Teacher and Students at the Computer

Guide for Teachers and Schools (and Other Institutions)

This guide is intended for Teachers, educational institutions, and organizations related to education, such as schools, libraries, study centers, or non-governmental organizations (NGOs) focused on education.

Its purpose is to guide professionals in educational institutions and organizations to increase their awareness of cybersecurity, providing tips to protect their networks, devices, and online accounts. Equipped with this information, they can incorporate these concepts into the noble practice of teaching, better preparing students for a future that, as we know, will be increasingly digital.

Some tips in this guide are easier to apply than others, and individual experience varies. Therefore, it is essential that schools have a trusted partner to help them make the best choices regarding tools and implement technology appropriately.

This is a living document, meaning it will be continually updated and expanded over time with new details. Therefore, I encourage you to check back periodically.

Awareness

Teachers and Schools play a crucial role in raising awareness among Students, Parents, and Guardians about the dangers of the Internet and the basic precautions they should take when using it.

Thus, Teachers in general—and particularly those specializing in Information and Communication Technologies (ICT)—should have these foundations to discuss topics such as online privacy, the protection of devices, and safeguarding online accounts with their students.

In addition to classroom teaching, Schools can organize in-person or online workshops for Parents and Guardians, as well as send information through flyers or emails.

But before teaching students, Teachers and Schools must protect themselves. And how can they do that? Let’s take a look next…

Network Security

Schools must ensure that their network is secure—not only against external threats but also against internal threats (whether intentional or not). To achieve this, it is essential to use a firewall and implement network segmentation, which involves having different segments for Teachers and Students, or for managed and unmanaged devices within the School.

Teachers have access to more sensitive content that Students should not have, so segmentation helps protect that access.

Additionally, care must be taken with personal devices of Teachers and Students that connect to the school network. These devices, which are not managed by the School, do not adhere to the established policies and, therefore, should not be connected to the same network as the managed devices.

Furthermore, Students are far more numerous, which increases the risk on the networks they connect to.
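A segment plan only protects anything if the firewall rules between segments actually enforce it. The following check is an added example, not part of the original guide: it audits a constructed rule export for rules that let Students or unmanaged devices reach protected segments. The segment names, subnets, forbidden-flow list and first-match rule semantics are assumptions for illustration.

```python
import ipaddress as ip

# Constructed segment plan: names and subnets are illustrative assumptions.
SEGMENTS = {
    "teachers_managed": ip.ip_network("10.10.10.0/24"),
    "students_managed": ip.ip_network("10.10.20.0/24"),
    "byod_unmanaged": ip.ip_network("10.10.30.0/24"),
}

# Flows the segmentation is meant to prevent (source segment, destination segment).
FORBIDDEN = [
    ("students_managed", "teachers_managed"),
    ("byod_unmanaged", "teachers_managed"),
    ("byod_unmanaged", "students_managed"),
]

# Constructed firewall export: (action, source CIDR, destination CIDR).
# Assumed semantics: first matching rule wins, implicit deny at the end.
RULES = [
    ("deny", "10.10.30.0/24", "10.10.10.0/24"),
    ("allow", "10.10.0.0/16", "10.10.10.0/24"),   # meant for staff, but covers Students too
    ("allow", "10.10.30.0/24", "10.10.20.0/25"),  # unmanaged devices into half the student segment
    ("allow", "10.10.20.0/24", "0.0.0.0/0"),      # "internet" rule that also matches internal subnets
]

def first_allowing_rule(rules, src, dst):
    """Index of the first rule that lets some src->dst traffic through, else None."""
    for i, (action, r_src, r_dst) in enumerate(rules):
        r_src, r_dst = ip.ip_network(r_src), ip.ip_network(r_dst)
        if not (r_src.overlaps(src) and r_dst.overlaps(dst)):
            continue
        if action == "allow":
            return i
        if src.subnet_of(r_src) and dst.subnet_of(r_dst):
            return None  # an earlier deny covers the whole segment pair
        # Partial deny: keep scanning (conservative, a hit may need manual review).
    return None  # implicit default deny

def audit(rules=RULES):
    """List (source segment, destination segment, rule index) for each forbidden flow allowed."""
    findings = []
    for s, d in FORBIDDEN:
        idx = first_allowing_rule(rules, SEGMENTS[s], SEGMENTS[d])
        if idx is not None:
            findings.append((s, d, idx))
    return findings

if __name__ == "__main__":
    for s, d, idx in audit():
        print(f"{s} -> {d} permitted by rule {idx}: {RULES[idx]}")
```

On the constructed rules, the broad `10.10.0.0/16` allow is reported because it covers the student subnet, and removing it exposes the same problem in the "internet" rule, whose `0.0.0.0/0` destination also matches the teacher segment.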

Schools should also have software that filters the content visited by students, ensuring that everything they access is appropriate for their profile and age.

The firewall should have its Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) enabled, so that any potential attack is both reported and blocked.

The Wi-Fi network should use WPA3, ensuring the use of the most secure protocol.

Device Security

Schools should manage their devices. It is not enough that the devices belong to the School and that it can do as it pleases with them; there must be software in place to ensure proper management. This includes implementing a policy for operating system and application updates, as well as certain controls such as blocking USB ports, among others.

Devices that are not managed by the School should not connect to the same network as those that are managed. This does not mean that they cannot connect to any network for connectivity, but rather that they should not be on the same segment as the managed devices.

Depending on the size of the institution or organization, protection software such as antivirus, Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), or Managed Detection and Response (MDR) should be considered.

Account Security

The school’s accounts should have secure passwords, which means long passwords, such as passphrases, rather than overly complex passwords that are difficult to remember—see our article on best practices for password management here.

In addition, all accounts should have Multi-Factor Authentication (MFA) enabled, ensuring that if the credentials are discovered by someone, they are not sufficient for that person to access the account. Learn more about MFA here.

Regarding access, least privilege policies should be implemented for teachers and students, meaning access should be limited to those who truly need it.

Compliance with the Law

Schools must also comply with the General Data Protection Regulation (GDPR) in the European Union or the General Data Protection Law (LGPD) in Brazil, limiting access to sensitive data and ensuring that this data is stored and transmitted securely. Whenever possible, they should use techniques such as anonymization or pseudonymization to reduce the risk associated with unauthorized access to the data, since schools store a significant amount of personal data of all Teachers, Students, and Parents/Guardians.
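One way to pseudonymize a student record before it leaves the administrative system, shown as an added example that is not part of the original guide: direct identifiers are dropped, the birth date is generalized, and the student ID is replaced by a keyed token. The field names, sample record and key are constructed assumptions.

```python
import hashlib
import hmac

# Fields removed outright because they identify a person directly (assumed schema).
DIRECT_IDENTIFIERS = {"name", "email", "guardian_phone"}

def pseudonym(student_id: str, key: bytes) -> str:
    """Keyed, repeatable token: the same student and key always give the same value.

    HMAC is used instead of a plain hash because student IDs are short and
    enumerable, so an unkeyed hash could be reversed by hashing every possible ID.
    """
    return hmac.new(key, student_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

def pseudonymize(record: dict, key: bytes) -> dict:
    """Return a copy for analysis: no direct identifiers, coarser birth date."""
    dropped = DIRECT_IDENTIFIERS | {"student_id", "birth_date"}
    out = {k: v for k, v in record.items() if k not in dropped}
    out["pid"] = pseudonym(record["student_id"], key)
    out["birth_year"] = record["birth_date"][:4]  # generalize YYYY-MM-DD to the year
    return out

# Constructed sample record and key; a real key would come from a secret store.
SAMPLE = {
    "student_id": "S-000123",
    "name": "Ana Example",
    "email": "ana@school.example",
    "guardian_phone": "+00 000 000 000",
    "birth_date": "2012-05-17",
    "class": "7B",
    "math_grade": 16,
}
DEMO_KEY = b"constructed-demo-key-not-for-production"

if __name__ == "__main__":
    print(pseudonymize(SAMPLE, DEMO_KEY))
```

The key must be stored separately from the pseudonymized export, because whoever holds it can re-link tokens to students; the output is therefore still personal data and still needs access control.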