
Cybersecurity for Teachers and Schools (and Other Institutions)

This guide is aimed at teachers, educational institutions, and organizations connected to education, such as schools, libraries, study centers, or non-governmental organizations (NGOs) focused on education.

Its purpose is to provide guidance to professionals in institutions and organizations connected to education, helping them increase their awareness of cybersecurity. It also offers tips for protecting their networks, devices, and online accounts. Equipped with this information, educators can incorporate these concepts into their noble teaching practices, better preparing students for a future that, as we know, will be increasingly digital.

Some of the tips in this guide are easier to implement while others may be more challenging, and individual experience varies. Therefore, it is essential for schools to have a trusted partner to help them make the best tool choices and implement technology effectively.

This is a living document, meaning it will be continually updated and supplemented with new details over time. Therefore, I invite you to return here from time to time.

Awareness

Teachers and Schools play a very important role in raising awareness among Students, Parents, and Guardians about the dangers of the Internet and the basic precautions they should take when using it.

Thus, teachers in general, but particularly those teaching Information and Communication Technologies (ICT), should have this foundational knowledge to educate their students about online privacy, protecting their devices, and securing their online accounts, among other topics.

In addition to classroom teaching, schools can organize in-person or online workshops for Parents and Guardians, as well as distribute information through pamphlets or emails.

But before teaching students, Teachers and Schools must protect themselves. And how can they do this? Let’s find out next…

Network Security

Schools must ensure that their network is secure—secure against external threats, but also against internal threats (whether intentional or not). To achieve this, the use of a firewall is essential, along with network segmentation, meaning having separate segments for Teachers and Students, or for school-managed and non-managed devices.

Certainly, teachers have access to more sensitive content that students should not have, and therefore, segmentation will help protect these accesses.

In addition, care must be taken with personal devices of Teachers and Students that connect to the school network. These devices, which are not managed by the school, do not adhere to the policies set by the school and, therefore, should not be connected to the same network as the managed devices.

Moreover, students are far more numerous, which increases the risk on the networks they connect to.

Schools should also have software that filters the content accessed by students, ensuring that everything they access is appropriate for their profile and age.

The firewall should have the Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) active, ensuring that any potential attacks are both detected and blocked.

The Wi-Fi network should use WPA3, ensuring the use of the most secure protocol.

Device Security

Schools should manage their devices. This means not only that the school owns the devices and can do as it wishes with them, but also that software is in place to enable proper management: for example, enforcing a policy for updating the operating system and applications, and implementing controls such as USB port blocking, among others.

Devices that are not managed by the school should not connect to the same network as the managed ones. This does not mean they cannot connect to a network for connectivity, but they should not be on the same segment as the managed devices.
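The segmentation rule described here and under Network Security can be checked against a device inventory. The script below is an added example, not part of the original guide; the subnets, segment names, and device list are constructed assumptions standing in for a school's own addressing plan and DHCP/device-management export.

```python
import ipaddress

# Constructed segment plan (assumption): one subnet per audience.
SEGMENTS = {
    "staff-managed": ipaddress.ip_network("10.10.0.0/24"),
    "student-managed": ipaddress.ip_network("10.20.0.0/23"),
    "byod-guest": ipaddress.ip_network("10.99.0.0/22"),
}

# (role, managed) combinations each segment is allowed to contain.
ALLOWED = {
    "staff-managed": {("teacher", True)},
    "student-managed": {("student", True)},
    "byod-guest": {("teacher", False), ("student", False)},
}

# Constructed inventory, e.g. DHCP leases joined with a device-management export.
DEVICES = [
    {"name": "staff-laptop-01", "ip": "10.10.0.12", "role": "teacher", "managed": True},
    {"name": "lab-pc-07", "ip": "10.20.1.57", "role": "student", "managed": True},
    {"name": "teacher-phone", "ip": "10.10.0.88", "role": "teacher", "managed": False},
    {"name": "student-tablet", "ip": "10.99.2.14", "role": "student", "managed": False},
    {"name": "student-laptop", "ip": "10.10.0.140", "role": "student", "managed": True},
    {"name": "unknown-box", "ip": "192.168.1.50", "role": "student", "managed": False},
]

def segment_of(ip):
    """Return the name of the planned segment containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def audit(devices):
    """List (device, reason) pairs for every device that breaks the plan."""
    findings = []
    for d in devices:
        seg = segment_of(d["ip"])
        if seg is None:
            findings.append((d["name"], "address outside every planned segment"))
        elif (d["role"], d["managed"]) not in ALLOWED[seg]:
            kind = "managed" if d["managed"] else "unmanaged"
            findings.append((d["name"], f"{kind} {d['role']} device on {seg}"))
    return findings

if __name__ == "__main__":
    for name, reason in audit(DEVICES):
        print(f"{name}: {reason}")
```

Each finding is a device to move to the correct segment or to enroll in management before it returns to a managed one.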

Depending on the size of the institution or organization, protection software such as antivirus, Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), or Managed Detection and Response (MDR) should be considered.

Account Security

School accounts should have secure passwords, and by secure passwords, we mean long passwords, such as passphrases, rather than overly complex passwords that are hard to remember.

Furthermore, all accounts should have Multi-Factor Authentication (MFA) enabled, ensuring that even if credentials are discovered by someone, they are not enough for that person to access the account.

Regarding access, least privilege policies should be implemented for teachers and students, meaning limiting access to only those who truly need it.

Compliance with the Law

Schools should also comply with the General Data Protection Regulation (GDPR) in the European Union, or the General Data Protection Law (LGPD) in Brazil, by limiting access to sensitive data and ensuring that this data is stored and transmitted securely. Whenever possible, they should use anonymization or pseudonymization techniques to reduce the risk of unauthorized access to the data, as schools, as we know, store a large amount of personal data of all Teachers, Students, and Parents/Guardians.
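One way to pseudonymize a student dataset before sharing it for analysis, shown as an added example that is not part of the original guide. The field names, sample records, and key are constructed assumptions; the keyed hash (HMAC-SHA256) is one common technique, chosen here because an unkeyed hash of a short student number can be reversed by trying every possible number.

```python
import hashlib
import hmac

# Constructed demo key (assumption). A real key is generated randomly, e.g. with
# secrets.token_bytes(32), and stored apart from the pseudonymized data.
KEY = b"constructed-demo-key-do-not-reuse"

# Fields that identify a person directly and are dropped from the shared copy.
DIRECT_IDENTIFIERS = {"student_id", "name", "email", "guardian_phone"}

# Constructed sample records (not real people).
RECORDS = [
    {"student_id": "S-1001", "name": "Ana Silva", "email": "ana@school.example",
     "guardian_phone": "+351 900 000 001", "birth_date": "2011-03-14",
     "subject": "Maths", "grade": 17},
    {"student_id": "S-1002", "name": "Rui Costa", "email": "rui@school.example",
     "guardian_phone": "+351 900 000 002", "birth_date": "2010-11-02",
     "subject": "Maths", "grade": 12},
    {"student_id": "S-1001", "name": "Ana Silva", "email": "ana@school.example",
     "guardian_phone": "+351 900 000 001", "birth_date": "2011-03-14",
     "subject": "ICT", "grade": 19},
]

def pseudonym(student_id, key):
    """Keyed, repeatable token: the same id and key always give the same token."""
    mac = hmac.new(key, student_id.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]  # 64 bits is ample for a school-sized population

def pseudonymize(records, key):
    """Return copies with direct identifiers removed and a pseudonym added."""
    out = []
    for r in records:
        row = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        row["pid"] = pseudonym(r["student_id"], key)
        # Generalize the birth date to a year so it identifies less precisely.
        row["birth_year"] = int(row.pop("birth_date")[:4])
        out.append(row)
    return out

if __name__ == "__main__":
    for row in pseudonymize(RECORDS, KEY):
        print(row)
```

Rows for the same student keep the same `pid`, so results can still be analyzed per student, while only whoever holds the key can link a `pid` back to a student number.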