Is your data protection policy protecting your employees and students?

In Internet, Security by Jesse Rink

It seems like a regular occurrence these days that we’re hearing about a company’s employee records or customer data getting stolen by hackers. Well-known companies like Blue Cross/Blue Shield, Home Depot, Target, Anthem Insurance, and others have fallen prey to data protection breaches that resulted in private information getting stolen.

These days, the private sector isn’t an exclusive target for hackers either. Universities like Harvard, Penn State, and other schools have also experienced the pain of security breaches. Even locally, here in Southeastern Wisconsin, there have been successful cyber-attacks in the public sector, most notably in Ozaukee County, where 200 government employees recently found out that their personal information was compromised and falsified tax returns were filed under their names with the Internal Revenue Service.

These scenarios are ever-increasing, and the number of attacks keeps rising. The culprits want your data, and they often target the path of least resistance when it comes to gaining that coveted data.

Data protection risks in education

Today, it’s common practice for schools to provide a web portal for accessing data remotely. Most often, the portal lets employees (both current and former) view and retrieve pay stubs or W2s online (which typically also show social security numbers), or lets students and parents access online grading information and potentially medical/health information, home addresses, emergency contacts, and so on. As a result, there is an inherent risk in making any of this otherwise private information available on the internet.

When financial systems and student information systems (such as Skyward, Infinite Campus, Powerschool, Alio, etc.) are properly set up, the risk is minimal, but end-users themselves (who are the target of cyber-attacks) have virtually no control over how secure the systems actually are. While most of the financial software and student information software available has some built-in mechanisms for securing data, there is no guarantee that best practices have been followed during implementation and before making that data available online.

There are also no ‘de-facto standards’ across the board for these particular software applications to enforce important security/data protection measures for users such as:

  • Enforcing complex password requirements (password length, special characters, upper/lower case, etc.)
  • Requiring users to change passwords at specific intervals
  • Requiring new users to have a unique password instead of setting a global password for all new users at their first login

That being said, it’s very possible, depending on the security configuration of your financial system or student information system, that individual users may have logon accounts that are using a password of “Hello” or “123456”. For systems that contain personal and private data, this can potentially be a problem and put users at risk.
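The three measures listed above can be expressed as simple checks. The following is an added example, not code from the article or from any of the products it names; the minimum length, the rotation interval, the denylist and all function names are assumptions chosen for illustration.

```python
import secrets
import string
from datetime import date, timedelta

# Assumed policy values (not from the article); tune to your district's policy.
MIN_LENGTH = 12
MAX_AGE = timedelta(days=180)
# Constructed denylist; the first two entries are the weak passwords the article cites.
DENYLIST = {"hello", "123456", "password", "welcome1"}


def complexity_problems(password, username=""):
    """Return the list of policy rules this password breaks (empty = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.islower() for c in password) or not any(c.isupper() for c in password):
        problems.append("needs upper and lower case")
    if not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    if not any(c in string.punctuation for c in password):
        problems.append("needs a special character")
    if password.lower() in DENYLIST:
        problems.append("on the common-password denylist")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def rotation_due(last_changed, today):
    """True when the password is older than the allowed interval."""
    return today - last_changed > MAX_AGE


def initial_password(length=16):
    """Unique random first-login password per user, instead of one global default."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not complexity_problems(candidate):
            return candidate
```

Both weak passwords the article mentions are rejected by the first function, and every call to the last one yields a different first-login password.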

If you have any doubts about the security mechanisms in place at your school, now might be a good opportunity to spend some time evaluating your financial and student information systems. Be proactive and not reactive! Take the time necessary to evaluate various ways you can improve upon security and protect confidential data, *before* would-be hackers and criminals attempt to steal that data.

Taking action to make improvements to security doesn’t necessarily mean having to spend an abundant amount of resources (time or money). Easy-to-implement ideas and solutions include:

  • Making sure that any staff or employees that have “administrative” access to the financial and student information system programs are using very complex passwords.
  • Putting additional security measures in place on your financial systems and student information systems that adhere to industry best-practices.
  • Sending out informative emails to employees and parents to warn them against the dangers of using simple passwords, or effectively turning off the ability to use simple passwords altogether.
  • Educating employees and parents in regards to the increasing use of clever phishing attacks and strategies employed by hackers.

The key takeaway here is: do your due diligence and spend the time necessary to evaluate your current environment. Look into the options available to make the necessary improvements for protecting your data and keeping it safe. An ounce of prevention goes a long way and could save your school district from experiencing the same data protection lapses that other companies and public sector agencies are facing on an all too regular basis.

 

About the Author
Jesse Rink

Jesse is the owner of Source One Technology and has been providing IT services to schools, nonprofits and SMBs in Waukesha, Milwaukee and SE Wisconsin for over 18 years.