In cybersecurity, balancing vigilance with access
Cybersecurity is essential for all organizations, but security cannot be valued more than usability
Cybersecurity is at the forefront of IT issues to be addressed over the next year. Nearly every list of major IT or educational technology issues for 2023 includes the need to further harden educational systems and infrastructure.
More than 20 educational organizations–including AASA, the American Association of School Administrators (the primary superintendents’ association)–have asked the Federal Communications Commission (FCC) to expand E-rate to cover advanced firewall technology to support protection from denial of service (DoS) attacks, improve virtual private network (VPN) access, and similar upgrades. The FCC is currently soliciting public input on the potential change until February 13, 2023.
It is easy to understand the need for increased cybersecurity safeguards. In the first half of 2022, at least 34 major cyberattacks were made against schools. Cybercrime cost more than $6.9 billion in 2021. The evening news commonly reports on cyberattacks against pipelines, government systems, and other vital services. Due diligence in considering ways to harden cyber targets and protect student and institutional data is essential, and not doing so in today’s environment would probably be willfully negligent. However, there is a need to balance security with usability.
IT leaders need to ensure that usability is still the primary consideration in building IT systems. IT systems are of little value if end users cannot use them effectively. Considering how many additional steps end users are willing to take is essential. This is particularly important as many organizations still have a high number of remote workers. Make sure the warnings provided to end users are significant as well. Too many warnings can numb end users into assuming the IT department is crying wolf, and they may stop paying attention to warnings.
For instance, if a user is warned that the vast majority of links in the email system are dangerous, how long will it take until the user starts to ignore those warnings? This is particularly true when even links sent by the organization are flagged as unsafe. Most systems allow enough granularity to ensure that commonly used systems, trade newsletters, professional journals, etc. are not flagged. This would be a good first step in building effective trust between the end users and the IT staff.
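The granularity described above, in working form: an added example (not code from the article or from any mail product it mentions) of an external-link warning policy that skips links to the organization's own domain and to a small set of commonly used sites, while still warning on anything else. The domains in `TRUSTED_DOMAINS` are hypothetical, and `should_warn` and `warning_rate` are names chosen for this example; the rate function is there because the share of messages that trigger a warning is the number to watch when judging whether users are being trained to ignore them.

```python
"""External-link warning policy with a trusted-domain allowlist (added example)."""
from urllib.parse import urlparse

# Constructed allowlist for illustration. The organization's own domain and the
# trade sites staff read routinely belong here; everything else stays flagged.
TRUSTED_DOMAINS = {
    "example-district.org",   # hypothetical: the organization's own domain
    "example-journal.org",    # hypothetical: a professional journal staff read
}


def host_is_trusted(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True if host is exactly a trusted domain or a subdomain of one.

    The leading dot in the suffix check matters: it keeps a look-alike such as
    'evilexample-district.org' from matching 'example-district.org'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def should_warn(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """Decide whether a link in a message should carry an external-link warning."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return True                      # unusual schemes are always flagged
    host = parsed.hostname or ""         # .hostname drops userinfo and port
    if not host:
        return True                      # unparseable or empty host: flag it
    # A URL like https://example-district.org@evil.example/ has hostname
    # 'evil.example', so the trusted name in the userinfo part does not help it.
    return not host_is_trusted(host, trusted)


def warning_rate(urls, trusted=TRUSTED_DOMAINS) -> float:
    """Fraction of links that would be flagged; a high value signals warning fatigue."""
    if not urls:
        return 0.0
    flagged = sum(1 for u in urls if should_warn(u, trusted))
    return flagged / len(urls)


if __name__ == "__main__":
    # Constructed sample of links as they might appear in a week of staff mail.
    sample = [
        "https://portal.example-district.org/login",
        "https://example-journal.org/issue/12",
        "https://example-district.org.evil.example/reset",
        "https://example-district.org@evil.example/",
    ]
    for u in sample:
        print(("WARN   " if should_warn(u) else "trusted"), u)
    print(f"warning rate: {warning_rate(sample):.0%}")
```

Tuning the allowlist is the whole point: if the rate stays near 100% after the organization's own systems and the usual newsletters are added, the warning carries no information and users will learn to click through it.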
Another common concern is to ensure that security strictures put into place do not restrict users so much that the systems are not fully functional. Testing needs to occur with outside systems and partner organizations. Struggles are particularly common between organizations that use the Google suite and those that use the Microsoft suite. This is often a struggle for K-12 educators, who are mostly Google users, when they want to interact with higher education institutions or other government agencies, many of which are Microsoft environments. IT staff need to make sure that interagency collaboration is encouraged and supported by the installed technology base. Most of us have had a situation where a Zoom, Teams, or Google call was complicated or failed because one or both institutions involved had overly tight security.
When the security, as well intended as it may be, gets to the point of being burdensome to the end users, they will get creative. Their creativity will often create an even more insecure situation than the one the burdensome security measures were trying to address. For instance, when security measures create too many hurdles, users might find other users with more direct access and simply get them to send the sensitive data in a less secure email format, or even use a personal email account to avoid the institutional system altogether.
Similar rules against forwarding emails are well intended, but when staff or students have multiple email accounts, insisting that they not forward messages to their primary account is a setup for missed information. When multiple email accounts exist in the same system, as is common in higher education for staff who are also students, those accounts should be merged. One student I was aware of missed his final comprehensive exam for his master’s degree because the notice was only sent to his student email and not to his staff address, which he used exclusively.
There is no doubt that cybersecurity is essential for all organizations in our modern world. However, security cannot be valued more than usability. The sad fact is that the only entirely secure computer system is one that has been unplugged and shut off. Cyberattacks will continue, and it will be important to ensure that every organization has strong backup and recovery plans in place. However, end user usability is just as important as security.
- In cybersecurity, balancing vigilance with access - March 1, 2023