A major data breach is a problem for any industry, and none more so than the educational software sector. There is a clear duty of care to children in your systems as a breach could have a significant impact on their lives. In addition a breach will lead to a large fine from the Information Commissioner’s Office and the publicity could seriously damage your company’s reputation.
Whilst breaches are becoming more common, the good news is that there are steps you can take to prevent them. The best approach is to fully review your systems to identify areas of weakness and then a concrete plan to strengthen them. This is a long and detailed process and beyond the scope of this Insight. However there are some techniques which are common to all situations, and if implemented well will go a long way to reducing risk. I have outlined three of these techniques below.
Test, test, test
This is simple really - you would never release an application without testing first to make sure it did what it was required to do. We call that functional testing. Well in 2021 protecting children’s data is one of the things your application is required to do. So its time to test that too!
To security test applications there are two complimentary types of testing. Penetration testing, where someone effectively tries to hack into your system. And Static Application Security Testing (SAST), which is like an automated code review looking for security weaknesses.
To carry out effective security testing build SAST into your SDLC and apply it to every line of code as its written or compiled. Your developers can then correct security issues on the fly as they code. This is both very effective and very efficient. And in addition on an annual basis (or at major releases) carry out a penetration test and resolve any issues discovered. The pen test also has the benefit of providing a great report for you to share with your customers to prove how secure you are. This may even help you win new clients!
Create a fortress around your data
Put simply the data is where your risk is, so focus your protective efforts around it. Place your strongest controls closest to it, and layer them so that if one fails you can rely on the others. For example place your data on a separate network, configure the servers to be ultra secure, control privileged access to it, instal the cleverest anti malware, encrypt it, and only allow systems access to it which absolutely need to. I’m not saying don’t secure the rest of the network, but your data store is where your risk lies. £5,000 spent protecting it will be worth £50,000 spent elsewhere. Create a fortress around your data.
A side note on this. To be effective your data needs to stay in the fortress. If you have lax data control and allow it to spread throughout your network it is still at risk. Unless of course you build a second fortress around it there too. This will be relevant for reporting and other uses where large amounts of data are exported for analysis or integration. And never use children's data for testing!
24/7 burglar alarm
Hackers, miscreants and organised crime gangs will take some time to get to your data. Gone are the days of a simple hack leading to someone running off with terabytes of data – or at least they should be if you take security at all seriously! Ransomware gangs and other groups of nefarious scoundrels will gradually learn about your network and when they locate your data will try different techniques to get access to it. And once they get access, copying a large amount of data out also takes time. All of this activity makes noise, which you can alert on. And like a burglar alarm, that alert gives you the chance to act.
General alerts all around your network are a good idea, but can create lots of false alarms so be ready to tune them out. If you already have a fortress architecture you can use very precise alerting which will give you a very good alarm that an attack is underway. Here are some examples:
- Unexplained use of privileged accounts in the fortress
- Login failures within the fortress
- Anti-malware events within the fortress
- Access attempts blocked for access across the firewall into the fortress
- Access attempts blocked for access across the firewall out of the fortress
- Unexplained network spikes of traffic leaving the fortress
Of course, once you know an attack is underway you have to be ready to react. More about this in a later Insight.
I hope that you have found this Insight useful. It should give you a starter for 10, and if you would like to know anything more about how to protect against a data breach please do feel free to get in contact.
Head of Consultancy