Educational Technology or “EdTech” is a discipline of Technology focused solely on the development of Software as a Service (SaaS) to improve student learning. Despite EdTech sounding field-specific, its impact is far-reaching as education or even the lack of it touches everyone’s life. This blog will dissect how cybersecurity intersects with EdTech.
Defense-In-Depth
You wouldn’t rely on floodlights as the only mechanism of securing your home from burglars, so why would you solely use an anti-virus solution as means of protecting your entire IT infrastructure from threat actors? The secret to achieving a robust cybersecurity program is security must be woven into every angle of your environment in such a way that each control complements the others. This is formally known as “Defense-in-Depth” or otherwise a strategy that is used to eliminate single points of failure.
For instance, EdTech software platforms specifically must consider students how students submit assignments. Is there a public-facing portal that could be brute-forced? Could student logins be hijacked to manipulate or snoop through their connection? Are your backend databases that contain student records externally accessible? Defense-in-Depth is all about slowing down an attacker and making your business less enticing to attack. This approach is reliably effective in preventing, deterring, and detecting cyber-attacks because an attacker has numerous “layers” to overcome before completing their objective.
For those seeking to validate their controls can stand up against a real attack, Silent Sector also offers Pen testing for our clients to simulate real-world adversarial tactics. We then walk them through what we did how they can improve their EdTech platform’s security.
It is important to recognize Defense in Depth necessitates considering users because technological controls are not 100% effective. Unfortunately, the human element is often neglected when considering a cybersecurity program. However, employees are instrumental in protecting an organization as they are the ones interacting daily with the IT, email system, and data records. Proper training can equip them with the right mindset to identify phishing attacks, probing threat actors, inherent procedure weaknesses, etc., and other activities that are precursors to attacks.
Security Domains to Consider
- Physical
- Endpoint
- Network
- Application
- Data
- Personnel Training
Keep Digital Compliance at the Forefront
Compliance is one of the major priorities schools strive for so they can qualify for federal funding, and their EdTech programs must uphold compliance. Given that EdTech solutions are fully hosted by the vendor or a cloud organization's infrastructure; and accessible anywhere translates to data security concerns. This is expected since storing data on a 3rd party’s equipment means giving up some control over how it is protected. Even more so, concepts such as data localization come into play since data hosted in the USA is under a myriad of vastly different regulations than data hosted in somewhere like Europe. In the USA, the Family Educational and Rights Privacy Act (FERPA) requires educational institutions to protect student records.
The pandemic convoluted things when regulations like Americans with Disabilities (ADA) were overlooked because educational institutions quickly onboarded EdTech platforms to support remote learning without fully vetting their information security. The ADA “requires maintaining the confidentiality of employee medical information and this may include COVID-19 related data.” It is imperative your institution fortifies its data ingress, egress, and storage locations to protect against lurking threat actors.
Silent Sector recommends our clients take the initiative to review how their personnel and student data is protected by 3rd parties because cybersecurity for software companies is not yet enforced by legislation. Additionally, your organization could be penalized when your students’ records are in the possession of a vendor who has little to no security.
Automate the Tedious Tasks
Basic IT Security tasks are often overlooked due to their repetitive nature but are essential. For example, operating system and application patches are released often. Manually applying patches to every workstation, server or application is not realistic. Conversely, not patching positions your organization as a prime target for an attack like ransomware and other detrimental side effects.
Automating patches goes hand in hand with other IT tasks like creating up-to-date and functional backups. Consider scheduling mission-critical data to be remotely backed up on an interval. This way you do not have to worry about losing sensitive data, natural disasters, or when a ransomware gang targets you. Automation also addresses the human element mentioned above because automating a task such as device deployment ensures devices are securely configured from the moment they are deployed.
It is also worth mentioning automation is accompanied by a great value-added feature since it can reduce the amount of time dedicated towards repetitive operational tasks so that your team can focus on more complex topics instead. Another security domain like vulnerability scanning should also be scripted so that your team is quickly made aware that vulnerabilities that pose a risk to your organization exist.
SaaS cybersecurity and compliance are major distresses that can be overcome with proper consulting. For instance, cybersecurity firms like Silent Sector can execute web application penetration testing to uncover any weaknesses in how an EdTech app behaves thus, avoiding a breach and FERPA violation. Interested in hearing how to vet EdTech platforms or security your own EdTech company? Contact Silent Sector today to learn more.