Keeping the Evil In
Unfortunately, like so many other areas, the role of IT administrator in an education environment is often underfunded and underappreciated. During time that could be spent preventing hacking and viruses, admins must also deal with everything from stolen mouseballs and RAM chips to catastrophic disk failure on outdated equipment. With typical 15-year-olds often more expert in computer security matters than professionals with as many years' full-time experience, how does one get ahead in the battle against viruses, malicious hacking, denial of service attacks and fraud given the unavoidable limitations?
One myth which should have been dispelled years ago is that there is a software or hardware solution which will prevent these problems. An entire industry has grown in the last 5-10 years from marketing based upon Fear, Uncertainty and Doubt (FUD) when it comes to online environments. The truth is, whilst many products are excellent aids, there is simply no magic bullet when it comes to information security.
Instead of attempting to block every rogue packet and identify which user perpetrated each attack using solely technical means, we should also be looking toward preventing such traffic in the first place. How? Education.
Despite the huge returns on investment, education and training is, in the commercial sector at least, the most frequently overlooked tool in the shift toward information security. Although information security breaches cost billions globally each year, education and training is often seen as too expensive, since the staff could be generating revenue instead of training, or simply too hard given the many issues to consider. This puts the education sector at an advantage, given that education is the very core of the 'business model'.
The education sector has a great social responsibility as well: to ensure that students understand right and wrong before being turned on an unsuspecting world.
Unfortunately, cybercrime is too often seen as victimless. People who would never dream of stealing a chocolate bar from a shop would not think twice about penetrating a privately owned computer system and causing tens of thousands of dollars' damage. It is therefore incumbent on educators to reverse this perception and make sure students understand not just what they are and are not allowed to do online, but why such rules are put in place. Not only will this benefit society in general, it will also reduce the need for institutions' IT administrators to enforce such rules technically. With self-discipline doing more of that work, administrators can concentrate on identifying and stopping deliberate breaches.
In other words, reduce the number of bad guys to a more manageable level. Additionally, as today's students become tomorrow's software developers, consultants and network engineers, a solid grounding in security principles will help ensure these issues continue to be addressed into the future. As a parallel, many professional organisations are today spending the bulk of their Information Security budget on hardware and software for enforcement of policies, rather than finding ways to have well-meaning, adult staff simply do the right thing in the first place. This has created a shift in responsibility and an environment where end-users assume it 'must be okay' if the system lets them do something.
As schools develop IT educational programmes even for the youngest classes, it is important that these programmes focus on security and online behaviour. We have had tremendous success in changing cultures and would be only too happy to discuss the issues with you.