Data breaches not only embarrass an organization and damage its customers’ confidence; they are costly as well – according to the 2016 Cost of Data Breach Study: Global Analysis published by IBM and Ponemon Institute in June, the average total cost of a data breach globally increased from $3.79 million in 2015 to $4 million in 2016.
The average total organizational cost of a data breach in the US this year is $7.01 million (2015: $6.53 million), in Germany, $5.01 million (2015: $4.89 million), and in the UK, $3.95 million (2015: $3.70 million). And those numbers don’t include the potential reputation damage an organization can suffer in the marketplace once word of the breach spreads.
LMS Security Matters
Not surprisingly, protecting important data stored on organizational IT systems is a key concern of many executives. When addressing application security management, it is critical that organizations do not overlook their Learning Management Systems (LMSs).
It was only a few years ago when a global services organization confirmed that the posting of certain data files online was the result of a data breach pertaining to the LMS of a government agency.
LMSs today are also used in compliance, security control or quality management. LMSs store courseware and education-related records, some of which may contain confidential Personally Identifiable Information (PII) about employees or clients. And aside from organizational and employee records, an LMS often stores other sensitive internal information such as company courses that contain confidential product or strategy details.
In addition, single sign-on (SSO) integrations widen the blast radius of a single compromised account: an unauthorized user with a stolen credential or session can log in to an organization's LMS and, from there, reach other internal systems that are connected to or integrated with it. In that sense the LMS becomes a pivot point, and it deserves the same authentication controls (strong passwords, multi-factor authentication, session expiry) as the systems it is linked to.
Consequently, LMS security needs to be a top priority concern given that so much critical information about products, internal procedures, processes, operations, organizational structure, personnel and customers — that an external party could find extremely valuable – could be stored on or might be accessible, in some manner, through an organization’s LMS.
Uncertainty in the Cloud
Nowadays, many organizations outsource the hosting of applications to an external service provider in a ‘cloud-based’ or SaaS (Software as a Service) deployment. The SaaS option offers an organization several potential advantages, notably the offloading of the various managerial, personnel-related, environmental and technical aspects associated with managing an IT system.
SaaS also provides rapid elasticity – an organization gains the ability to quickly scale up or scale down the IT services it provides to its users to meet changing demands and requirements.
In a SaaS environment, both the software and the organization's own internal data (and possibly its external customers' data) are stored at the SaaS provider's data centers. The organization therefore needs to do three things: review what security protections the SaaS provider has in place, review what security functions the LMS itself offers, and investigate the provider's wider security regime. That last point means checking, among other things, whether the provider has a comprehensive security scheme covering network, change control, operations, facility and personnel aspects, and whether that scheme is actually followed in practice rather than merely documented.
Eleven out of 20 companies are currently running their LMS in the cloud.
However, larger organizations are still more likely to be running on-premises than in the cloud.
Source: Brandon Hall Group, 2016
While appraising the security of a SaaS provider's offerings, an organization should check whether the service provider is certified compliant with an internationally recognized Information Security Management System (ISMS) standard such as ISO 27001.
ISO 27001 certification demonstrates that many of the fundamental ISMS policies, procedures, operations and automated protection mechanisms that guard against security lapses are in place, externally audited and periodically reviewed, which removes many of the common security- and ISMS-related concerns faced by user organizations. It is not a guarantee of security, however: a certificate covers only the scope stated on it, and the Statement of Applicability records which controls the provider has chosen to apply. Ask for the certificate, confirm that its scope actually includes the data centers and the service hosting your LMS, and check the date of the last audit.
Finally, as service providers may operate multiple data centers in multiple locations, it is important that all these data center locations adhere to the same standards of security and compliance.
What should you consider for your LMS in terms of security and privacy, especially in the cloud?
Security management will always be a key consideration for any application that must deal with potentially sensitive information. Given that an organization’s LMS may contain, among other things, information about an organization’s products, internal procedures, processes and operations, organizational structure, customers and personnel, LMS security must be a top priority for any organization today.
In assessing LMS security, an organization should adopt a comprehensive approach considering aspects such as how passwords are stored (in plain text, reversibly encrypted, or, as they should be, as salted one-way hashes using a deliberately slow algorithm), the vendor's approach to secure development, the LMS architecture and, if the LMS is cloud-based, whether the hosting service provider is certified compliant with internationally recognized ISMS standards.
- Authenticity – validated identity authentication (e.g. e-signatures or physical identification)
- Integrity – secure infrastructure (e.g. ISO 27001)
- Confidentiality – data privacy & control (e.g. Secure SaaS)
- Availability – system architecture (e.g. intrusion/DoS detection & prevention)
- Auditability – tracking & reporting
- Applicable Industry Regulations (e.g. 21 CFR Part 11, EU GMP Annex 11)
- Data hosting location for data privacy and adherence to government regulations (e.g. GDPR)
- Control over software updates – is it important?
- Security of application infrastructure & standards (ISO/IEC 27001)
- Support for industry-specific regulatory and legal requirements
- Ability to tailor your system to your specific business needs
- Data segregation – how does the SaaS provider ensure your data remains both separate from other clients' data and inaccessible to other clients (tenant isolation at the application, database and storage layers)
- Encryption – how is your data protected both in transit (e.g. TLS for every connection) and at rest (e.g. encrypted storage and backups), and who holds the keys
Given these considerations, how much of your learning strategy are you willing to outsource or commoditize? What people data or information do you think might be at risk in your L&D or HR department?
Head of SaaS Services, NetDimensions
With 30 years working in the Information Technology field, Steve understands that IT is a means and not an end – a tool to enable businesses to grow. Throughout his career, Steve has managed the delivery of solutions that deliver value and solve problems for people. Steve spends his free time photographing bands in Hong Kong and Manila and writing about film, music, food and travel.