Data security is essential for schools, given the use of digital platforms and software that are used for teaching, learning and school management Safeguarding sensitive student and staff information is more critical than ever.

In this article we outline best practice steps schools can take to implement robust security measures and protect this confidential data within SEQTA. This includes several technical and non-technical actions that help keep school data secure, such as:

  • Implementing Security Assertion Markup Language (SAML) with multi-factor authentication (MFA)
  • Following the principle of least privilege, as well as
  • Establishing a robust security program to protect against phishing and other common attack vectors.

4 Key Components of Data Security Infrastructure

  1. Single Sign-On (SSO):
    • SAML is an industry-standard authentication protocol that enables single sign-on (SSO) and secure authentication between an identity provider (IdP) and SEQTA, allowing seamless and secure access to your data.
    • With SAML users log in once to their identity provider (e.g. Azure AD, Google Auth) and gain access to all SEQTA applications without the need to re-enter credentials.
    • This streamlined process simplifies user experience and reduces password fatigue.
  2. Enhance Security
    • SAML leverages cryptographic signatures to ensure data integrity during the authentication process.
    • Multi-Factor Authentication (MFA) can be enforced by the IdP, providing an extra layer of security.
    • Enabling MFA means that even if a user’s credentials are compromised, they remain protected, safeguarding against phishing attacks and credential leaks
  3. Centralised Identity Management
    • User accounts are centrally managed in a directory system such as Active Directory.
    • Changes such as password updates and account deactivation, are automatically reflected across all SEQTA applications, ensuring consistency and security.
  4. Auditing and Compliance
    • SAML provides detailed logs for authentication events, making it easier to audit.
    • By tracking user access, SAML helps schools meet compliance requirements, ensuring adherence to regulatory standards.

3 Ways to Combat Phishing Threats

  1. Phishing Awareness Training:
    • Conduct comprehensive phishing awareness training sessions for students, teachers and staff. Develop engaging lessons that explain what phishing is, how it works and the risks associated with it.
    • Teach users to “think before they click” on links or opening attachments from unknown senders. Encourage a healthy scepticism toward unexpected emails and ensure they know who to contact if they receive a suspicious email.
  2.  Invest in Phishing Protection Tools:
    • Schools should allocate resources to be able to invest in and implement robust anti-phishing solutions. These tools can automatically update and adapt to new threats.
    • Regularly conduct phishing simulations to assess the effectiveness of your training and identify users that might need further training.
  3. Develop and Communicate a Reporting Process:
    • Establish a clear and easy process for staff and students to report suspected phishing emails
    • Enabling staff to report suspected phishing emails will assist in identifying potential risks and reducing false positives
    • Conducting regular reviews on reported emails can also assist in providing targeted training, enhancing overall security awareness.

The Principle of Least Privilege

The principle of least privilege is the concept of limiting permissions and privileges granted to users to the minimum necessary for them to perform their role.

  1. Minimise Access
    • Users should only have access to permissions relevant to their current role
    • If a user requires access to additional permissions due to a change in role, these should be separately requested, reviewed and granted
  2. Attack Surface Reduction
    • By limiting permissions, the attack service is reduced, minimising the data exposure in case of compromise
    • By granting access to what is only essential to a role, the impact of a security breach is significantly mitigated as the attacker will gain access to less data.
  3. Regular Reviews
    • Conduct regular reviews of permissions to detect and address any misconfigurations promptly
    • Ensuring permissions are regularly reviewed helps prevent unnoticed misconfigurations that could compromise security.

Additional Security Best Practices

There are a number of other good security practices to consider, including:

  1. Effective Password Management
    • Implement a password manager with browser support for better password security
    • Educate users on the importance of keeping passwords unique and confidential to mitigate the risk of security breaches resulting from password sharing.
  2. Utilising Passphrases Instead of Passwords
    • Encourage users to choose passphrases over traditional passwords to enhance security
    • The password P@55w0rd!! could be cracked quickly, whilst the passphrase ‘apple tree pear’ could take hundreds of years to crack. Over time, we’ve concentrated on making passwords hard for ourselves to remember, but easy for a computer to crack. By using passphrases, the opposite is true.
  3. Ensure Physical Security
    • Ensuring on premise equipment is physically secure, to prevent exfiltration of data storage devices.
  4. Data Storage
    • Carefully consider what information will be stored and for how long. Avoid storing information or documentation in your systems that doesn’t strictly need to be there.
    • Regularly review and remove stored data that has fulfilled its purpose and is no longer required for compliance or operational reasons.

It is essential to emphasise the critical importance of implementing robust security measures to safeguard your school’s cybersecurity and protect its sensitive data. The security landscape is constantly evolving and staying ahead of potential threats requires ongoing vigilance and protective measures.

At Education Horizons our dedicated security team is committed to supporting your security needs. Whether you need guidance, assistance or have any security concerns, we are here to help. Don’t hesitate to reach out to us via email at: security@educationhorizons.com

And please review our recent School Leadership Series Webinar “School Cyber-security: Where to begin?” for more insight into how your school can protect its most sensitive data.