eLearning Platforms Must Adapt To Evolving Threats And Regulations

Why eLearning Platforms Must Adapt To Evolving Threats And Regulations

The eLearning industry is a growing—and profitable—global marketplace. It's a diverse technological ecosystem that runs the gamut from full-blown standalone educational platforms to specialized online tools and digital resources. It's been estimated that by 2025, the industry as a whole will be worth $331 billion. That's very good news for those in the industry, as well as for students around the globe.

All of the growth does not come without some risks, though. The rapid development and expansion of eLearning systems has happened with little to no industry standardization, and not much in the way of direct regulatory oversight. When coupled with the aforementioned high profitability, the industry finds itself with something of a target on its back.

Clouds Gather On The Digital Frontier

As with many other rapid technological advances, the massive recent shift towards eLearning hasn't only drawn in entrepreneurs and students, but a criminal element as well. This was certainly to be expected, as all digital platforms have come under some kind of attack at various points since their inception. There have already been examples of data security breaches and privacy issues within the industry, such as a recent hack of the eLearning platform Edmodo.

In that incident, the account information of approximately 77 million users was stolen, with at least 40 million of them containing associated user email addresses. While Edmodo insisted that the data included no passwords, it was still a worrisome portent for the entire industry. That wasn't the end of the story, though.

Within days of the news of the breach, a security researcher revealed that the platform was tracking both teacher and student activity and selling it to data brokers. While this is a common practice on many online portals, it raised fresh concerns about data privacy rights on eLearning platforms. It's a thorny issue in an industry that is tasked with safeguarding the privacy of millions of users, many of whom are minors.

External Cyber-Threats

The eLearning industry must come to terms with the scope of the external threats it faces, and they are numerous. Major online attack vectors against these platforms include:

  • SQL Injection
    Poorly secured database connections and related code are exploited to reveal site and user data.
  • Cross-Site Scripting
    Malicious code is spread to users when the platform ingests unverified data from web requests and other untrusted sources.
  • Inclusion Attacks
    Exploitation of insecure coding to request system data files from a web server or to cause it to run malicious code from elsewhere.
  • Access Control Attacks
    Guessing of administrative and other privileged account passwords through brute force or social engineering.
  • Denial of Service
    Overloading of web servers by flooding them with meaningless requests, thus preventing legitimate access.

In order to properly defend eLearning platforms from these types of attacks, operators must adopt a comprehensive approach to data security. This means bringing in programming experts to conduct a thorough security review of all public-facing websites, as well as deploying the latest web application firewall technology. Once these steps have been taken, regular penetration testing should also become a permanent part of the eLearning data security regime.

Internal Security Concerns

While the external security concerns are the most difficult to address, they aren't the only ones. That's because data security breaches aren't always the result of deliberate acts by malicious external actors. Sometimes, data may be exposed through simple mistakes committed by employees and third-party consultants as well.

For example, Schoolzilla accidentally left the personal information of over a million K-12 students exposed through a misconfigured Amazon S3 storage system. Although Schoolzilla assured customers that nobody had accessed the unprotected data (except for the security researcher who discovered the problem), the sheer scale of the exposed data illustrates just how easy it is for eLearning companies to suffer a serious data theft.

To reduce the chances of this type of error occurring, eLearning platforms must establish strict internal guidelines and procedures regarding data storage. Any external data storage should be reviewed by at least 2 technical staff members to provide critical oversight. In addition, there should be a single internal point of contact for any security concerns that arise, to minimize communication errors.

Regulatory Action

Although the eLearning industry hasn't had to deal with direct regulatory action as of yet, there are some legal requirements that many will soon have to meet. For eLearning businesses operating within the European Union or who have users based there, there's a broad new set of regulations regarding data security that is about to take effect.

In April of 2016, European regulators passed the General Data Protection Regulation (GDPR), which introduces new data security and privacy requirements throughout the E.U. Among other things, businesses will be required to protect:

  • Names, Addresses, and Identification Numbers
  • Health Data
  • Sexual Orientation Data
  • Location, IP Address, Cookies, and any other location data

As of May 25th of this year, GDPR compliance will be expected of all affected companies. As of that date, they must meet all of the requirements of the new regulation or be subject to escalating fines and other enforcement actions.

The Future Of eLearning Data Security

As time goes on, and the eLearning industry continues to grow, the number and frequency of data security threats will grow in direct proportion to it. There's also a high likelihood that the GDPR won't be the last regulatory regime that eLearning platforms must comply with. In the long run, those that are early to adapt and make sure that adequate resources are committed to data security will be best positioned for long-term success. There will be some initial financial pain, but if protecting long-term viability requires cutbacks on corporate gifts and other discretionary spending, the results will be well worth it. Just consider the alternative.
