School Website Security: what features are important for your school website company to have
Cyber security as it relates to school websites is becoming increasingly important. Just as some schools have hired live security teams to walk the halls and protect the students, school website companies are putting their own security in place to protect your data and school image.
Security is listed just above food and water in Maslow’s hierarchy of needs. We have alarm systems for homes, cars, even trackers on our kids' cell phones to make us feel safe. However, when it comes to intangible security, such as website security, we act very differently. In my own effort to be more secure online, I decided not to have the same password for all my accounts. Then, because that would be very complicated and hard to remember, I considered buying a journal with “Passwords” imprinted on the cover, thinking it would be such an easy way to keep track of my different and now unique login information. After company security training, I learned this would not be secure either, but I am not alone when it comes to needing help with website security.
Questions about hacking a school website are at the top of the list of what people ask in school website searches according to AnswerThePublic.com. The top questions include:
Can you hack a school website?
How to hack a school website?
How to unblock a school website?
If you are a Tech Director reading this, you most likely understand website security. The problem is, other users of your school website are less likely to care as much. With students trying to hack into their Chromebooks to play games, and teachers using the same password for everything because “technology is hard,” it’s an uphill battle. Partnering with a website company that puts measures into place to help keep these users secure is crucial.
Here are some ways you can work to increase your school website security and some questions you can ask your school website company to ensure they are also taking the appropriate safety measures.
Secure Cloud-Based Hosting
The top cloud-based hosting companies manage and are able to guarantee the security of the underlying hardware based on the latest security recommendations. This is the opposite of self-managed hardware, which requires constant monitoring and updating. Ask what type of hosting your school website company provides. Also confirm that they provide DDoS (Distributed Denial of Service) protection to filter malicious attacks from numerous sources.
Single Sign-On & Two-Factor Authentication
How are you logging into the backend to make updates to your website? If you are allowing users to create their own usernames and passwords, does the software require a long password with letters and numbers? Does it require two-factor authentication? These features should be put in place by the website company to help with security. Single sign-on is a more secure option to have from a management perspective. If a user's credentials were compromised, the admin would only have to disable one account instead of all of their accounts. (That one account would cover email, social media, updating the website, etc.)
How many users can update the school’s website? If your website platform only allows for a couple of users but multiple people are updating the site, this can only mean that login credentials are being shared, which is not a secure practice. Having a granular user management system is ideal for security. (For example, being able to assign social media for the high school to one person, and social media for middle school to another person.) Therefore, if something is compromised at one school, it doesn’t affect the others.
Does your school website company filter out IP addresses based on location? This means if the IP address is from a certain location, it will not be able to access the school website. Locations on this list usually include Russia, China, North Korea, and possibly a rival high school.
PCI Level 1
Are you accepting payments online or through online forms? PCI (Payment Card Industry) has four levels based on how many transactions the merchant processes per year. Level 1 is the highest, with over six million dollars in transactions from the company annually. Ask your school payments company which level they are. The higher the level, the more transactions they process.
Penetration testing is the practice where companies hire another company to try to hack them in order to identify site vulnerabilities. If you are using WordPress for your school website, someone just needs to google how to hack a WordPress site. However, if you’ve hired a website management company, ask if they participate in penetration testing—and how often—to get a sense of the security measures they are taking to keep your school website safe.
Do the employees at your website company understand website security? Do they mandate security training for the entire company? That means the employees of your website company are trained annually about website security. It also means they know that if they receive an email with an attachment from their CEO, it’s probably spam and they need to report it, because most likely the CEO is not emailing the graphic designer important “financial” documents to read that are “time sensitive.” Therefore, if they are helping to maintain your site, they will not expose it to unnecessary vulnerabilities.
Closed Source Code
An open source platform such as WordPress means the code is available to the public, making it very vulnerable. If the code for your website is private and owned by the website company, it’s more difficult to hack. Also, if there is a vulnerability, the website company will know how to fix it because they are familiar with their own code.
Hopefully one day the searches around school websites will move away from how to hack to how to enroll or find or build. In the meantime, align yourself and your school with a company that values security a little more than the person who created a journal and titled it “passwords.”
See Edlio's security features here.