Challenges and Ideas
Just as hackers employ encryption to deny access to data on an ransomware-infected machine, so can educators and students learn to use encryption to prevent unauthorized access to data. Popular data encryption tools are available. Are you using them?
Obstacle #1 - Not a Priority?
For many districts, safeguarding sensitive data isn't a priority. Some tips for making it one:
Conduct a benchmark assessment of current practices
Get executive leadership to form a stakeholder committee
Develop Policies and Procedures for Safeguarding Sensitive Data
Review paper processes
Review digital processes
Compare them to what other's do
Develop incident response team
Provide professional learning
Obstacle #2 - Expensive & Enterprise Level?
Establish procedures for handling sensitive data in your classroom and/or office. Ensure that data containing personally identifiable information (PII), as well as usernames/passwords to popular services, is encrypted.
Failed cybersecurity efforts represent a problem at large for society. The consequences are also felt in schools given improperly trained staff, students, and a lack of policies and procedures.
Cybersafety has a direct impact on the cybersecurity of an organization. The less cybersafe staff and students are, the greater the threat to personally identifiable information (PII).
Need more training and technical info?
Did you know that if data is encrypted and a data breach occurs, you are not obligated to report it? This is the power of data encryption and can potentially spare the District from unnecessary litigation and expense. This is known as an encryption safe harbor.
Texas defines a data breach in terms of sensitive personal information only if the data items are not encrypted (Source: Data Breach Charts, Baker-Hostetler). See other links to the left.
This is a question you will get. Make sure you keep your response simple and make it a requirement of dealing with sensitive data.
Avoid embarrassment and high-cost of identity theft protection for students and staff. Texas Safe Harbor law protects organization that encrypt data should that data be lost or stolen.
Avoid sending decrypted confidential information via email or as email attachments. Phishing attacks can compromise users' accounts and spread to all quickly via email groups (a.k.a. distribution lists). Decrypted data on compromised accounts can be a treasure trove and lead to costly issues. Encrypted email attachments are no big deal on a stolen smartphone, tablet or laptop. Decrypted email attachments or files on stolen devices puts the district at risk for liability and lawsuits.
Avoid saving decrypted files to portable devices (e.g. laptops, tablets) and/or storage media (e.g. USB flash drives, pendrives, sticks, hard drives).
Always encrypt sensitive data before sending it to a third party solution provider. Negotiate up front, over the phone how you will encrypt data and come up with a solid password to use. If data is transferred from a server, encrypt it FIRST before placing it on the server, then use Secure FTP to transfer it. An alternate approach is to grant the 3rd party solution provider Virtual Private Network (VPN) access to a specific device. This may be easier since you can setup a network share, a mapped drive, to make it simpler to create and share files quickly. Again, it is better to encrypt than to have decrypted files at rest on an intranet server.
NEVER place decrypted sensitive files online on an internet server and/or in cloud storage.