Why a Secure LMS Matters Now More Than Ever

Your institution’s learning management system (LMS) does more than simply host content for students to retrieve. Used to its full capabilities, an LMS transforms learning, teaching and assessment ecosystems to help you make data-driven decisions and support students like never before. With the growing move to online, hybrid and technology-enabled teaching, it’s more important than ever to maintain vigilance over the security of your LMS.

At D2L, we believe that good security starts with a strong foundation. That’s why we put our clients’ security and data confidentiality, availability and integrity first. As part of our ongoing commitment to data security, D2L Brightspace has recently achieved provisional certification for the Texas Risk and Authorization Management Program—or TX-RAMP—a set of new cybersecurity requirements in Texas. TX-RAMP aims to provide a standardized approach to security assessment, authorization and continuous monitoring of cloud computing services used by Texas state agencies, including public higher education institutions.

In this blog, we look at three reasons why LMS security should be top of mind at every educational institution. We also discuss and define TX-RAMP, the recent piece of legislation passed in Texas to advance improved cybersecurity throughout the state.

Three Reasons Why a Secure LMS Matters Now

1. Ransomware Attacks Are Targeting the Education Sector

The State of Ransomware in Education 2021, a whitepaper from cybersecurity firm Sophos, found that the education sector experienced one of the highest levels of ransomware attacks across all industries, tied only with retail.

Ransomware is a type of malicious software (malware) that uses encryption to hold or block access to files, databases or applications until a fee is paid to the individual or group that deployed it. Over time, the volume, type and complexity of attacks have increased.

Today, the three main categories of ransomware are:

• Scareware: This type of ransomware uses pop-up security and tech-support alerts claiming that malware has been discovered on the system. The threats are made to look real and urgent to panic people into paying for security software to fix the problem. What people actually download is malware disguised as anti-virus software that’s designed to steal personal information and data.
• Screen lockers: As the name suggests, this type of ransomware puts a lock on systems and files, barring access while requiring a payment be made to restore it. When individuals attempt to use an infected file or computer, they’ll see a pop-up demanding payment, and they won’t be able to close the screen locker.
• Encrypting ransomware: This is the most complex and damaging type. With encrypting ransomware, an individual’s files are accessed, seized and encrypted. Then, the person gets a message telling them that their files are no longer accessible. If they want to decrypt them and regain access, they need to pay.

According to the State of Ransomware report, the education sector also had the highest recovery cost of all industries—$2.73 million, on average, to fully rectify a ransomware attack. That’s 48% above the global average.

2. Educational Institutions Have Seen a Spike in Hacking Attempts to Gather Valuable Data

The risks posed by cyberattacks extend beyond financial losses for higher education institutions. Colleges and universities have an enormous amount of sensitive data and personally identifiable information such as financial information, medical records and Social Security numbers from applicants, students, alumni and faculty. On top of that, institutions also harbor confidential research and intellectual property, which can be sought after by hackers.

According to Verizon’s 2020 Data Breach Investigations Report, educational establishments were the sixth highest out of 20 sectors most likely to experience cybersecurity incidents, with 819 incidents in 2020 alone. The shift to online and hybrid learning environments means that school systems are more digitally connected than ever before, making them particularly vulnerable to hacking attempts.

3. Institutions Are Facing Rising Costs of Managing Security Breaches

Managing cybersecurity incidents is not cheap. According to the Cost of a Data Breach Report, a 2019 whitepaper by The Ponemon Institute in conjunction with IBM Security, the average total cost of each data breach for the education industry was $4.77 million. This report also uncovered that the education industry had the eighth-highest cost per record, $142 per data set.

In addition to the financial impact, cybersecurity breaches can disrupt learning as information technology teams scramble to investigate the attack and determine the effect on their systems. This also impacts a higher education institution’s reputation and the safety of its students.

How D2L Has Committed to LMS Security

With the changing nature of cybersecurity threats and an increase in incidents, it’s more important than ever that higher education institutions have the right technology partners in place to not only meet privacy standards but also surpass them. The following certifications are an indication of how serious we are about protecting the confidentiality, availability and integrity of your data:

• ISO 27001:2013 is a security management standard that specifies security management best practices and comprehensive security controls following the ISO 27002 best-practice guidance.
• ISO 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing additional implementation guidance for relevant controls specified in ISO/IEC 27002. As well as additional controls with implementation guidance that specifically relate to cloud services. This Recommendation provides controls and implementation guidance for both cloud service providers and cloud service customers.
• ISO/IEC 27018:2019 is described by ISO as a document that “establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.”
• Service Organization Control (SOC) Reports are independent third-party examination reports that demonstrate how D2L achieves key compliance controls and objectives.
• Provisional certification by TX-RAMP, which aims to provide a standardized approach to security assessment, authorization and continuous monitoring of cloud computing services used by Texas state agencies, including public higher education institutions.

What Is TX-RAMP?

TX-RAMP is a risk and authorization management program administered by the Texas Department of Information Resources. The overarching goal of TX-RAMP is to provide “a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency.” Cloud computing services used by state agencies in Texas, including public higher education institutions, must receive a TX-RAMP certification. Authorization and certification under the program require cloud computing services to conform to a subset of the NIST 800-53 cybersecurity controls.

D2L Brightspace has achieved provisional certification for TX-RAMP based on previous work to achieve ISO 27001 and 27018.

How a Secure LMS Provides Peace of Mind for Your Institution

While every major industry faces significant cybersecurity threats, higher education is particularly vulnerable. Not only do these institutions hold an enormous amount of sensitive data, but they also provide students and staff access to many different applications, often operating on the principle of “bring your own device.”

In order to reduce the impact of pervasive threats, higher education institutions need to have in place the right technology partners with rigorous security policies. An LMS, for example, helps colleges and universities move away from decentralized legacy IT systems and instead provides a highly secure, durable and available infrastructure for deploying teaching and learning.

Learn more about D2L’s commitment to security and privacy here.

Written by: