Cyber attacks are becoming more sophisticated and more frequent. This makes the security of online platforms increasingly important. In this two-part series about cyber security, we look with IJsbrand van Prattenburg, Information Security Officer and Software Developer at Procademy, at the measures that are needed to make online learning safe, and at why they are necessary. In this first part we zoom in on the people behind the systems. What can you do, and what can your organization do, to make and keep online learning safer?
More than just technology
IJsbrand opens the conversation: "When you think of information security you quickly think of the technical side of things. That you protect things with passwords, try to prevent DDoS attacks and arrange the encryption of your files properly. But the human factor also has a great influence on your security. The way in which you monitor the quality of security together is so important. So: who is going to think up a new functionality? Who is ultimately responsible for maintenance? Who can monitor that? How do you test that with each other? By thinking about that and applying the outcomes, you prevent vulnerabilities in your systems." Wearing two different hats, as an Information Security Officer and as a Software Developer at Procademy, IJsbrand looks at security issues daily from both a technical and end-user perspective.
In addition to monitoring quality, human activity is an important link in information security. Critics claim that it is the most important and weakest link at the same time: "You can technically seal everything off, but if you as an admin user share your login details, you make it a lot harder for us to guarantee the security and integrity of the system." IJsbrand soberly outlines a common problem. It is a good reason to start this article by sharing some concrete security tips to make online learning more secure.
Tip 1: Your account is your account
"People sometimes have the impression that the sensitivity of the data on a learning platform is not so bad. As a result, they tend to go a little easier on their login credentials." IJsbrand outlines a well-known risk. "One of the main points of data security is that changes are always traceable to a specific administrator or a specific linked system. This is hugely important, because then we can also observe anomalous patterns, which may indicate misuse of login data. Sharing login credentials with each other may seem harmless to the administrator. Or especially convenient, during a leave of absence. But for us, important information about traceability is thereby lost. That means we are less able to do our job - securing the personal data of all those thousands of end users."
And the risks go beyond obscured traceability, IJsbrand explains: "It is sometimes forgotten, but information about the knowledge a person has, that also falls under personal data. Someone with access to Learning Management Software can see what certificates or diplomas a user has or even what competencies. That's just confidential information."
On top of that, malicious hackers continue to evolve. "Hackers are getting smarter at pooling obtained information. For example, your obtained password from your e-learning module may eventually also lead to your X account being hacked, if you don't vary your passwords enough. That one hack then sets in motion a domino effect with major consequences."
Tip 2: Use a password manager
This brings IJsbrand to his second concrete recommendation: "Invest those few euros per month in an application to manage your passwords. With this you can easily choose your own, rock-solid and virtually unbreakable password for each application, without having to remember it all yourself. After all, if your personal passwords are captured, that's the end of it. Then all your information will be on the Internet for the rest of your life. That is an irreversible process and really bears no relation to the euros for a good password manager." Suggested tools for managing your passwords include 1Password, LastPass or Keeper.
Tip 3: Monitor your rights
"A lot of good security starts with awareness. Being aware that there are people out there who want to do harm. Then you also act on that insight. So by not sharing accounts, or being careless with passwords, but also by periodically checking in your organization how the rights are distributed. Who is allowed to do what? Are they still correct? And, we really see it happen: an employee goes to a competitor, still has the old login details and tries to take the old teaching materials with him. You have to be keen on that." So that means you have to define roles and matching rights. IJsbrand explains: "We always start from the 'principle of least privilege', where users only get the rights they need to perform a function. And therefore not more rights, because that happens to be convenient."
Tip 4: Data minimization
In the article on technical measures, we will see that software development can take minimizing and anonymizing the data in a platform into account. But the administrator also has an important role in this: "As an administrator, you feed the platform. That means you have to think about what you put in it. What data in an e-learning contains confidential company information? What personal data do you store from your learners? If certain data is necessary there, for example to create proper certificates when passing, how long can that data remain in the platform? What are possible triggers to review that information?" These are all questions you can ask yourself about the data in your SaaS tool.
But data minimization is also best applied outside the storage of your tool, IJsbrand explains: "Suppose you have a support question about your learning environment, what do you send along to your supplier? At Procademy we are very clear: communicate a user ID to us. Then we look for the relevant information. That way we don't have to receive e-mails with personal data or attachments containing confidential data. Conversely, we also want our employees not to send those kinds of e-mails. We train on that. And if the situation requires it, we choose a secure mail solution where the message is automatically deleted after use. This way, such e-mails do not live on indefinitely in our customer's mailbox. New customers sometimes have to get used to this, but once we have mastered this together, we can tick off another security risk."
Organizational measures at Procademy
From the practical recommendations, we move on to the concrete organizational measures at Procademy. IJsbrand, smiling: "I believe in practice what you preach. That's why at Procademy, for example, we work according to the Privacy by Design principle. And in addition to only using user IDs, our colleagues also work with Multi-Factor Authentication and we control access to systems based on a strict IP whitelist."
Even for non-daily operations, Procademy has information security as a high priority: "We frequently release new updates to our software. That's nice for our customers, but that speed can also carry some risks. Therefore, we naturally test every update thoroughly before we proceed with the release. For example, we always have at least two people look at the code before it goes live. And does something still go wrong? Then we can intervene very quickly with a security patch."
Added to that: "To avoid just judging our own meat, we also have a comprehensive pen test conducted annually to uncover vulnerabilities."
Procademy has, partly as a result of the above activities, ISO 27001 (international standard for information security), ISO 9001 (international standard for quality management) and NEN 7510 (Dutch standard for information security in healthcare). "With this, independent auditors also judge that we at Procademy pay proper attention to our Cyber Security and the processes that go with it," concludes IJsbrand with satisfaction.
Want to learn more about what secure learning management software can do for achieving learning goals in your organization? Please feel free to contact us for a demo.