2022 Back to School Cybersecurity Protection Package for the Secondary School Boards

The following questions should be presented to the school boards in the country:

• Have you prepared your school boards to plan for cybersecurity protection as you plan to receive learners back to school after two (2) years of ‘free range’ while using technology in their homes?
• Have you thought about the possible cyber threats that you are likely to face?
• What kind of guidance have you considered?

The above questions may be answered by reviewing the text below:

Several secondary school students who were forced to go and chill at home have had access to smart mobile phones, either bought by themselves or borrowed from colleagues. They have been using these phones to access the internet to browse content, open social media accounts, connect with their peers, etc. Their behaviors while using the internet might haven’t been regulated since the majority of the parents aren’t tech-savvy. These learners might want to sneak their phones to school or transfer their internet habits to the schools’ computing devices.

Many secondary schools in Uganda have inadequate staff to manage computing/information Technology (IT). Even where they are present, the majority are concentrating on teaching and completing the ICT syllabus and they don’t help the schools to protect the schools’ resources (students, teachers, computers and other supporting infrastructure) against cyberthreats.

Additionally, there may be limited resources like finances to protect the schools’ supported processes & systems that are supported by information technology (IT). This seems to have been a recurrent challenge in our country but the situation seems to have been escalated by the Covid-19 pandemic which has hit the education sector most and many other sectors of the economy.

The above challenges won’t spare the schools against the internal threat, the students who will pose a high risk to the schools’ IT environment. It might look normal to let students explore on their own and learn from their mistakes but to keep them on track in school requires school leaders to consider the digital safety of these learners especially in the current cyber era.

The following may need to be done to help protect the digital sanity in the schools:

Whitelisting/Blacklisting of certain web traffic/applications through firewall rule
There’s a need to identify the common websites/online applications that the students have been using or accessing for different purposes. This can be followed by either allowing the traffic/sites of interest (this is known as whitelisting) or blocking the unnecessary traffic/websites thus denying the learners who are trying to access those sites from school an opportunity to do so (this is known as blacklisting). This is implemented through standalone software or hardware with a program with configurable rules that enforce the whitelisting or blacklisting process. This is similar to what is known as Domain Name System (DNS) filtering, which is a process of using the Domain Name System to block malicious websites and filter out harmful or inappropriate content. This strategy will be successful if there are no proxies (commonly known as virtual private networks (VPNs)) which many learners have been using to access social media sites like Facebook from their homes.

Network segmentation by separating the network traffic of different users
After filtering out internet traffic using the blacklisting/whitelisting approach, one may end up blocking the legitimate traffic/websites (for example, YouTube) which teachers may find useful in the teaching and learning process. In order to make things right, the schools need to virtually segment their network so that different categories of people have access to different internet content. For example, teachers would be allowed to access all the sites which are needed to enable them to render their teaching service whereas the students are also limited to access only the sites which the management has discussed and authorized to be allowed.

Enforce authentication before accessing the computing resources
All school computing system users need to be authenticated (with a username and password) before accessing the resources. Any form of violation of access rules should be tracked and reported to the responsible personnel. This helps to identify who accesses what resources on the computers, thus it is easy to identify wrong elements in the school community.

Conduct regular password reset/expiry
To achieve item 3, there’s to support the authentication process by retiring the password with a lifespan of utmost six (6) months. This implies that learners shouldn’t be able to use re-use the passwords which they last used one year ago. This will help to reduce the possibility of students masquerading in their colleagues’ accounts in an attempt to hide their true identities.

Mobile device access and management
For schools that allow students and staff to bring mobile devices (phones and computers) to school should put in place guidelines on dealing with the use or misuse of devices. Proper documentation should be made and clearly communicated to the staff and students. This will help to maximise the teachers time at and commitment towards work and regulate the students’ behaviours while using their devices.

Cybersecurity awareness training/education
As already stated, it’s not a good practice to let both students and staff using the internet explore on their own and learn from their mistakes. Therefore, all the internet users in the schools should always be taken through a regular awareness education about cybersecurity tailored towards the ongoing trends in the cyber world. This could be done at the beginning of the terms, like two (2) after the first day of reporting.

