This piece was originally published here by Educating Modern Learners.
With increasing adoption of computer technologies, schools must do a better job addressing two important issues: privacy and security. Here, education security advocate Jessy Irwin offers some first steps in learning about security. And this isn’t just a lesson for students — it’s for teachers and school leaders and parents as well.
If digital citizens have learned anything from the web in 2014, it is that this year is the year of the hacker. While malicious black hat hackers compromised hundreds of millions of accounts across the web, their ethical, white hat counterparts uncovered code flaws like Heartbleed and Shellshock that weakened parts of the critical infrastructure of the web. In this new web order, the question is no longer “if” you will be hacked on the web, but “when.” In many schools, the primary goal of digital literacy education is to give students the skills they need to find, remix and create content on the ever-expanding worldwide web. In the quest to unlock the potential of the web and its troves of boundless content for learners, however, many educators overlook the weakest aspect of digital literacy for the average web user: security.
Because security breaches are the new normal on the web, it is more vital than ever that educators and students are equipped with the skills they need to protect data, privacy, and personal identifying information shared with web services.
Risks and Threats for Educators
When it comes to assessing security risks and modeling threats to student data, many educators and education technologists are of the opinion that “No one is going to bother hacking some kid’s homework.” For the vast majority of students and educators around the world, the stereotypical malicious hackers or cybercriminals portrayed in the media will never be a direct, persistent threat to school data or classroom assignments. Nonetheless, it is still important to identify and reflect on motivations that could lead to a targeted security breach. In schools across the world, direct and targeted attacks have been carried out by:
- Students. Over the past few years, high school and college students throughout the US have been caught hacking into school systems to change their grades.
- Parents and relatives. As a potential side-effect of high-stakes testing culture, some parents will do anything to give their students an advantage, including gaining unauthorized access to student records to change grades.
- Politically motivated groups. In 2012, the hacktivist group Anonymous unearthed videos, photographs and social media evidence at the center of a high school rape case in Steubenville, Ohio.
- Foreign governments. Major research universities focused on technology, science and medical innovations have uncovered evidence of surveillance and hacking aimed at stealing information about their valuable discoveries.
Though the security needs of certain educators, schools and students will vary, the biggest security issues facing education today are more commonplace, opportunistic security threats. Attacks with malware, ransomware and adware install malicious code on a computer, giving control of the infected computer to an attacker. Email-based attacks like phishing and spoofing steal account credentials and send virus-laden emails to everyone in the contacts of a compromised account. (Spoofing can be particularly embarrassing for an educator who stands to lose credibility with parents and coworkers as there is no way to prevent emails from being sent by an attacker.) For schools, especially those running on aging technological infrastructure, these wares and viruses may escape detection while compromising network stability and student privacy by capturing data and transmitting it back to an attacker.
Security Tools and Tactics for the Classroom
Though security breach fatigue has left many feeling as if there is little that can be done to prevent being compromised online, there are steps that can be taken to minimize negative repercussions of getting hacked.
To help students become better digital citizens, it’s important for educators to rethink their own online habits in order to model strong online security practices for students. To get started, educators can adopt these security practices in the classroom to help protect their data and that of their students:
- Separate personal + professional accounts. Enforcing a strict separation between professional and personal email and social media accounts reduces the likelihood of a security issue or an accidental breach of student privacy.
- Use a password manager to create unique, random passwords and to end the insecure practice of using the same login credentials in multiple places. A password manager will keep track of online accounts, audit your passwords and store secure notes which can be used to keep track of student passwords.
- Turn on 2-factor authentication wherever possible. This security feature requires a second piece of information (generally, a 6-digit code) before granting access to an account.
- Enable screen locking and PIN codes. The majority of privacy and security breaches that are reported every year are breaches in physical device security, not brute force attacks. For mobile devices and computers, prevent unauthorized access to a machine by enabling a screensaver that requires a password.
- Avoid using predictable formulas for student passwords. More often than not, any formulas combining parts of a student’s name, initials or graduation date will be cracked by students, who will do their best to guess a classmate’s password information.
Many ed-tech applications do not offer SSL or two-factor authentication. Schools should press for these before agreeing to adopt the products.
To increase security at an organizational level, administrators and IT staff can also set up a virtual private network for educators to use when accessing student data, especially in places with open public WiFi, where traffic can be monitored or intercepted. In terms of instructional technology, educators can choose to use tools with built-in security measures like site-wide HTTPS/SSL encryption to protect student privacy. By modeling best practices for students and working to break technical concepts into comprehensible terms, educators can give students an opportunity to learn important digital skills that will protect them from harm in the future.
Building a Culture of Security Awareness
In the classroom, instructional time is golden: usability and unimpeded access to online tools are necessities. While it may not be feasible to unleash password managers and 2-factor authentication for every student, exposure to solid security habits and activities that encourage students to be proactive about online security is invaluable in the current web climate. To raise awareness among students and build critical thinking skills around online security:
- Require students to show proof that they’ve changed passwords once a semester. In the K12 classroom, this could be a small extra credit opportunity, a quiz grade or an opportunity for free time. At the university level, requiring students to show proof that they’re using a strong password manager could be built into a course as a requirement or small assignment.
- Conduct quick security checkups. Whether you’re in a room of colleagues or a bunch of students at work, walk around and check for unlocked screens on computers. After being caught unprotected once or twice, most will take the necessary steps to fix the issue once they are aware of it.
- Take a phishing quiz as a group. Many online security companies that study phishing and spoofing attacks regularly create and post online quizzes to help users learn how to identify compromised email. This can be a fun way for students to use their collective knowledge to determine whether they would be tricked by these convincing attacks.
- Get students involved in regularly updating their devices. “Bug fixes” and “security improvements” may not say much about the severity of a patched security issue, but they are important for taking care of a computer and the software inside of it.
More than anyone else, modern educators understand the impact that thoughtful classroom rules and policies can have on encouraging positive habits in the classroom. To prepare students for the future of technology, it is our responsibility to teach students how to think about online security, to weave important digital habits into classroom routines and activities, and to arm them with critical thinking skills for the digital world. As we encourage our students to find their voices and create online identities, it is vital that we give them the tools to protect themselves, their identities, and the content they create that will follow them online for years to come.
School leaders: how secure are your computing devices? How up-to-date are your security practices?