The gathering storm: Student data security in the Digital Age

How can student data security be guaranteed when faced with a threat that can neither be detected nor predicted?

In the not-too-distant past, banks represented the ultimate in inviolability. Housed in buildings that were designed not only to resist actual attack but to suggest the safety of a fortress, they looked capable of withstanding wars or even natural disasters. The message was clear: Your hard-earned money is safe here.

Of course hits on single banks still occurred, but an occasional robbery was like a flea next to the banking empire’s mountain range. Any attempted heist was a headline-grabbing affair: a mesmerizing sideshow oddity.

Then everything changed. The tangibility of the physical world counted for less. The flow of real money and data did not happen in face-to-face exchanges but in an alternate world of 0s and 1s where it had suddenly become vulnerable to exploitation.

Disturbingly, the exploiters cannot be observed in any traditional sense. They cannot be seen or heard; their existence is really not felt at all – until it is too late.

Initially, it was smaller-scale hacking activities that brought data security to light. Email phishing scams and links that introduced malware, viruses, or trojan horses to personal computers were common, obvious, and easily avoided, relatively speaking. But in the last decade hacks have become more sophisticated. They now occur at a scale and frequency that is dizzyingly, terrifyingly vast.

While huge retailers have been routine prey for hackers in the past, attacks have since broadened in scope to encompass everything from car insurance companies to online dating sites.

High-profile data hacks on the likes of HBO and Sony have given the problem of data security mainstream attention, but data breaches such as these are merely scratching the surface.

For context, consider the following: from 2014 to 2015, data breaches cost the healthcare industry an estimated $6.2 billion as 90 percent of all healthcare organizations suffered at least one security attack. Though a less obvious target for hackers, oil and gas companies have also suffered major losses at cybercriminals’ fingertips with breaches costing the energy and utility industries some $13 million per year.

Yet even these figures do little to convey the full scale and severity of the threat of cybercrime.

The uncomfortable reality is that if you are a regular user of web-based services, then there is a strong chance that at least some of your details have been illegally obtained by someone, somewhere.

This is certainly true for Yahoo users after it emerged that the web and email services provider suffered a huge data breach in August 2013. The initial estimate of those affected was revised from 500 million affected users in 2016 to three billion users in a report in October 2017.

That means that the accounts of all existing Yahoo customers in 2013 were exposed by the hack.

While Yahoo’s example indicates the scale of cybercrime, it fails to indicate the sophistication of hackers’ activities, or the gravity of their impact.

This is more apparent in reports on how the banking and finance sector has lost its aura of invulnerability. Victims include the likes of JP Morgan Chase, SWIFT, and credit card giants Equifax. In fact, even the federal government and IRS have had vulnerabilities exploited by cybercriminals.

The point is that no one is immune to data breaches because the best hackers are evolving in line with technology. As they identify lucrative new targets, they develop and employ techniques that will allow them to better expose and exploit existing vulnerabilities.

A good example is the recent ransomware attack WannaCry, which affected public utilities, companies, and millions of customers worldwide.

For all the chaos the attack wrought, it’s alleged that the EternalBlue code it used was, in fact, an NSA (National Security Agency) exploit of an unreported vulnerability found in Window’s file-sharing protocol.

“So what?” you might ask.

Well, the point is noteworthy because it seems to indicate that dedicated cybercriminals are capable of successfully breaching the defenses of even government intelligence agencies to access tools they can then use for their own intelligence-gathering purposes.

Student data security in education

Bearing all this in mind, many of those in the education sector may well wonder whether student data security is actually possible, particularly as technology becomes a more embedded part of learning at all levels.

It’s a legitimate concern, especially since the sector has not been without its fair share of cyber attacks – from SAT breaches and university ransomware attacks to school literacy tests being shut down by denial of service attacks.

Part of the concern arises from the fact that learning is becoming increasingly quantified. This is to facilitate better analysis of inputs (such as funding and new technology) and outputs (student performance). An unintended byproduct of this is that by generating and storing more data online hackers are given greater opportunity to harvest yet another trove of stolen information which they can then monetize.

Such data breaches can assume a range of guises: viruses, spyware, malware, ransomware, trojans – some of which can appear so innocuous that their threat often goes completely undetected even after they have entered the system.

“Security breaches are unavoidable,” writes Charlie Osborne for ZDNet. “It can take months or even years for the enterprise to discover a security problem. By this point, stolen information may have already traveled worldwide.”

A 2017 report by Mossé Security supports Osborne’s claim. The cybersecurity firm claims the average intrusion detection time by a system engineer is 6 months. Fixing the root causes of security breaches can take a further 18 months.

Prevention is better than cure

Few system administrators in education (or elsewhere) have the time or resources to undo the damage that such a breach could potentially cause. It therefore makes sense to dedicate more time, resources, and energy to preventing attacks rather than dealing with their consequences.

“Data has become a hugely valuable commodity in the digital age,” says Denis Hoctor, Learnosity’s Director of Product and Business Intelligence. “It’s one reason why cybercrime has grown into such a genuine threat. As an edtech company with a product that’s used by many millions of people, we’ve got to take data security extremely seriously. To not do so would undermine the trust we’ve spent years building among our customers. To handle the security of the students’ data itself, we employ a range of pre-emptive measures.”

“For one thing, we store data in an orphaned, anonymized manner. This means that it’s the clients who set user identifiers rather than us. They’re essentially the ones who are in control. We don’t own users’ data; we’re just custodians.”

Which is in itself a huge responsibility. So how can the company ensure the data’s security?

“Security is about keeping things tight. Reducing the surface area of exposure is more about consolidation. It’s easier to secure 1 thing than 50. So as a general rule, we isolate everything and keep critical networks separate. For instance, we silo off client data and keep it separate from the web-facing infrastructure.”

“In addition, we undergo regular penetration tests to ensure that the system is properly shored up. Once we’ve had the auditors stress test our security, we invite them back to run workshops with the team so that they can address any vulnerabilities they found and teach us how to prevent them in future. Obviously, this helps improve our security in a literal sense, but it also serves another important function in that it helps create a culture of security among the team.”

Given the growth and sophistication of cybercrime, creating company-wide awareness is a vital part of improving security.

“It’s important that the team understands that security is not just about networks and firewalls or bits and bytes. It’s about people, processes, and mindsets as much as it is systems.”

The challenge, however, is maintaining this as the company scales its assessment technology.

“I’ve learned that success brings challenges of its own,” says Denis. “The more Learnosity grows and the more high-profile clients it adds, the more likely it is to attract the attention of hackers who are capable of implementing more complex attacks.”

“So apart from the external security measures we take, we restrict access to all systems and data on a need-to-know basis; unnecessary access is reduced to a minimum and regularly reassessed.”

“Additionally, we require background checks in advance of hiring for key roles in production and data, and we remove all access if the person moves on from the company.”

Such measures are the result of an attitude that’s informed as much by respect for privacy as concern for security.

“Learnosity is also a member of the Student Privacy Pledge, which guarantees that we’ll never give or sell student information to third parties unless a client specifically requests that we do so.”

“Data security is an area that’s in permanent flux in many ways. It’s a lot of work, but protecting our customers’ security is incredibly important to us.”