The pandemic has drastically changed the way education is being delivered worldwide. For a large part of the last year, through various lockdowns, we have inhabited a world where being safe equates with being socially distant, quarantined, and connected only virtually.
In the process, we have embraced newer models of education dissemination, battled major safeguarding risks, and accounted for the psychological as well as the overall long-term impact of the pandemic on children.
The bottom line is that this transition to either a hybrid or a remote learning model has come with a fair share of challenges. As a result, the school authorities have to stay vigilant, constantly.
As we enter the next phase, we want to be ready for, and ahead of, any challenges that might arise. When we first made the transition, it was done in haste, so we worked with imperfect systems, where a plethora of safeguarding concerns raised alarm.
Now, all school authorities and other education stakeholders wish to implement a system that is well-thought-out and tested for any safeguarding loopholes. In tandem with this goal, the Department for Education (DfE) has mandated the implementation of a secure remote learning plan by September this year.
This plan would take into account challenges faced in educational settings related to cybersecurity best practices, equity and access, and psychological concerns. This brings the issue of cyber safety to the centre stage. As EdTech is developing exponentially, it is more important than ever to liaise with the National Cyber Security Centre (NCSC) and develop a foolproof structure where
a) cyber attacks can be prevented and
b) mitigation directives are in place if such attacks occur despite these guardrails.
New Learning Models, New Cybersecurity Challenges
In order to fully appreciate the need for a remote learning plan and implement a safeguarding infrastructure around it, it is important to understand the challenges posed by the remote model in nuanced depth.
The NCSC has issued warnings as well as advisories regarding the increased ransomware attacks in the education sector. In a fairly recent ransomware attack, 37,000 children were unable to access their email. Since we moved to the remote mode of learning and working, hacking incidents have been on the rise: the Cyber Security Breaches Survey 2020 found a total of 54% identified breaches or attacks at least once a week for secondary schools.
In addition to the traditional forms of cyber attacks, we also witnessed novel security breaches in the form of “zoom bombing” whereby an uninvited user accesses a private video call. In an educational setting, zoom bombing has posed several threats:
- Invasion of privacy of everyone in the video chatroom/call,
- Distraction from or disruption in the lessons, and
- Exposure to inappropriate materials or sights.
Phishing — the fraudulent practice of masquerading as a person/company of repute in order to acquire sensitive information — was rampant too.
When we first implemented a remote learning structure, it was out of urgency and uncertainty. We knew very little about the virus and how it would impact our lives. Going forward, however, we can predict, with a certain degree of certainty, what precautions and safeguards we need in place to ensure a safe remote learning environment. The Chief Information Security Officer of XYPRO and Cybersecurity Expert Steve Tcherchian shares,
“Cybersecurity awareness needs to be part of any remote learning plan. This needs to start with teachers and administrators. There is usually a huge tradeoff between security and functionality. Unfortunately, with the rush to implement this, security may have been an afterthought.”
“Unfortunately, criminals know that and will capitalise on that. One of the biggest immediate threats to remote learning is ransomware, meeting hijacking and email compromise. These don’t take a lot of effort given the current landscape.”
So, how do we ensure that remote learning programmes are no longer laden with security vulnerabilities? That’s the question this action plan seeks to answer.
Scope of a secure remote learning plan
A robust remote learning plan would account for the safety of children online, data protection and privacy shields, and access to educational resources without endangerment or mental distress. Here are a few areas that need to be considered in the creation of this plan.
Legislations to be referred & abided by
The plan should give due regard to all relevant legislation and statutory guidance including, but not limited to, the following:
- Equality Act 2010
- Education Act 2004
- The General Data Protection Regulation (GDPR)
- The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013
- Data Protection Act 2018
- DfE (2019) ‘Keeping children safe in education’
- DfE (2019) ‘School attendance’
- DfE (2017) ‘Special educational needs and disability code of practice: 0 to 25 years’
- DfE (2018) ‘Health and safety: responsibilities and duties for schools’
- DfE (2018) ‘Health and safety for school children’
- DfE (2016) ‘Children missing education’
- DfE (2020) ‘Safeguarding and remote education during coronavirus (COVID-19)’
- DfE (2020) ‘Adapting teaching practice for remote education’
- DfE (2020) ‘Guidance for full opening: schools’
Measures and tools to be included in a secure remote learning plan
1. Scheduling and conducting classes
For teachers, who directly organise and schedule the classes, it is important to have a checklist of precautionary and security measures handy. According to Tcherchian, measures on this checklist should include: password-protecting your Zoom meetings, using complicated passwords, and creating accounts for children’s emails, Chromebooks, etc. with stronger passwords that aren’t set to their name. He also suggests that admins not share passwords and account details in public documents and, to add another layer of security, make sure the user is forced to change the password upon signing on.
2. Technological preparedness
Some remote learning applications can have security vulnerabilities and leakage threats due to mobile device permissions. Our advice to mitigate this is to start with an initial audit of your information systems. Standard controls should include intrusion detection and prevention, firewall protection, content filtering, email security, antivirus software, and data loss prevention.
Network segmentation, i.e. the creation of separate network segments for students, staff, and confidential data, can help protect the other segments in case of an attack on one segment. A safeguarding perspective would also mean following the “least privilege” policy. Under this policy, you provide tiered access to various segments/users, with no user having access to more dashboards or files than they need. With each tier, the security settings can get tougher and prevent any attacker from escalating to the more sensitive data.
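One way to check that firewall rules actually respect the student, staff and confidential tiers described above is to audit them for unapproved paths from a lower tier into a higher one. This Python sketch is an added example, not taken from any product or guidance named in this article; the subnets, rule names, ports and the single approved exception are all constructed assumptions.

```python
import ipaddress

# Constructed addressing plan for the three segments; higher tier = more sensitive.
SEGMENTS = {
    "students": (ipaddress.ip_network("10.10.0.0/16"), 1),
    "staff": (ipaddress.ip_network("10.20.0.0/16"), 2),
    "confidential": (ipaddress.ip_network("10.30.0.0/24"), 3),
}

# The only approved path from a lower tier up to a higher one (assumption).
APPROVED_UPWARD = {("staff", "confidential", 443)}

# Constructed firewall allow rules: (name, source CIDR, destination CIDR, port).
RULES = [
    ("students-to-printer", "10.10.0.0/16", "10.10.250.5/32", 631),
    ("staff-to-records", "10.20.8.0/24", "10.30.0.0/24", 443),
    ("wifi-to-staff-share", "10.10.64.0/18", "10.20.0.0/16", 445),
    ("legacy-any-to-db", "10.0.0.0/8", "10.30.0.20/32", 5432),
    ("records-to-staff", "10.30.0.0/24", "10.20.0.0/16", 443),
]


def segments_touched(cidr):
    """Every segment a CIDR overlaps; a broad range can span several."""
    net = ipaddress.ip_network(cidr)
    return [name for name, (seg, _tier) in SEGMENTS.items() if net.overlaps(seg)]


def audit(rules):
    """Return (rule, source segment, destination segment, port) for each
    unapproved path from a lower tier into a higher one."""
    findings = []
    for name, src, dst, port in rules:
        for s in segments_touched(src):
            for d in segments_touched(dst):
                upward = SEGMENTS[s][1] < SEGMENTS[d][1]
                if upward and (s, d, port) not in APPROVED_UPWARD:
                    findings.append((name, s, d, port))
    return findings


if __name__ == "__main__":
    for finding in audit(RULES):
        print("VIOLATION rule=%s %s -> %s port %d" % finding)
```

The broad `10.0.0.0/8` rule is reported twice because a single over-wide source range silently gives both students and staff a route to the confidential segment.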
Rahul Mahna, Managing Director of Managed Security Services at EisnerAmper’s Process, Risk and Technology Solutions points out,
“Cameras also come to mind. Most students are using Chromebooks that have integrated cameras. Those cameras are often integrated and not easily controlled by the student. In the case of a hacker getting access to the camera, we suggest that when the student is not working in an online classroom to block the camera lenses with something simple, such as tape. The other precaution is the location in the house in which the student does his/her learning. The camera is picking up items behind the student, such as household items and other personal items that could identify that particular student or his/her family, and then used by hackers for password clues to any number of that family’s devices.”
School managers could also consider an ongoing monitoring framework. This will help analyse logs for unusual activity that could indicate an attack or a potential data breach. “Moving forward, our team does see more shift to Chromebooks that are easily remotely controlled, provisioned and secured through various cloud security software offerings that assist both the school and student,” Mahna adds.
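As an illustration of the log analysis described above, the following Python sketch flags an address that fails sign-in on many different accounts in a short period, and any sign-in that then succeeds from it. It is an added example, not part of the original article or of any tool it mentions; the log format, thresholds, usernames and addresses are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # look-back period (assumed threshold)
MIN_ACCOUNTS = 4                # distinct accounts failed from one address

# Constructed sign-in log lines; the format is hypothetical.
LOG = """\
2021-03-01T08:55:10Z user=t.jones ip=198.51.100.20 result=FAIL
2021-03-01T08:55:31Z user=t.jones ip=198.51.100.20 result=FAIL
2021-03-01T08:56:02Z user=t.jones ip=198.51.100.20 result=OK
2021-03-01T09:00:05Z user=a.khan ip=203.0.113.7 result=FAIL
2021-03-01T09:00:09Z user=b.lee ip=203.0.113.7 result=FAIL
2021-03-01T09:00:14Z user=c.obi ip=203.0.113.7 result=FAIL
2021-03-01T09:00:20Z user=d.ray ip=203.0.113.7 result=FAIL
2021-03-01T09:00:26Z user=e.sims ip=203.0.113.7 result=OK
""".splitlines()


def parse(line):
    stamp, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    return when, fields["user"], fields["ip"], fields["result"]


def detect(lines):
    """Flag an address that fails sign-in on many different accounts within
    WINDOW, and any successful sign-in from that address afterwards."""
    failures = defaultdict(deque)  # ip -> (time, user) of recent failures
    flagged, alerts = set(), []
    for when, user, ip, result in map(parse, lines):
        recent = failures[ip]
        while recent and when - recent[0][0] > WINDOW:
            recent.popleft()  # drop failures older than the window
        if result == "FAIL":
            recent.append((when, user))
            accounts = {u for _, u in recent}
            if ip not in flagged and len(accounts) >= MIN_ACCOUNTS:
                flagged.add(ip)
                alerts.append(("many-accounts-failed", ip, sorted(accounts)))
        elif ip in flagged:
            alerts.append(("success-after-failures", ip, [user]))
    return alerts
```

A teacher who mistypes a password twice and then signs in raises no alert, because only one account is involved; per-account lockout counters alone would not reveal the second pattern, which is spread thinly across accounts.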
Furthermore, a single sign-on feature across all accounts within an educational institution can be useful to combat breaches. This is because a single sign-on makes it easier for users to create and maintain unique and complex passwords for logging in. This way they stay more protected across more accounts.
Finally, ensuring two-factor authentication (2FA) or multi-factor authentication (MFA) also allows you to add an extra layer of security to your accounts, using an authenticator app to prove user identity. For example, the SCR Tracker software provides MFA capability to further protect your organisation's single central record.
3. Ensuring equitable access
Not all children have the same accessibility and affordability for the remote learning infrastructure, specifically the devices and internet. According to Ofcom, children from financially vulnerable households were 89% likely to have access to a desktop or laptop as against 98% in the least financially vulnerable homes.
If children use unsafe devices or open/public connections, it might jeopardise their safety as well as that of the school systems. Therefore, it becomes extremely important to address equity from a safeguarding perspective: when children from less privileged backgrounds find it harder to access a suitable device, they miss out on schoolwork or synchronous lectures/classes. Sharing a device with other family members can also make it harder for them to take extra measures for security. Hence, equity becomes a safeguarding concern.
Overall, it is recommended to use all measures listed above, but the final implementation of a secure framework ultimately also needs in-built education around it, and will only fully succeed when the staff and administrators are well-trained and aware of the risks, threats, and solutions. Schools are advised to host cybersecurity training and awareness sessions for staff regularly, with updates on newer technological threats as well as the use of protective tools.