e-Safety and your Data – Password or Encryption?

The Ofsted e-Safety Inspection Framework makes reference to data on PCs, laptops etc. being encrypted.  This ties in with the Data Protection requirement to keep personal data safe and secure.  Not only is the loss of personal data a potential safeguarding issue, the ICO is free to punish (financially) for data breaches.

What is personal data?  If you want to read the ICO’s horrendously complicated definition you can see it HERE, but essentially it means any information or record that could identify a living individual.

Nine times out of ten when I visit a school, staff believe their data is encrypted because they use a password to log onto their PCs and laptops. This is completely understandable; surely if you need a password to log in to your device the data is protected?

Unfortunately this isn’t the case; passwords are no more secure than a lock on a door that can be kicked down.  When that door is kicked down, your data is wide open for all to see.

When I drive my car, I’m not really interested in knowing how a 4-stroke combustion engine works; in the same way this explanation is basic and non-technical.  You just need to know the difference and why it is important.

Passwords

Your password works in conjunction with your username, i.e. the name you use to log on to your PC.  Your username is what gives you your profile.  Your profile is what personalizes your PC experience.  For example it defines your level of internet filtering; it allows access to your emails without having to log in again; it defines (or maps) your drives where you save your personal and work documents; it may give you access onto your VLE without signing in again (called single sign-on, SSO); and much more.

The password gives you a very limited level of security so that the odd passer-by can’t just sign into your account and view your data.  To put it really simply using an analogy, imagine your classroom; your classroom has a door, your data is everything in the classroom.  You (your username) are able to open that door and view everything in that classroom (the data).  The password in this context is a lock and key; you put your key in the door (your password) and unlock it.  So this means that anybody with that key can open the door and view everything in the classroom.

Passwords are relatively easy to crack, usually with a technique called a brute force attack.  This is essentially another computer (piece of software) that tries out variations of passwords at a rate of millions per second.  So once your password is cracked, your data is wide open. To check a password you can see HERE for a bit of fun (WARNING: Do NOT put in your real passwords). I say a bit of fun because there is no way of checking if these types of sites are legitimate; for example I tested the password “testing123456789” and the site told me it would take 10 years to crack – hmmm I don’t think so!

Now, I don’t want to scaremonger!  Cracking a single PC password is easy (if it’s a poor password), so you may be wondering about all the passwords you use on the Internet for your shopping and the like.  Well, this is a very different kettle of fish and would be completely over the top for this post – maybe a future post.

Encryption

Encryption is something entirely different.  At its most basic level encryption is cryptography; this means that an algorithm is used with your password (known as a key) that renders your data completely unreadable gibberish without the correct key (or algorithm).  This means that if you lose your laptop or somebody tries to hack you, they simply can’t get at your data.
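For readers who do want to see the difference, here is a small Python sketch, added as an illustration and not part of the original post. It assumes a made-up pupil record and two made-up "disks", and uses a standard-library stand-in cipher (real products such as BitLocker use AES) purely so that it runs without extra software.

```python
import hashlib
import hmac
import os

# Constructed sample data: not a real pupil record.
RECORD = b"Pupil: Jane Example, DOB 2009-01-01, notes: constructed sample"

def _key(passphrase: str, salt: bytes) -> bytes:
    # Turn the passphrase into a 32-byte key (PBKDF2, a standard method).
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in cipher: HMAC-SHA256 in counter mode. Illustration only.
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))

def login_only_disk(password: str) -> bytes:
    """Password-only PC: the login screen checks a password hash,
    but the record sits on the drive exactly as it was saved."""
    salt = os.urandom(16)
    return salt + _key(password, salt) + RECORD

def encrypted_disk(passphrase: str) -> bytes:
    """Encrypted drive: only the scrambled record is ever written."""
    salt, nonce = os.urandom(16), os.urandom(16)
    stream = _keystream(_key(passphrase, salt), nonce, len(RECORD))
    return salt + nonce + _xor(RECORD, stream)

def unlock(disk: bytes, passphrase: str) -> bytes:
    """Decrypt with a passphrase; a wrong one just yields gibberish."""
    salt, nonce, scrambled = disk[:16], disk[16:32], disk[32:]
    stream = _keystream(_key(passphrase, salt), nonce, len(scrambled))
    return _xor(scrambled, stream)

def readable_without_password(disk: bytes) -> bool:
    """What you see reading the drive directly, bypassing the login."""
    return b"Jane Example" in disk

if __name__ == "__main__":
    print(readable_without_password(login_only_disk("Summer2013")))  # True
    print(readable_without_password(encrypted_disk("Summer2013")))   # False
```
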

There are different types of encryption, for example file/folder encryption, full drive encryption and others.  My advice is that if your device has personal, sensitive or confidential data, you need full disk encryption.

Encrypting your devices is not difficult, and neither does it need to be expensive; there are commercial as well as free offerings.  You should talk to your IT support to decide what best fits your needs.  Even better, if you are a Windows 7 user, you already have encryption available to you, supplied as part of the operating system.

So my advice is as follows:

If you’re not sure you need to encrypt your device, find out.
If you have data on your device that needs to be encrypted, and you’re not sure if it is or not, find out.
Ignorance will never be accepted as an excuse by the Information Commissioner’s Office.
You don’t need to know the technicalities; you just need to know: whether you do/don’t need encryption; if you do, that it is on your devices and working; if you do and it isn’t on your devices, ask your IT support why not.

e-Safety isn’t just about the normal safeguards; we talk to children and young people about the appropriate and inappropriate ways of sharing personal data – we have a legal and moral duty to protect their personal data also.
