The idea that a school-based server is more secure than cloud storage is just an illusion, one expert warns
CREDIT: This is an edited version of an article which appeared on the Tes website, written by Nick Morrison.
The amount of potentially sensitive pupil data collected by schools is growing exponentially. Some experts are warning that it is only a matter of time before state schools, like the NHS before them, face a ‘huge outcry’ as the sector is hit by a data scandal.
However, there are some sensible measures that schools can take to reduce the risk.
United Learning, one of the country’s largest multi-academy trusts, is in the process of encouraging its schools to move to cloud-based storage. The trust’s group director of technology, Dominic Norrish, says that, while a school-based server may seem more secure, this is an illusion.
“The major security risk is that you can’t get to that data when you are outside school. This drives unintendedly risky behaviours, such as teachers taking data out of the system and putting it on a memory stick and taking it home. It’s very rare that anyone has an encrypted memory stick, and very often that they are lost,” he explains.
Keeping data secure
Storing data in the cloud means that it can be accessed securely, so there is never an excuse to remove data. The equipment is also regularly updated, which means the school does not have to employ someone to operate server rooms or replace the servers every few years.
It also means the school is less vulnerable to ransomware, with robust firewalls keeping out malicious attacks or limiting their impact. In addition, sharing data in the cloud involves granting access – which can be revoked at any time – rather than sending an attachment, which cannot be recalled once sent.
“A fundamental principle of data protection is that you don’t move data; you grant access, and you rescind access,” Dominic continues.
He adds that schools should carry out a data protection impact assessment when partnering with any third-party provider. This should look at how they will protect the data, where they are storing it and the strength of their password policy.
Data stored in the EU is subject to strict EU laws, although this does not necessarily mean that storage outside the EU is less secure. Companies can undertake to treat it as though it were stored within the EU, even when it’s not, Dominic says. Risk assessments should also be carried out any time data is shared. “Unless you ask the right questions, data could be shared with people who do not have sufficient security, and that creates a risk.”
Also crucial is making sure staff are aware of the dangers. “The majority of data breaches happen when someone accidentally emails a file to the wrong person,” he adds. “One of the most important things you can do is to educate the human beings. Showing people real examples of emails you have received can be very powerful.”