With the COVID-19 situation forcing global school closures, schools have hastily introduced new platforms to continue delivering lessons. When it comes to video conferencing, the most popular choice has been the US-based company, Zoom. With growing pressure from the privacy sector and recent headlines stating that users have experienced inappropriate content and video hijacks, many schools are questioning if this is the best platform for a school to use.
Zoom has been subject to several high-profile security issues in the past, including an exploit and security issue that could allow an attacker to take control of your webcam and microphone. More recently, reports have surfaced of Zoom rooms being hijacked or "Zoom-bombed" by intruders, who used the room to voice racial slurs, post inappropriate imagery and videos and insult both children and staff.
[UPDATE 05/05/20] 9ine recommends that all users now change their Zoom account password and enable two-factor authentication. As always, ensure the new password is unique to Zoom. A recent security report claims to have discovered that more than 500,000 Zoom user account credentials are available for purchase on the Dark Web. This is not believed to be the result of a breach or cyber attack on Zoom but rather a technique known as "password stuffing" in which hackers use stolen usernames and passwords from other platforms that have suffered data breaches to attack users who use the same credentials for their Zoom accounts.
Zoom has been active in addressing each of these issues through a series of software updates, blog articles, online training resources, and a CEO announcement to their community. To further support this, we have put together best practices and considerations when using Zoom for your virtual classrooms.
The free version of Zoom is unmanaged and will likely result in staff and students accessing Zoom with either their personal and/or school email addresses. Safety and security settings cannot be managed by the IT team, and the school will be unable to acquire evidence or hold staff accountable, so the school can offer users no protection. Schools should use the Zoom Education license at a minimum, which provides centrally managed control of settings and users, organisation recording and an increased number of possible participants. If you wish to implement more regular recording of lessons and meetings then it’s better value to select the Enterprise plan, as it offers unlimited storage for recordings rather than the Education maximum add-on of 3TB.
Schools have experienced uninvited guests joining their Zoom rooms as a result of obtaining the room link or ID. This can be easily avoided by ensuring the "Waiting Room" feature is enabled; the host then approves any new users who may wish to join the room. In addition to this, enabling the "host-only content sharing" feature ensures that the host (Teacher) of the room can manage the content being shown and students cannot freely post images or videos to the shared screen. Both of these features are now enabled by default if you have the Education license of Zoom.
If pictures or recordings of Zoom meetings are shared on social media, it’s possible to obtain the Personal Meeting ID and potentially allow a hijacker to access the room. If "Waiting Room" is not enabled, the hijacker will be able to enter the room and share their video feed instantly. This could result in inappropriate or malicious activity being forced on the users of that room. Using a Random Meeting ID ensures that the moment the room is closed, access via the link is no longer available. This and other useful best practices for securing your virtual classrooms are available on a Zoom website created specifically for educators.
With staff working from home and becoming more comfortable in their home-working environments, now is the time to ensure staff receive suitable training and support in the use of Zoom. Zoom provides education-specific training materials, video tutorials, and live training webinars to get your questions answered.
Download 9ine's Data Processor Assessment to assist you in the deployment of new software tools.
As a Data Controller, you are responsible for making sure personal data is processed in accordance with data protection laws. You are required to make sure that all data processors you are using provide sufficient guarantees and have the appropriate technical and organisational measures in place. In response to recent pressure from the privacy sector, Zoom recently updated their Privacy Policy to provide more clarity about their personal data processing.
With some careful consideration and the right licensing for your organisation, Zoom can be an excellent platform for your virtual classroom needs. If you allow your organisation to rush in without completing the proper checks and sign up for the wrong license, you run the risk of exposing the school to a range of technical, functional, and safeguarding risks, resulting in an unsafe environment for your staff and students.
To assist schools during this challenging time, 9ine has developed a comprehensive Data Processing Assessment tool available to all schools. For further reading, take a look at our recent blog, Assessing and Deploying New Software Platforms.
ABOUT THE AUTHOR:
Tom Hamersley, Associate Director at 9ine and Head of Client Engagement, is an experienced certified GDPR Practitioner who is responsible for compliance programmes at a range of schools around the globe. Tom brings a wealth of knowledge with over 10 years of training experience.