Cyberbullying management
Bullying of students in high schools used to be a norm, possibly the vice could have been reduced a bit. However, having stayed home for a long period, learners may have learnt new mannerisms that are unpredictable at the moment. The bullying which used to be intra-school (i.e., students within the same school environment), can easily be accelerated to inter-school (students from different school environments). Within the cyber world, bullying can easily spread like fire.

Cyberbullying is bullying that takes place over digital devices like cell phones, computers, and tablets. It can occur through SMSs, Texts, and online apps, or online in social media platforms, online forums, or gaming where people can view, participate in, or share content. Furthermore, it includes sending, posting, or sharing negative, harmful, false, or mean/negative content about someone else. It can include sharing personal or private information about someone else causing embarrassment or humiliation within the community or among peers. In some cases, cyberbullying may cross the line into unlawful or criminal behaviour. The consequences of cyberbullying may vary from one individual to another. Some of the warning signs that a student may be involved in cyberbullying are:

• Noticeable, rapid increases or decreases in school computing devices used by the learners.
• Uncontrollable emotional responses (laughter, anger, upset) are exhibited by the learners about what is happening on their devices.
• A student hides their screen or device when others are near, and avoids discussion about what they are doing on their device.
• Social media accounts are shut down or new ones are created.
• A student starts to avoid social situations, even those that were enjoyed in the past.
• A student becomes depressed or loses interest in people and activities.

Schools should include cyberbullying in the schools’ anti-bullying regulations/policies and anti-bullying materials (inform of ‘talking compounds’), and in the teacher training materials for the ICT subject.  While traditional methods for reducing bullying are already working well, some more specific interventions will be helpful, including how cyberbullying will be reported and managed by the school management.

All cyberbullying activities need to be brought to the attention of school management because they can create a disruptive environment at school. The school can use the information to help inform prevention and response strategies.

Data protection, especially the personal identifiable information (PII)
PII is known as the information: (i) that directly identifies an individual (e.g., name, address, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors). Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic or other media.

It has been reported in the media that pregnant learners, learners who have given birth, and their partners who are students will be profiled and information shared across the schools in the country for easy tracking of the culprits (the boys). It was also reported that there will be mandatory testing of female learners to detect pregnancies. Some questions may be paused: How will the records be captured? Who will capture them? In which form will the records be kept/stored? Who will have access to the stored data? How will the data be shared across the different schools?

The schools should remind themselves about the nation’s Data Protection and Privacy Act 2019, assented by the president of the Republic of Uganda on 25^th February 2019. The act stipulates well the principles of data protection, data collection and processing, securing the collected data, rights of data subjects, data protection register, and others. The act serves to protect the privacy of the individual and of personal data by regulating the collection and processing of personal information; to provide the right of the persons whose data is collected and obligations of data collectors, data processors, and data controllers; to regulate the use or disclosure of personal information; and for related matters.

At all times, school leaders should exercise due care and due diligence while collecting, storing, processing and sharing data about their learners in order to protect themselves from being caught operating outside the law. According to the Legal Dictionary, “Due care is a level of responsibility that a person in a particular situation is expected to practice. For example, due care is practised when a person drives his car safely. He is expected to adhere to the rules of the road so as to prevent injury to himself and to others. When he makes it from point A to point B, while following all of the rules that are expected of him, he has practised due care in operating his vehicle. In law, determining someone’s due care is determining to what extent, if any, he was negligent in the situation at hand”. Additionally, the Oxford Learners Dictionary gives the definition of due diligence as reasonable steps taken by a person or an organization to avoid committing a tort or an offence.

With the above in mind, the pregnancy test results, photos or texts about pregnant students or any other protected information (by law) won’t be found on the internet platforms.

In conclusion, secondary school leaders need tactically and strategically plan for and deal with cybersecurity threats that are on the way to their school environment. The greatest threats of concern are the internal threats, the internet computer or internet users (staff & students) who form the weakest point in information security architecture.

By

NKAMWESIGA Nicholas, CISA®, CISM®

• Senior End-User Support Officer – Kabale University
• Academic Relations Director (Volunteer) – ISACA Kampala Chapter (https://engage.isaca.org/kampalachapter/)
• Volunteer – ISACA Global (https://www.isaca.org/)