Educational institutions handle large amounts of personal information and are increasingly becoming targets for cyber-attacks and data compromise. Considering, managing and planning for these risks will help an educational institution better protect its students' personal, confidential and health information from a data breach, and will assist the institution in being compliant with privacy law and regulation.

Laptops, tablets and internet-connected devices are now omnipresent in Australia's educational institutions. Used by students, staff and the institution, these technologies provide efficiency in how the institution interacts with its student population. But the increased use of mobile devices within a network poses significant challenges for institutions – in particular, in protecting their networks against infiltration, compromise or attack and in securing the personal and confidential information accessible within those networks.

What are the emerging risks and how do you manage them?

  1. More gateways: An unsecured network made up of multiple devices is a labyrinth of open doors for hackers into an institution's network. This risk will only intensify with the increasingly common implementation of 'bring your own device' (BYOD) policies at schools and universities. Ensure your BYOD policy prohibits non-education related activities and consider how you can actually enforce it. Without proper enforcement, even the best policies are just words on paper. Educate your teachers, lecturers and students about online risks. Most importantly, plan for a data breach and prepare an effective response. Know what to do and who to call when the inevitable occurs.

  2. Smarter students: Hackers are not only those external demons who wish to steal information or compromise systems. Academic fraud through internal infiltration is becoming increasingly common. Identify data which is particularly valuable to an internal intruder seeking to commit academic fraud, such as tests, assignments and results, and implement additional security measures that protect this information from compromise.

  3. Tighter privacy regulations: Public and private educational institutions are subject to the Privacy Act by their collection of personal information. Know which laws you come under and ensure that you are compliant with the law and regulation relating to personal information – keep an up-to-date and effective privacy policy, implement appropriate security practices and safeguards at your institution to ensure the policy is effective, and actively encourage privacy within your institution. Remember, your institution should only retain information that is reasonably necessary for its functions. The OAIC provides useful guidelines on your compliance obligations. Finally, remember that mandatory data notification laws are looming. You don't want to be the educational institution which tells parents that you haven't properly secured the personal or health information of their children.