10 Golden Rules: Securing schools from social media threats

Bookmark and Share

The proliferation of social networks such as Facebook, Bebo and MySpace, instant messenger, file-sharing and peer-to-peer applications mean that the IT teams in schools have to cope with an even greater number of threats than many corporate networks. So how can schools protect their pupils from being exposed to inappropriate, offensive or illegal material? Here, Internet Security Analyst, Simon Heron, gives the 10 golden rules for ensuring school security.

Schools today face increasing internet security risks from the number of new platforms and technologies used by pupils and teachers in and out of the classroom. But what are these threats?

The first, and probably the most common of the direct threats to school networks, comes from downloading malware – most commonly done by clicking on links shared between pupils within, for example, instant messages (on MSN, for example, or within social networks like Facebook), emails and Twitter (although Twitter users tend to be older). This risk is increased by the use of file sharing and peer-to-peer technologies such as BitTorrent, by which users  can download files including rich media such as music and film from multiple (and usually unsecured) sources. Using such technologies can expose schools to malware that could ‘take over’ one or more computers – using them to run a botnet, for example, or even more worryingly, steal personal information on the school and its pupils.

The unauthorised downloading of video and music files, even if free from malware, can present another problem to schools. Think of the time and bandwidth that downloading a movie from the Internet can take, and how it slows an Internet connection. If a number of children download music and video files simultaneously – with or without authorisation from an adult – it can seriously affect the performance of the network.

It is not uncommon for children to want to explore areas that they should not go, and the Internet is no exception. Schools have a responsibility to prevent children visiting adult, illegal or otherwise inappropriate websites. It is up to the school’s security system to do this – a teacher simply can’t oversee every website that a pupil visits. Web filtering technology can ensure that blacklisted websites, or sites containing potentially damaging content, are blocked from use. Filtering should work both ways, and prevent children from being able to upload explicit, offensive or abusive images or messages to websites.

Arguably the most serious security issue is that of protecting children from inadvertently giving out their personal information online. Most responsibly-run online communities, virtual worlds and games for children will use moderators (such as eModeration) to prevent children from giving out personally identifiable information about themselves, such as address, phone number or school details (even when children code this information to get round filters) that could lead to grooming. Schools should monitor websites that children access to ensure that they have safety measures such as moderation in place and might consider blocking those that don’t.

There are a number of social issues that Internet security raises for schools, too. Children tend to be much more clued up about the newest ‘fad’ technology (such as the latest peer-to-peer technology for illegal downloads of music and video) than adults. So they need a security system that can compensate for this. Dedicated security companies that manage the latest technologies to combat trends in Internet use are worth considering, rather than stand-alone systems that require manual updating and configuring by the school’s IT manager. Equally, schools should put in place security at the network gateway – so updates apply across all computers – rather than individual computer security. This means updates can be pushed out across the network, rather than having to be applied individually, and keeps all computers are up to date all the time.

It is not appropriate simply to block children from using new technologies. Children need to learn how to use them, and should be encouraged. There is even a move to introduce learning about social media and new technology platforms such as Twitter to the school curriculum (with varied responses: 1 & 2).

So, the approach that schools take to IT security needs to be safe, but not restrictive. There needs to be flexibility for security to be effective. For example, many schools are now providing homework on remotely accessible servers so that pupils can access their work from home. This raises issues of safe remote access (ensuring that if a pupil’s home computer is infected with malware that it doesn’t infect the school network, for example, or that pupils are not able to access each other’s work via the system.)

The 10 golden rules for schools: 

  1. Create clear security guidelines. Creating clear rules for pupils and teachers alike will help everyone know exactly what is expected of them, and what the consequences are if these rules are broken. Of course, they need to be enforced by the security system and IT manager, but making it clear to users what they can and can’t do is an important part of security. Review guidelines and specify how new technologies and platforms can be used, such as social media access, which IM platform can be used and what the limits are on file downloads.
  2. Educate pupils on the importance of security, using these guidelines. Make sure they understand why the rules are in place – they are not just to restrict their behaviour for the sake of it. But, don’t expect them to enforce your security policy for you!
  3. Stay informed. Teachers and IT managers in schools should ensure that they are up to speed with the latest technologies and platforms that are being used in and out of the classroom by their pupils. Advice on new technologies should be available from your security provider to help you stay on top of new trends.
  4. Keep your security systems up to date. This is critical. No matter how informed you are about what IM platform to use, if your security system is allowing an unauthorised technology to be used without you knowing it, the system will be vulnerable.
  5. Agree what platforms are and aren’t acceptable. For example, agree which provider to use for IM, blogging, video streaming and so on, and don’t allow any other onto the system.
  6. Set strict web filters and password systems, and monitor web and IM use. Keep an eye on bandwidth use too – if the system is slow, check that no-one is downloading video, or using a file-sharing or peer-to-peer application. Set limits on music or video downloads (if they are required at all), except on secure, passworded computers. This will limit bandwidth use.
  7. Monitor access to the Internet, and to platforms and applications. For example, check which pupil has accessed which sites by using individual, secure IDs and passwords. Security companies such as Network Box can integrate with the active directory of the school (or the radius server, if the school is not using Microsoft) and transparently cross-check logins against the material being accessed.
  8. Set the same stringent security controls to information leaving the network as to information coming in to the network. This can help prevent unauthorised applications (such as the wrong IM provider) from being used, and prevent a school’s IT network from unknowingly being used to distribute information (for example, in peer-to-peer network technology, or being used to distribute spam).
  9. Block all third party plug-ins and devices, except those approved by the school. This will help decrease the possibility of external sources corrupting the network.
  10. Do not allow unsupervised time on school computers where possible. If you spot any unusual activity, this can be checked against the registered login system.

Ultimately, advice on all security matters can and should be provided by your security company, as well as the day-to-day running of network security. But for effective security, it is important that teachers, at the ‘front line’ of monitoring what pupils are doing online, understand the issues.

Links to further reading and resources:

  1. A new initiative, Memory4Teachers, has been set up in conjunction with LEAs and teachers unions. Memory4Teachers provide teachers with free information and resources (provided on a memory stick) on issues including security in schools, applications and educational resources from a range of companies.
  2. Network Box’s ‘Securing Social Media’ papers (six part series - scroll to bottom of table to access).
  3. eModeration’s website (for information on moderating children’s online environments)  

Simon Heron is Internet Security Analyst at managed security company, Network Box.

e-Learning Update
spacer
spacer