Education Business

Data security: educating the educators
Andrew McIntosh, operations manager at Powerchex, investigates the increasing burden of keeping personal data safe in the education sector

ImageAcross the world, fraudsters are realising the potential treasure trove that lies with people’s sensitive information. As the risk has become main-stream rather than a few isolated incidents, there has been a steady increase in awareness of data security and the risk of identity fraud.
    
Information exchange is a central facet of educational institutions everywhere. After all, teaching cannot take place without it. However, such institutions also hold detailed personal records of their current and past students, and of their staff. Schools, higher education authorities and other related parties have a duty to ensure that all is being done to safeguard this kind of information. Though many institutions have good standards of data security, a significant number still underestimate the risk of data loss and fraud both to their own reputation and to the individuals whose personal information they are entrusted with.
    
Whether it happens through criminal intent or by complete accident, a data breach is still a data breach. The sad fact is that honest staff can pose a similar level of threat as that posed by computer hackers, and it takes just one moment of carelessness for this to be demonstrated.

Precautions
What can you do to mitigate against the risk of fraud and data loss? Here are the precautions you should look to have in place:
    
You need to create a centralised environment for all personal, financial and other, potentially valuable information, meaning that all data can be secured in one or more protected databases. Despite the complexities in doing this, moving all sensitive information to just a few locations makes it much easier to control and secure data.
    
Any information database should be equipped with real-time activity monitoring so that administrators have logs of all user activity. These should go back at least 12 months.
    
Once in place, those who work with this information should not be given access beyond that necessary for them to perform their job roles. The less access an individual has to information, the lower security risk they represent.

Monitor & control
You should be looking to monitor and control all flows of potentially sensitive information in and out of the institution:

  • Where laptops or other portal devices are used to transfer sensitive data, these should be encrypted. Usage of such devices should be logged and monitored under the authority of an appropriate individual. Water-tight policies on the usage of such devices should be in place.
  • Software which tracks all web surfing as well as e-mail traffic should be installed on every single terminal on your network, and staff should be aware of this. 
  • You should consider blocking all major external webmail and social networking sites for all members of staff. This reduces the risk of sensitive information being deliberately or unintentionally sent to an external party.
You should ensure that you conduct checks on any third party suppliers that might have access sensitive information. After all, these companies will still impact on your reputation if something goes amiss. If you choose to outsource your IT, do not forget to conduct checks on their staff also. Remember, they have access to absolutely everything on your network.
    
You should have a clear policy on what to do with paper documents that could contain sensitive information. In the case of administrative staff, it may be good practice to treat all paper as ‘confidential waste’ to eliminate any confusion about which bin to use. All paper should be shredded ‘cross-cut’.

Know your staff
To have all the above in place demonstrates a good understanding and appreciation of the risks of data security. However, this is insufficient in real terms because it fails to address where the key risk lies, and that is your staff.
    
It goes without saying that you should screen your employees. All of them – temps, cleaners, even the work experience boy. If they could have access to sensitive information then you should ensure that they are properly checked.
    
There has been a lot of media focus recently on inadequate background screening, especially relating to criminal record checks. Any person working in an environment where they have access to children or vulnerable adults should be subject to an Enhanced Disclosure Criminal Check and needs to be registered with the Independent Safeguarding Authority (ISA).
    
You need to be checking the full employment history of any potential employee, including personal references from their previous managers. While often time-consuming to obtain, these can be an invaluable tool to help gain a real insight into the character and potential performance of any future member of staff.
    
Some appropriate questions to ask about a potential member of staff might include: “What was their rapport with their charges? Their colleagues? The management team? Were there any disciplinary issues with this person that you are aware of? How did they respond to criticism? Were they a team player? Did they struggle to keep up to date with necessary paperwork? Would you re-employ them if given the opportunity?”
    
Remember, if the referee is unwilling to provide a reference, then change tack and ask on a personal basis; most people are more comfortable commenting if reassured in this way. And despite any temptation to do so, never start a new member of staff before checks upon them have been completed. You should always wait until everything is back and you are happy with the information you have gained before you let them in the door.

Training & awareness
Finally, you need to conduct regular training and awareness programmes for staff to make them aware of their data security requirements. Those who work with sensitive data need to have a clear understanding as to why data security is integral to their work and what they need to do to comply with regulatory requirements.
    
The important thing to remember is that data security is not simply an IT issue. The main risk of data breach remains that which is hardest to control; human error by those who work with sensitive information. Imagine that an individual with felonious intentions applies for a job with you. Are you confident that you have enough checks and/or deterrents in place to spot them? Do you honestly believe that you are devoting enough resources to raise staff awareness and conduct risk assessments, or are you making the mistake of focusing solely on IT security?