also an ISACA cybersecurity speaker, brings up the example of remote socializing, a new dimension for residential campuses this year. This is an important area for cybersecurity professionals to be mindful of.

It is critical that colleges and universities ensure the data stored and shared across new remote socializing solutions are protected. “Make sure contracts for those SaaS vendors have appropriate security and privacy clauses,” Silk says. “And be clear with students about if and how the data they contribute into these platforms will be used and shared.”


Specifically, security clauses need to cover how data is stored, handled and accessed by Software as a Service vendors. Ideally, schools should prioritize zero-trust contracts that limit access to approved campus staff and students.

As always, it is important to be mindful that regulations such as the General Data Protection Regulation and the California Consumer Privacy Act require privacy clauses for any SaaS app that handles personal or private data. These clauses must include detailed information on which organizations and providers are collecting the data, why they are collecting the data, what data is being collected and how they will use the data. Privacy clauses must also be readily available to users, and students must have the option to opt out of any SaaS services that collect their personal data.


Preparing for Cybersecurity Issues in E-Learning Systems

Distributed e-learning systems also pose a potential problem for postsecondary schools, especially as the number of students and staff using these systems fluctuates over time. If colleges and universities suddenly find themselves pivoting back to online learning because COVID cases are surging, it helps to have an infrastructure that can keep up with rapid transitions.

“Consider the ‘availability’ principle of security,” Silk says. “Making sure that all students will have the devices and bandwidth they need to connect to our systems is the first hurdle.”

She also notes that many schools have been shipping laptops and mobile Wi-Fi hotspots to students in need of connectivity support. While this can reduce economic disparity and improve technology access, it introduces potential hijacking risks. These risks are especially significant for systems that are managed by very few staff.


The key, in this case, is access management. “Once everyone can get online, restricted access to verified users via two-factor authentication will minimize the risk of gate-crashing,” she says.

It is also critical to implement permissions-based access management tools that can identify users by their location and behavior. Because many students access e-learning systems from multiple locations — such as home, work and campus — universities need solutions that can assess both current and historic access requests, deny or approve logins, automate incident reports and terminate connections.

Tips on Securing LMS for Online Learning

Many colleges and universities already have reasonably robust learning management systems, thanks to increased student demand for more flexible learning experiences.

“The security and privacy of the core LMS used in the organization is probably in good shape already,” Silk says.

The challenge, however, lies with securing the Learning Tools Interoperability add-ons.

“Secure the myriad assortment of LTI add-ons that faculty and teaching fellows can likely connect via a click-through agreement,” Silk says. “The risk of data leakage or breach through that attached module can be greatly reduced if you have a ready method — and practice — to pass an opaque identifier and no identifiable student information to the integrated system.”
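One way to put the opaque-identifier practice into code, as an added example that is not from the article or from any LMS vendor: the LMS side derives a keyed, per-tool pseudonym for the student and forwards only an allow-list of launch fields. The field names follow LTI 1.1 launch parameters; the key, tool names, function names and sample launch are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Assumption: a per-deployment secret held only on the LMS side (placeholder value).
PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"

# Allow-list: only these launch fields are forwarded to an add-on.
# Names, e-mail addresses and SIS ids (lis_person_*) are dropped by default.
ALLOWED_FIELDS = {"roles", "context_id", "resource_link_id"}


def opaque_id(internal_user_id: str, tool_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Derive a stable, per-tool identifier that cannot be reversed without the key."""
    # Length-prefix the tool id so ("ab", "c") and ("a", "bc") never produce the same input.
    msg = f"{len(tool_id)}:{tool_id}:{internal_user_id}".encode()
    # 128 bits of the HMAC-SHA256 output is ample for a unique identifier.
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def minimise_launch(launch: dict, tool_id: str) -> dict:
    """Return what the add-on receives: allow-listed fields plus an opaque user_id."""
    out = {k: v for k, v in launch.items() if k in ALLOWED_FIELDS}
    out["user_id"] = opaque_id(launch["user_id"], tool_id)
    return out


# Constructed sample launch, not real student data.
SAMPLE_LAUNCH = {
    "user_id": "s1234567",
    "lis_person_name_full": "Jane Example",
    "lis_person_contact_email_primary": "jane@example.edu",
    "roles": "Learner",
    "context_id": "course-101",
    "resource_link_id": "link-42",
}

if __name__ == "__main__":
    # The same student gets a different identifier in each tool, so two
    # add-ons cannot join their records on user_id.
    for tool in ("quiz-tool", "whiteboard-tool"):
        print(tool, minimise_launch(SAMPLE_LAUNCH, tool))
```

Because the identifier is keyed and scoped per tool, a breach at one add-on exposes neither the campus ID nor a value that can be correlated with another add-on's data.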

It is also worth considering vulnerability assessment tools, which can unearth potential LMS issues before colleges and universities roll out these systems at scale.


Back to Basics: Securing Social Media

More and more faculty are turning to social media to engage students during online learning, and this entails some security risks. Social media can open a door for viruses and malware to infect educational infrastructure. The good news is that basic security measures can significantly reduce most risks.

“Make sure your systems have up-to-date patches and that you’ve backed up your important data to an off-network location for restoration if needed,” Silk says.

She also speaks to the need for regular training for both staff and students. “Anyone can be tricked by a scam on a bad day,” she says. “Taking a breath, and considering if the message or request sounds reasonable from the alleged source, helps a lot.”

By creating a culture of security awareness — especially one that prioritizes safety over speed — schools can mitigate growing social media security risks.

Ways to Secure Third-Party Vendors

There are two key areas that are becoming more challenging for higher education cybersecurity teams to manage effectively: third-party services that process data for schools, and the growing number of Internet of Things and Industrial IoT devices on campus.

As schools turn to more third-party services for managing online and in-person classes, vendors can pose major security risks.

“Sussing out realistic vulnerabilities in technology and processes that could allow significant incidents is key,” Silk says. “So is having your negotiation offices ensure your contracts have the proper security and privacy clauses with the vendors, including service-level agreements for incident notification.”

And because many legacy systems were not designed to handle the continuous connectivity that IoT solutions require, adding these devices can create large cybersecurity gaps.


“With increasing demand from students and faculty for smart classrooms and smart buildings, the rate of installation of new devices that were not designed with security in mind — because they won’t handle sensitive data but can control the environment — can introduce new attack vectors onto your network,” Silk says.

“This becomes a challenge for both sides of the equation, the device manufacturers and your own security professionals,” she adds, highlighting the need for modern infrastructure.

Solving this security challenge requires both initial network assessments and new infrastructure deployments that are capable of handling IoT connectivity at scale. Trusted third-party evaluations can provide the foundation for new frameworks. They can identify applications and services that contain potential points of compromise, paving the way for cloud-based technologies that can handle the volume and variety of device connections.

On Securing Higher Ed’s Online Classrooms

For IT security teams, cybersecurity is now critical for ensuring that new online learning initiatives do not compromise existing infrastructure.

To defend the digital front lines, schools can start by identifying spending and staffing shortages. They should also prioritize common challenges such as digital trust, distributed e-learning systems, expanded LMS frameworks and social media security.

Last but not least, it is critical for colleges and universities to address potential risks surrounding third-party vendors and IoT implementation. This way, distance-learning environments can deliver the intended results.
