Helping children learn to cite photos and resources from the web is but one aspect of digital citizenship. A less easy topic, but perhaps more important because of that, is actively modeling digital safety and privacy. Recent attack vectors have left educators reeling from massive data breaches due to ignorance and a lack of consistent procedures for safeguarding sensitive data.
“This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme.”
– IRS Commissioner John Koskinen (2/7/2017) (Source #1 | Source #2)
Recent attacks employing this approach against Texas school districts include those at:
School districts are convenient targets for the following reasons:
- Data availability (including data on students who have not yet entered the workforce, whose identities can be stolen).
- School districts often lack the funding to pay for sophisticated systems to defend against attacks, as well as for the people to run them. In fact, regional service centers may lack adequate funding and staffing as well.
- End users are untrained in how best to protect against social engineering, phishing, and other types of attacks, since it’s not their job to learn data encryption.
To address the final bullet, some actions educators can take to minimize risks are given below.
#1 – Avoid Phishing Attacks
Phishing, which has grown by 33 percent over the last year, involves fooling someone into providing their login credentials and/or confidential data.
Recommendation: Do not provide your login credentials to anyone and NEVER send unencrypted confidential data via the Internet. Encrypt data first and then pick up the phone to speak to the other person FIRST. This is true even if you know the other person well (Source: New Gmail Phishing Attack). It cannot hurt to ask the other person first why they need access to this sensitive data. At the very least, you must exchange the encryption password.
#2 – Secure Confidential Data
Just as hackers employ encryption to deny access to data on a ransomware-infected machine, so can educators and students learn to use encryption to prevent unauthorized access to data. Popular data encryption tools are available that enable educators, regardless of device, to secure their data from prying eyes. And in the likely event that data is stolen or accessed, the thieves will be unable to do anything with the encrypted data.
Recommendation: Establish procedures for handling sensitive data in your classroom and/or office. Ensure that data containing personally identifiable information (PII), as well as usernames/passwords to popular services, is encrypted. You can use a text file to put all your usernames and passwords into; just make sure it is encrypted. Use Secure Space Encryptor (SSE) on Mac, Windows, iOS and Android devices. Chromebook users should rely on FileLock.org, a browser-based solution.
#3 – Prevent Access to Data
As schools become data-driven, putting security processes in place becomes imperative. In fact, if you can walk into an office or classroom and get a username and password for any district information system, that’s a problem. Schools must also keep in mind that students may be among the people who can leak logins and passwords. It’s all too easy for a student to walk into a classroom, look under their teacher’s keyboard, and get access to the Google Suites for Education or Microsoft O365 username and password.
Recommendation: Secure your passwords using a “password database” (e.g. KeePass, LastPass, 1Password). These are encrypted locations or files. They are also convenient; you need only remember one password to access the encrypted database containing your usernames and passwords. Make sure to log out of open systems on your device, whether it’s a computer or smartphone.
#4 – Heed Warning Signs
“She just went ahead and clicked the malware email,” said the network engineer. “‘Why did you click it?’ I asked her, and she said, ‘It looked relevant, even if it was in my spam folder.’” Most email programs and/or services will provide you with a warning. For example, Google features “Safe Browsing,” which throws up a red sign when you encounter phishing attacks. Keep in mind that there’s generally a good reason for something to be in your spam.
#5 – Learn and Share Information
While many are waking up to the importance of digital citizenship, data privacy and security remain nebulous, techie subjects. Explode the myth with access to online curriculum that can coach you and improve your skills. You can read this privacy ebook for educators (free), facilitate professional learning opportunities using Me and My Shadow’s curriculum, as well as conduct a thorough review of how data is managed in your environment.
Finally, make every effort to model for staff and students simple ways that data can be protected. Safeguarding our children’s education remains paramount, but you can’t teach in an unsafe environment. Protect, educate, and model digital safety.
Updated 02/19/2018: Updated to replace browser-based file encryption tool (Minilock) with FileLock.org.