| | November - 20189· Join the mailing lists that keep you aware of critical patches for your software and equipment. Have an additional update procedure for timely items.· Put the time in to change shared passwords when people leave. Remove permissions that are no longer needed and make sure that accounts are appropriately disabled upon employee exits.· Backups. Have them. Make sure that they work.Security through obscurity doesn't workWith limited resources, there will always be a temptation to take the quickest path. I once worked with a school district who had rolled out a large number of student accounts and decided to preset their passwords. Instead of randomizing these passwords, they used what was thought to be a complex algorithm. Student ID numbers were multiplied, divided and otherwise shifted into a new form which became the password. It did not take students long to reverse engineer this process which quickly forced the reset of all passwords utilizing a random character based process. Shortcuts utilizing this type of secrecy to generate a facade of security tend to have a short life in the face of day-to-day practices.Your students can be your greatest allyTechnology is for students, so why do we so often treat students as the enemy when it comes to cybersecurity? What we've found time and time again is that if we ask our students what we need to know about security on our network, they'll tell us. Students have shared with us how they and their peers bypass our security. They've shared the best proxy sites that may be used to bypass the web filter. They will even walk us through bugs that they find in educational software which we forward directly to our partner's engineering department. If students are systematically treated suspiciously for their curiosity then it becomes an arms race for which we don't have the time or budget. If students are brought into the conversation then they become allies in a mutual effort towards cyber safety and security.You can utilize a red team/blue team mentality even with limited staffingIn the ideal world, red and blue teams can make for a powerful innovation mechanism when it comes to securing your network. Picture a red team crafting custom packets meant to probe your student information system for weaknesses while your blue team is on the lookout with a packet sniffer and both teams ready to collaborate over new processes and policies. Awesome right? In reality, educational institutions rarely have that level of staffing. Even so, committing time for network admin and other staff to "think like a hacker" while having a security mindset can have a profound impact on the security of your network. Giving permission to spend time outside of the day-to-day responsibilities to reflect and learn is essential.Secure your network, but trust your usersOf all of the dangers that I've found within the realm of security in education, the one that haunts me the most is an ever-present temptation to put into place policies that negatively impact our users and the education of our students. When we go into "security" mode, we have a tendency to restrict apps, block websites, and tighten the firewalls in the name of safety. Suddenly, teachers and students have trouble accessing the resources that they need for expansive and self-directed learning. When this goes on for a while, a black market is created. Teachers even start to look at ways to bypass these restrictions. Is there a better way?When our teachers look to use a new app, we ask them to ask just two questions:1. Is it legal?2. Is it good for kids?If the answer to both is "yes", they are allowed to use the app. We've found that by creating a policy of trust with our users and carrying on active collaboration regarding their needs, we keep our system more secure and allow for them to access the resources that they need. Perhaps counterintuitively, more access has created fewer security issues than the workarounds that were born in a locked-down environment. It's not a perfect system, but I would fight for trusting our users over excessive technology-based restrictions any day.Simply put, master the basics and build trustSecurity in educational institutions can be challenging. There is a tightrope to walk between freedom of access and the protection of incredibly valuable resources. Even so, applying the basics well and building strong and trusting relationships with your students, staff, and stakeholders can make all the difference.
< Page 8 | Page 10 >