Schools are unaware of the extent of their exposure to data hacking Schools are unaware of the extent of their exposure to data hacking CREDIT: MUSAC Ltd

How Schools Can Reduce the Threat of Data Breaches by Hackers

Thursday 3 December 2015, 1:12PM

Will 2016 be the year that New Zealand schools decide that accessing technology as a service via the Cloud is far preferable and much less costly than installing and managing servers and related equipment on school premises ?

School Principals and Trustees have an opportunity to proactively secure their student data and ensure they are fully compliant with New Zealand Privacy legislation. 

SMS (School Management Systems) provider MUSAC Ltd is aiming to raise awareness among school principals and school trustees to be aware of their obligations to protect student data mandated under New Zealand's Privacy legislation. 

MUSAC CEO, Greg Twemlow, said today that some Primary and Secondary schools are still using installed servers – as opposed to cloud solutions – to run their SMS (School Management Systems) and other applications and these are vulnerable to hacking, from inside the school network system and from external hackers.“Hacking by cyber criminals and tech-savvy school students is now common overseas and recently a data hack of an Auckland school by a Danish hacker made front page news ( I don’t think New Zealand is different to any other advanced society where hacking attacks on school networks are now frequently reported. Even more concerning is that it's generally believed that less than 20% of hacking attacks are made public meaning the true extent of the problem is far greater than what we read about.”

Mr Twemlow said students and visitors to school premises connect smart phones, laptops and other devices to school wifi networks, which puts them inside the school’s network defences. From there it is easier for technology savvy users to explore the data resources in a school network that includes servers, including ‘hacking’ into the school servers to tamper with data, such as changing test scores or accessing the personal details of other students as well as caregivers.

“When schools choose to operate servers inside their networks they rarely consider the data security implications. If a school does operate application file servers then they must also operate robust firewalls and employ switched on IT providers to maintain high levels of network and data security. A further important issue when schools do use severs is that many teachers also work remotely from home on VPNs (Virtual Private Networks) and invariably VPN account passwords can be readily hacked.“If even one of the many software applications hosted on the school's server network is not updated, it can create a vulnerability pathway that hackers find easy to exploit.

My advice is don’t wait to be hacked before you take steps to ensure you’ve done all you can to protect the personal data of your students. Everyone involved in supplying, managing and accessing student data has to be mindful that safeguarding student data is paramount.“My message to school principals is to be extra vigilant if you run an SMS that is installed on file servers at your school. As a school principal you have responsibility under New Zealand Privacy legislation to do everything in your power to the protect the personal data that you store on your servers.”

Mr Twemlow said that MUSAC LTD began the move from a server based SMS application to a Cloud solution more than four years ago.“We believe that best-practice in data protection means that all schools will migrate to the Cloud sooner than later which is why MUSAC offers its products, SMS and Library Management, as software as a service (SaaS) from the Cloud.

“Cloud applications have a single security control point to protect. MUSAC, for example, is hosted in New Zealand (in the Massey University Cloud infrastructure in Palmerston North), which means one security update and one state-of-the-art firewall protecting all our customers. “Securely integrated cloud solutions have the necessary resources and data protection, and the ‘network’ is not exposed to multiple on site devices operating inside a school's firewall.

“Schools using an SMS running on servers installed in the school are relying on their network vendor, their server vendor and ultimately their staff to take on the responsibility for data security. This model is far more vulnerable to a data security breach, which if it leads to publication of personal data is in effect a breach of New Zealand's Privacy laws,” he said.

Scott Noakes, CEO of Linewize, a company helping schools secure their IT network endorses the MUSAC advice, “In helping schools manage network access across staff and student devices, we’ve seen that about half of NZ schools do not have properly segmented networks. Schools that put student BYOD devices on the same network segment as school servers are putting themselves and their students' data in harms way. In such environments schools are only one malicious student away from massive IT disruption or possible legal repercussions from data breaches."

Mr Twemlow recommends that school trustees give serious consideration to their exposure to data security vulnerabilities including over the summer holidays when there is negligible or perhaps no monitoring of school data networks. If the school isn't already actively planning to run all their applications from the Cloud in 2016 then it needs to be high on the agenda of the first trustees meeting in 2016. 

MUSAC has written a helpful explanation of Cloud Systems

For more information, visit - the MUSAC website