For most businesses, non-profits, and project leads data security is like home security, not important til you need it. According to data and ethics expert Dr. Gemma Galdon Clavell, there are five major moments where data is most vulnerable: collection, storage, sharing, analysis, and deletion. These vulnerability points increase the risk of a data breach.
It’s critical for every business to understand their risk. An important step in data security is to identify potential threats, classify them by category, and evaluate the damage potential to the company. Use this checklist to understand common data threats and assess how they may affect your business:
- Hacking: a multi-billion dollar industry for cybercriminals and provides opportunities to extract data for political and monetary gains. Hacking refers to an unauthorized user gaining access to a computer or a network.
- Cracking: another form of hacking; is reverse engineering of software, passwords or encryption could lead to unauthorized access to sensitive
- Malware: short for malicious software, disrupts computer operations, gathers sensitive information, or gains access to a computer system to compromise data and information.
- Misuse: Employees may take advantage of entrusted resources or privileges for a malicious or unintended purpose. These actions can be either malicious or non-malicious in nature.
- Error: such as system misconfigurations or programming errors can cause unauthorized access or in-house due to faulty programming, or hackers can find loopholes that can cause errors as well
- Leaks: Unauthorized electronic or physical transmission of data or information from within a company to an external destination or recipient could leave data in the wrong hands.
- Cloud integration: storing unencrypted sensitive data with lax access controls leaves data stored in the cloud vulnerable to improper disclosure.
- Availability Attacks: Availability attacks are structured cyberattacks to extort or damage companies whose websites or online assets are a major source of revenue.
- Advanced Persistent Threats (APT): The goal of an APT isn’t to corrupt files or tamper, but to steal data as it continues to come in. Hackers attack computer systems while avoiding detection and harvesting valuable information over a long period of time.
- Third Parties / Service Providers: Third-party networks may be used by other external cybercriminals as an initial access point into a company’s network.
- Non-technical Threats: Data security isn’t only an electronic issue. Non-technical threats can affect your business, too. Physical theft of devices, environmental damage, insider threats.
All data repositories are vulnerable for countless reasons and we can’t possibility address them all, prioritizing your risk and testing your priories against common threats in your industry.
In terms of risk assessments, I’m speaking less about the private sector, which through trial and error and previous failures has been able to create benchmarks for information risk protection. The education industry should expect a myriad of risk areas in the form of the digital classrooms, BYOD (bring your own device) and the lack of regulatory standards that reflect the digital risk faced by school leaders with limited data management experience and school communities who used technology vulnerable to breaches.
“Stewardship is easy and inexpensive to claim; it is expensive and difficult to honor, and perhaps it will prove to be all too easy to later abdicate”.(Clifford Lynch, 2003)
Since the early 2000s organizations like OIAS (Open Archival Information System Reference Model) began to design frameworks, which addressed the fundamental questions regarding trustworthy data repositories. The conclusion, and continued norm is steered away from being too prescriptive and opted for checklist that measured trustworthiness.
This reality still exists today. Striking a balance between maintaining your claim of reasonable trustworthiness and affording to be so is at the center of success for all “digital-first” organizations. As schools are asked to adapt and take hybrid “digital-primary” organizations, data stewardship must be prioritized to maintain the trust shared between the school and school community that tacitly or directly consent to their behavioral and identifying information captured, stored, and productionalized.
Everything including “acts of God” can compromise your security; the Pandemic qualifies as such. Security risk are rooted in a combination of, (1) organizations lacking an innate sense for security and (2) human error. Organizations can work to limit information security breaches by standardizing information security and using risk assessment to determine how much risk you’re willing to take on vs. your budget and other factors.
A Personal Synthesis: Why Protecting Data is Difficult
My personal example comes from my work in a charter school in DC working with Pre-K students. In my school students are not assessed by test scores but are to be video recorded in the classroom by the teacher using their personal mobile devices using an app. The videos are tagged with grades for what competency the student is demonstrating. Those videos are then sent to this third party company. The technology company aggregates grades from various other schools they partner with across the country to give a “true” grade of your student. The assessment is then sent back to the teacher. The idea itself is a cool way to assess learning and give parents a look into how their child is learning. I question the level of risk assessment the charter school had done in this situation. There seemed to be very little concern from my fellow educators about the lack of proper training with this application and there was no type of software offered to convert their personal devices into “secure devices”. When I asked my administrator why we’re using this service, they declared that it was efficient and useful during parent teacher conferences. I pushed and asked about security issues in regards to the technology companies. Their response was “other schools use them, and I haven’t heard anything negative.”
“When an adverse event occurs, the important issue is not who blundered, but how and why the defenses failed.”(Castillo, 2000)
In this situation the school has handed over the keys to the car to complete strangers. Based on my conversation with my Admin it appears the school has not vetted this company for security and is going off of word of mouth about their level of security. This speaks to the lack of standards that exist with regards to education information security. The fact that my Admin did not site any type of criteria for security beyond, essentially, “I know a guy” leads me to believe that there was no standards-based risk assessment. In addition, while the school may have an understanding of there teachers competency to teach theydo not have a sense of their teachers digital literacy as it pertains to information security. These teachers are using personal devices w/ their personal applications and sending private information about students through non-secure networks to a third party where their students info is being compared to that of other students where we have no guarantee of anonymity. There appears to be no defenses and dozens of opportunities for blunders.
Bibliography Castillo, on 26 March 2013, F D ( Tito ). "Data Management Planning for Secure Services (DMP-SS)." Data Management Planning for Secure Services DMPSS RSS. BLOGS.UCL.AC.UK SITE, 26 Mar. 2013. Web. 15 Oct. 2016. Trustworthy Repositories Audit & Certification: Criteria and Checklist ru). (2007, February). Online Computer Library Center, Inc (OCLC) and The Center for Research Libraries (CRL). Retrieved fromhttp://www.crl.edu/sites/default/files/attachments/pages/trac_0.pdf