Risk & Compliance  

Risk & Compliance: Safe Travels with School Data

If your students, faculty or staff are traveling to China, their data is at risk. Thoughtfully developed and well implemented policies can keep it safe.

Sep 4, 2019

https://higherlogicdownload.s3.amazonaws.com/NBOA/UploadedImages/c781eb1f-9fca-4408-b2f8-9bceec57f0af/NetAssets/2019/09/cyber_travel.png

|

Article by Clare Sisisky, Global Education Benchmark Group

From the September/October 2019 NetAssets magazine

Whether it’s students traveling as part of an academic program or staff members recruiting prospective students, many independent schools are sending stakeholders to China on a regular basis. When they do so, students and staff will need to keep their data safe — be it personal, health or financial data; their own or that of families. Travel security experts from International SOS, the world’s largest international security services firm, have reported that unauthorized broad-based data collection from international visitors is becoming increasingly widespread.

Kick-Starting the Conversation

During the 2018–19 school year, Global Education Benchmark Group surveyed 40 independent schools that regularly travel to China. Only 7% of schools had a policy or consistent practice to mitigate cybersecurity risk abroad, but 32% of schools were actively discussing the risks and how to best mitigate them. While 36% of schools reported they do not engage in any mitigation at all, 10% use only a school-based VPN to connect to the internet, 13% use only local devices in-country and 5% use only “burner” devices (one-time-use devices).

This data demonstrates that schools are beginning to recognize the significant risk and discuss strategies for mitigation, but practices vary greatly.

Self-Assessment for Schools

Schools should examine their communication and data access needs during travel abroad as well as reflect on the school’s risk tolerance around cybersecurity. Global Education Benchmark Group interviews with cybersecurity experts, school technology leaders and local Chinese partners affirmed the risk is real and helped shape the following questions schools can use to better understand their risk exposure and develop a strategy for risk mitigation.

  1. Who is traveling? What technology and communication needs (not wants) will they have while away, and what device and connectivity options will meet those needs?
  2. What data access needs will the travelers have while away (e.g., student medical information, alumni contact information)? How can they can access this data without using technology?
  3. Who will make decisions about risk mitigation and how will they be made?
  4. What steps do we need to take to implement any decisions with all relevant stakeholders, including students?

Policies in Practice

How do schools conduct discussions, make decisions and address challenges around implementation? Jamie Britto, chief information officer at the Collegiate School in Virginia and a nationally recognized expert on cybersecurity, provides one example. Before a school trip to China this spring, Britto brought together faculty, students and the director of global education, led the group through several scenarios and outlined a communications strategy. Collaboration among risk managers, technology leaders and global program leaders when developing strategy and implementing a plan was critical.

After reassessing risk, the team modified the previous policy, which allowed employees to use a school-based VPN, to a much more restrictive policy for students and school employees. Many schools that travel to China with students eliminate concerns by banning all technology, but most schools that plan a homestay component, such as Collegiate School, allow students phones during the homestay. Collegiate asked students to use limited technology and apps, and to wipe and restore all devices before reconnecting to networks in the U.S. upon return. Collegiate faculty were given old iPhones and computers that were wiped and loaded with the few features they would need as well as global phone service.

Schools will have varying thresholds for data protection, but when stakeholders travel to countries with increased risk factors, administrators would do well to assess their cybersecurity policies.

After implementing these policies during its latest trip, Collegiate administrators have decided that going forward the school will likely require students as well as faculty to use old iPhones, and trip planners will work with Chinese partners to acquire local SIM cards. This second iteration should eliminate students’ and families’ need to undertake inconvenient risk management steps and result in lower costs for the program.

Collaborative Engagement

Schools will have varying thresholds for data protection, but when stakeholders travel to countries with increased risk factors, administrators would do well to assess their cybersecurity policies. A collaborative approach should include the business office, technology department and department overseeing travel to help streamline implementation and communication. Policies will continue to evolve along with risk factors and management strategies, but schools that are up to speed and have a strong working relationship across departments will be much better equipped to manage their risk and avoid a significant data breach.

Claire Sisisky is executive director at the Global Education Benchmark Group, a nonprofit that supports 260 member schools in all aspects of global education including risk management.

Download a PDF of this article.


IN THE NEWS

ON THE HORIZON

15

years is the target ceiling for a school plant's financial "age."

Get Net Assets NOW

Subscribe to NBOA's free twice-monthly newsletter.

SUBSCRIBE