14 Nov Rethinking security in the education sector
The sudden and dramatic impact of the pandemic on the education sector could not have been anticipated. Yet teachers, lecturers and education administrators and support staff appear – from the outside at least – to have transitioned to new ways of delivering education almost overnight. Whilst this is positive, it has come with challenges, and has led the education sector to think about security very differently.
One of the characteristics of the sector is that organisations often have tens of thousands of employees and students, spread across multiple sites, and in some cases with a hybrid (non-classroom) delivery model being rolled out very swiftly.
Enabling innovation, not stifling it
The University of California, Berkeley, is a public land-grant research university based in Berkeley, California. Established in 1868 as the University of California, it is the state’s first land-grant university and the first campus of the University of California system.
The university has over 44,000 students on campus. This makes it among the largest public institutions in the country.
Jenn Springer heads up IT at Berkeley. She says that security is “top of mind” every day.
“I have research labs, I have IT organisations across the campus that don’t sort of report into the authority of the CIO. I have researchers who have amazing graduate students with lots of technology ability that are spinning up servers and putting machines under the desks and actually sometimes even running their own networks. And that makes it incredibly challenging.”
She says that this amazing innovation makes it hard to “wrap their arms” around the security risks. She talks about the joint responsibility of the university and those students attending it.
“It’s really so much more about changing hearts and minds, and really getting the researchers and the students to understand how important security is, and that it’s their responsibility as well as my responsibility to keep the campus secure and safe. We offer the tools to enable them to do that. But it is very different than a vendor organisation or an organisation where we can talk down, make a bunch of dictates that people must do certain things.”
She says that enabling innovation, empowering researchers and students, and having security measures in place is a delicate balance which universities need to strike.
Schools face the same security challenges as any other organisation
On the other side of the continent, Michael Martinrano is Superintendent of Schools for Howard County, Maryland. Howard County Public School System is located midway between Washington DC and Baltimore, Maryland, with a diverse student population of around 58,000 students. Not surprisingly, he also has responsibility for around 10,000 employees.
Martinrano talks about the impact of the pandemic.
“It was a whole different layer of engagement, that we had to again, protect our students. First, by aggressively being involved in making our teachers aware of those risks, and how to respond when certain events were occurring.”
Martinrano says that the organisation has to actively think about “bad actors” who can do harm at schools, and put measures in place. Enhancements have been made to both property and data systems.
“I’ve had to enhance the total security of our school system’s data and opportunities for people to tap into our network for fishing expeditions, or whatever it may be. To give you an example, I’ve added additional positions to our budget just addressed on cybersecurity.”
He describes it as “disheartening” that educational environments are not exempt from these security challenges, but he says that being proactive is the only option. It’s a new era of security measures for schools.
Engineering the platforms to deliver trust in digital infrastructure
In education as well as other sectors, Trent Loebel, CEO of Torus, says his team is seeing a very strong desire among organisations for commonality and consistency across their devices. He makes the point that this is not just about efficiency: organisations also recognise that they don’t get the “absolute security benefits” if they have disparity of systems.
They are seeing this trend across all aspects of security. But it even applies to the “simple keys” which organisations hold – which is the area Torus focusses on.
“Virtually every building, every medium and large building in the world has keys – if not to all of the doors, to many of the doors within those buildings. And those physical keys need to be managed, they need to be only in the hands of the people that are authorised to use them. That’s impossible to achieve when it’s done manually, with pieces of paper or a spreadsheet and keeping them in a drawer.”
He says that the consequences of not having a structured, secure system are not just risk, but also huge amounts of wasted staff time every single day. This includes not just administering the keys, but tracking them down when they don’t return as planned.
“The ultimate risk and cost with poor key management is where they fall into the wrong hands. In this case, the people that you don’t want to have them get access to your buildings or facilities and your valuable assets. So that’s obviously the ultimate benefit from having a sophisticated key management solution like Torus.”
With fewer people on campus at some times and more of a hybrid model of delivering education, schools and universities are having to consider all of their security risks closely. Loebel says that automated solutions for access control can often be “vastly better” than a manual solution can ever be. He says that clients of Torus are achieving payback “within six months or less”.
This article reflects some of the core topics discussed in Episodes 3 and 4 of Security TV. Security TV is a new online series which launched recently, focussed on the world of security. Torus is proud to be the premier sponsor of Security TV.