When most of us think about online privacy and data security, our thoughts turn to technology solutions such as firewalls, anti-virus software and encryption. But the most critical risk factor of all is the human operator: after all, even the most sophisticated security systems won’t help if they’re not activated or properly deployed, and it’s notoriously easy to lose – or steal – a smartphone, tablet or laptop.
Users: your first and best line of defence
When it comes to protecting sensitive data, students, teachers, admin and support staff, and even parents all need to be security-aware. Whether through viruses transferred between shared files or emails, poor password management or even deliberate data theft, ‘people perils’ can’t be overlooked.
Information is the key, and that means training. It’s vital to have a full suite of security technologies, policies and protocols, but if they’re not adopted because users don’t understand their importance, or how to comply, then your security remains at risk.
IT: own the training, own the result
That’s where you come in. IT should take the lead in training users about the risks their actions may present. But that training must be more than a ‘one and done’ initiative – it must be regularly refreshed and above all, designed with a ‘user first’ approach. Best practices for such training include:
- Make it ongoing. Staff, students, and teachers come and go, and new risks are always arising. Cybersecurity training should be planned and built as an ongoing, always-changing program.
- Avoid the jargon. Keep it simple and non-technical; concepts and terminology that are familiar to you may be alien to your end users.
- Explain why. Too often, data security rules create barriers or burdens for users. This makes users more likely to ignore the rules unless they understand why they’ve been put in place.
- Share pertinent examples. Sharing some examples of good practices – and bad – will make the training more ‘real’ and demonstrate how the tools and techniques you’re adopting work in practice.
- Provide feedback. Share relevant examples of internal best practices (good and bad) so the organisation will learn and benefit from the training.
- Involve the parents. Parents also play a role in protecting data security and their own personal information. Make sure they understand the role and risk they represent.
One final tip: seek plenty of feedback from your users. Are you communicating clearly enough? Do they understand the ‘why’ behind the requests? Do they have suggestions on how issues might be approached differently? Opening the lines of communication between IT and others can help build relationships that boost compliance.