Risk Management |
Article by Clare Sisisky, Global Education Benchmark Group
From the September/October 2019 NetAssets magazine
Whether it’s students traveling as part of an academic program or staff members recruiting prospective students, many independent schools are sending stakeholders to China on a regular basis. When they do so, students and staff will need to keep their data safe — be it personal, health or financial data; their own or that of families. Travel security experts from International SOS, the world’s largest international security services firm, have reported that unauthorized broad-based data collection from international visitors is becoming increasingly widespread.
During the 2018–19 school year, Global Education Benchmark Group surveyed 40 independent schools that regularly travel to China. Only 7% of schools had a policy or consistent practice to mitigate cybersecurity risk abroad, but 32% of schools were actively discussing the risks and how to best mitigate them. While 36% of schools reported they do not engage in any mitigation at all, 10% use only a school-based VPN to connect to the internet, 13% use only local devices in-country and 5% use only “burner” devices (one-time-use devices).
This data demonstrates that schools are beginning to recognize the significant risk and discuss strategies for mitigation, but practices vary greatly.
Schools should examine their communication and data access needs during travel abroad as well as reflect on the school’s risk tolerance around cybersecurity. Global Education Benchmark Group interviews with cybersecurity experts, school technology leaders and local Chinese partners affirmed the risk is real and helped shape the following questions schools can use to better understand their risk exposure and develop a strategy for risk mitigation.
How do schools conduct discussions, make decisions and address challenges around implementation? Jamie Britto, chief information officer at the Collegiate School in Virginia and a nationally recognized expert on cybersecurity, provides one example. Before a school trip to China this spring, Britto brought together faculty, students and the director of global education, led the group through several scenarios and outlined a communications strategy. Collaboration among risk managers, technology leaders and global program leaders when developing strategy and implementing a plan was critical.
After reassessing risk, the team modified the previous policy, which allowed employees to use a school-based VPN, to a much more restrictive policy for students and school employees. Many schools that travel to China with students eliminate concerns by banning all technology, but most schools that plan a homestay component, such as Collegiate School, allow students phones during the homestay. Collegiate asked students to use limited technology and apps, and to wipe and restore all devices before reconnecting to networks in the U.S. upon return. Collegiate faculty were given old iPhones and computers that were wiped and loaded with the few features they would need as well as global phone service.
After implementing these policies during its latest trip, Collegiate administrators have decided that going forward the school will likely require students as well as faculty to use old iPhones, and trip planners will work with Chinese partners to acquire local SIM cards. This second iteration should eliminate students’ and families’ need to undertake inconvenient risk management steps and result in lower costs for the program.
Schools will have varying thresholds for data protection, but when stakeholders travel to countries with increased risk factors, administrators would do well to assess their cybersecurity policies. A collaborative approach should include the business office, technology department and department overseeing travel to help streamline implementation and communication. Policies will continue to evolve along with risk factors and management strategies, but schools that are up to speed and have a strong working relationship across departments will be much better equipped to manage their risk and avoid a significant data breach.
Download a PDF of this article.
The General and the Diplomat: Protecting Data at Independent Schools (Sep/Oct 2018)
Risk & Compliance: Responsible Student Data Collection (Sep/Oct 2018)
Your Money or Your Data: Dangers of Ransomware (Sep/Oct 2016)
Sign in to leave a comment
Get Net Assets NOW
NBOA's free twice-monthly newsletter
1400 I Street, NW, Suite 675Washington, DC 20005www.nboa.org