Cybersecurity and Privacy: How Faculty Can Protect Themselves and Their Students
While most colleges and universities have IT professionals dedicated to cybersecurity issues, everyone in the institution has a role to play. This is especially true of faculty who are involved in selecting new courseware products, using them alongside other technology, asking large numbers of students to use multiple technology products, collecting data about students, and conducting research projects that may involve sensitive data.
Joseph Potchanant, the director of the Cybersecurity and Privacy Program at EDUCAUSE, characterizes data protection as an administrative responsibility shared across campus: “In comparison to physical security, which is more about locks and doors, cybersecurity is about controls, procedures, and policies to keep data that is accessible, stored, or in transit safe.”
Below are some of the key cybersecurity principles that Potchanant says faculty should keep in mind, particularly when it comes to digital learning technologies.
Potchanant says the hardware brand that is used matters less than whether it is updated regularly. For example, it’s okay that some students come to class with Google devices while the institution issues Apple devices to faculty . . . if all the devices have the latest operating systems. When devices are updated, they get the security patches and features necessary to minimize malware and other hacker attack systems.
“I think of updates as an oil change before each semester or during school breaks,” says Potchanant. “Vendors make this process much easier with a click of the button on your device, but faculty can also visit their IT department for a once-over to ensure everything is current.”
Practice Good Cyber-hygiene
Updating is the first step to good cyber-hygiene that helps keep IT systems safe from cyberattacks. Faculty can use three other good practices: Change passwords regularly, back up data regularly, and be selective about what data they collect and keep.
The more information that is kept on a device, the more tempted a hacker will be to steal it, Potchanant says. “A good guideline is if you do not have to collect information about something, don’t—especially personal information about students. For example, students’ birthdays are usually held by the registrar. If you have it in your learning management system, it’s one more danger.”
Talk to Students about Cybersecurity
Potchanant encourages faculty to alert students to issues of privacy and cybersecurity even if faculty don’t consider themselves cybersecurity experts. Students need to understand the financial and social risks they face in an increasingly digital world in which collective lives and data are intermingled.
“If students don’t have a grasp of security issues surrounding technology, they can suffer catastrophic situations such as having their information stolen and their bank accounts emptied,” Potchanant argues. “We have to implore them to be on the lookout.”
Faculty can discuss basic cybersecurity, such as encouraging students to have a “buyer beware” attitude when purchasing a digital product and to keep data privacy at the forefront of their decisions when signing up for digital services. “We are going to have a workforce of individuals who must have foundational cybersecurity hygiene going forward,” Potchanant explains.
Make Security and Privacy Part of the Courseware Selection
Faculty should ask courseware vendors about data protection and privacy when selecting courseware. They should also research companies’ security policies and assessments. “Ask the vendor if the courseware has undergone any third-party testing,” Potchanant suggests. “Because courseware is cloud-blended, it faces cloud security risks.”
Potchanant advises faculty to take advantage of collective wisdom. Colleagues who have used a courseware product can provide insight into its strengths and weaknesses. Faculty who have concerns about cybersecurity issues can team up to ask companies to address the problems. EDUCAUSE has convened many faculty and IT professionals to join events and workgroups and to develop resources on cybersecurity.
Potchanant recommends that as a first step when selecting courseware, faculty look at CourseGateway: “It provides a Consumer Reports-esque view on products, and cybersecurity and privacy concerns are baked into the product reviews.”
Be Aware of Special Considerations When Traveling Abroad
Faculty traveling abroad for research or teaching may encounter additional complications with cybersecurity. Potchanant suggests faculty look to the U.S. State Department for information on cybersecurity when traveling abroad. “We know from anecdotal evidence that faculty traveling to countries with an overbearing policy toward technology have returned with unwanted items installed on their machines,” Potchanant explains. “You wouldn’t want to trust that device afterward.”
In a previous role at REN-ISAC, the Research and Education Networks Information Sharing and Analysis Center and a partner organization with EDUCAUSE, Potchanant and his colleagues wrote a public resource for those traveling abroad for work or research. It provides tips for before, during, and after travel to protect institutional data.
Work with IT Colleagues
Potchanant says faculty sometimes have the misconception that cybersecurity experts will stop them from using products they like or otherwise impede their work. But he explains: “As an IT professional, I was always on the lookout for new software or updates that could make faculty’s lives easier or engage students in different ways.”
Cybersecurity experts work to find solutions that are going to protect the privacy of students, research, and data while still allowing faculty to accomplish their goals. A strong working relationship between IT professionals and faculty is productive.
“Never be afraid to reach out to campus cybersecurity professionals or nonprofit partners like EDUCAUSE, because they find solutions for faculty,” Potchanant says.