Although cybersecurity awareness month ended in October, Ryerson’s Computing and Communications Services (CCS) wants to assure students that their data is securely protected for online learning.
Throughout the month of October, CCS ran a campaign for cybersecurity awareness with pop-up quizzes about what to look out for in emails and websites every time a student visited RAMSS along with Google Forms quizzes on short scenarios.
This year, participants in Cybersecurity Awareness Month at Ryerson got a chance to win an iPad Pro when they turned on two-factor authentication for all applications by Oct.31, and five gift cards with a balance of $200 each for reporting three of Ryerson’s fake phishing emails and not opening the suspicious links or attachments.
As post-secondary schools in Ontario remain closed for the remainder of the fall and winter semesters due to the COVID-19 pandemic, classrooms have been moved online. However, this transition to operating exclusively virtually doesn’t stop the regular monitoring of students as they take their tests online.
Ryerson has licensed the use of Respondus LockDown Browser for online exams and integrated this system into Ryerson’s learning management system, D2L.
Brian Lesser, chief information officer at Ryerson, said that softwares like D2L, Respondus Monitor, and Respondus LockDown Browser have been assessed by CCS for security and privacy.
“It usually starts with … questions by Ryerson’s privacy officer and chief information security officer regarding how the application works, the privacy policies and security controls of the [program],” said Lesser. “We may also check the [program]’s cybersecurity rating from a third party rating service and do our own vulnerability scans.”
“Lockdown Browser takes a huge toll on the hardware and performance of our devices as the software must be downloaded and all background programs must be force-quit,” according to the petition web page created by “RU Students.”
“New methods for online exams and tests that do not require downloads and such invasive spyware should be used for efficiency of test-taking, and the privacy of students.”
In October, the Western Gazette reported that Proctortrack, another proctoring software used by Western University, was hit by a company breach. Western University released a statement that confirmed “no student biometric data, videos, images or recordings were exposed.”
Verificient, Proctortrack parent’s company, sent out a Tweet that said “an imposter emailed out fraudulent messages.”
A petition made by Corey Vercauteren, a student at Western, addressed the president and vice-chancellor of the university to stop the use of Proctortrack.
“The extent of the information collected is unwarranted and poses a massive security risk for students’ privacy,” said Vercauteren on the petition web page. “There is an irony that professors are unable to record due to privacy concerns, but the university willingly lets a third-party company collect student data without option.”
Lesser explained that the Proctortrack breach at Western did not involve the application that was installed on students’ computers and that it was instead a breach of a Proctortrack test server in a data centre.
“Ryerson student data was not in the Proctortrack system at the time of the breach. Proctortrack also says no one’s personal information was stolen,” said Lesser.
In terms of LockDown Browser used by Ryerson he said, “When you take a test in D2L with the LockDown Browser, your test data goes to D2L and is stored on D2L’s servers … The video goes to a Respondus server and the test results to D2L.”
Other programs such as Microsoft Office and Adobe products have not gone through an assessment by CCS. However, Ryerson added an additional security measure for Microsoft Office 365 in July. All Ryerson employees that log on to their Microsoft Office 365 accounts will be asked to set up multi-factor authentication. Similar to how Ryerson community members would have to login to RAMMS, users would have to enter their password as usual and use another form of verification, such as Google Authenticator, to access their accounts.
Lesser said that CCS encourages faculties, departments, programs, and professors to let them know of the services and programs they want to implement in their classrooms in advance so they can use them more securely.
“In some cases that means minimizing or anonymizing the data stored on those sites … In many cases we have worked with vendors to incorporate Ryerson’s two-factor authentication system into their service,” said Lesser.
Because not all programs and websites that instructors are implementing into their classrooms have been assessed by CCS, students should take extra precautions when downloading attachments and clicking on links.
There are a few practices the CCS department recommends students do to protect their data privacy: learn Ryerson’s three-step ransomware response protocol, use encryption to prevent unwanted access to your data, and lock down your device in case it’s ever lost or stolen.
Security breaches can happen anytime, even when CCS runs multiple assessments and vulnerability scans on programs used by Ryerson students or when the students themselves take the extra steps to keep their data safe.
“There are no perfectly secure systems so we are always trying to evaluate risks and eliminate or mitigate them,” said Lesser.