Secure eLearning: Overcoming The Biggest Online Training Security Challenges
Online security is more important than ever, and for a good reason. According to a 2017 study [1], modern enterprises face a 25% chance of experiencing a security breach, with the total cost of handling one averaging $3.63 million dollars. In this article, we'll have a look at the most important online training security challenges, and go through the LMS features that you need to deliver your enterprise training securely.
1. Account Breaches
Protecting access to user accounts is one of the biggest online training security challenges businesses face. The power of modern hardware makes it easy for hackers to break thousands of passwords per second (especially if they were stored naively).
In fact, there are billions of stolen account credentials available online, with more added every day. The threat is real for every business. Even some of the largest services, like LinkedIn and Yahoo, have been hacked [2], and user data have been compromised [3].
You can protect your online training portal from account breaches in three ways:
- Don’t Expose Your LMS To The Open Internet
In practice, this means that your LMS is only accessible from your company’s own network. This creates some big restrictions, but provides the ultimate protection from internet attackers. If you take this route, you’ll need an LMS that allows self-hosting, like TalentLMS, so that you can run it from your local data center.
- Choose An LMS With Complete Authentication Features
Protecting an internet-accessible training portal from breaches is difficult, but not impossible. Choose an LMS that comes with these security features:
- Password policies (expiration, minimum length, etc.)
- Account lockout after repeated failed login attempts (to prevent “password guessing”)
- Two-factor authentication (this improves account security by using the user’s smartphone or email account as an additional “password”)
- Choose An LMS That Works With Your Existing Single Sign-On Scheme
If you can log in to different services at your company with the same username and password, then your organization uses a Single Sign-On system. Your LMS should be able to support that.
In practice, this means you want to look for an LMS that supports industry-standard SSO authentication methods like LDAP, Active Directory, and SAML 2.0. An SSO-compatible LMS gives your administrators total control over your company’s employee accounts and allows them to easily enforce company-wide security policies.
2. Web Attacks
A strong authentication system will protect you from attackers trying to steal regular user accounts. Βut hackers will still try to gain access to your training portal through common web application security holes. These security holes come with scary names such as XSS, SQL Injection, and CSRF, and even scarier implications.
The only way you can protect your investments against attacks like these is by choosing a reliable LMS vendor, like TalentLMS, that pays attention to security. Ask your eLearning provider about their security features. Do they follow best development practices? Do they have a proven track record? Choose an LMS vendor that does regular security audits and penetration testing, and check review sites and user comments to investigate their security reputation.
3. On-The-Fly And On-Disk Data Security
If you allow open internet access to your training portal, then web encryption is not just nice to have, but a necessity. Not only do recent laws like GDPR mandate it, but most modern browsers will mark your portal as “insecure” (or refuse to access it) if it doesn’t support encryption.
To encrypt your eLearning traffic, your LMS’ security features must include support for the HTTPS protocol. HTTPS encrypts the data exchanged between your LMS and your learners, and ensures that nobody can snoop on your network connection.
To further ensure that you have total control over who can decrypt your users’ data, avoid cloud-based eLearning software that hosts all of their customers on the same domain. Instead, invest in a custom web domain and encryption certificate for your training portal, or run your LMS as part of your existing corporate domain.
The on-disk security of your data is important, too. Make sure that your training data is regularly backed up. If your corporate policies or client contracts demand it, make sure that your LMS allows for encryption of data at rest.
Last but not least, ensure that your training platform gives you the tools to achieve GDPR compliance. This is a must, whether your organization operates within the EU or not.
4. Access Control
Larger organizations face another major online training security challenge – access control i.e., who gets to see what. For smaller businesses, where every employee knows everything, access control isn’t a big issue. But for larger businesses, with thousands of employees, different departments and projects, you’ll want certain employees to have access to certain information.
To do this, your LMS should let you define and enforce access control rules (or “permissions”) for different users and different pieces of content.
Pro tip: To make your administrators’ lives easier, find a platform that supports mass assignment of predefined sets of permissions. This feature is known with many names across different LMS platforms, but you’ll usually find it as either roles, groups, or user types.
If your organization spans multiple facilities or countries, you’ll also want the ability to create dedicated eLearning sub-portals for different groups of employees. This feature (usually only found in LMSs for large enterprises) lets administrators restrict training access based on local needs, but spares them the overhead and security risk of managing separate LMS installations.
5. Data Center Breaches
One of the biggest online training security challenges is protecting your learners and training data from attacks. These aren’t attacks just against your LMS, but against all other parts of your infrastructure, too.
Security experts often say: “A system is only as secure as its weakest link”. This is why having a secure LMS is not enough: it needs to run on secure and properly maintained infrastructure.
When it comes to your training infrastructure, you have three options:
- Software As A Service Training Platforms
Some of these have a great security track record, while others don’t. In any case, it’s a matter of trust. You have little control over their infrastructure, and whom you share it with.
- Self-Hosting
If your LMS supports self-hosting, you can install it to your enterprise data center or private cloud. This can be more or less secure than a SaaS offering, depending on your IT skills. Large companies with dedicated IT departments can easily go that route, and get an extremely secure result. Especially if combined with restricted intranet-only or VPN-based access to the eLearning portal.
- Managed Private-Cloud Hosting
For Subject Matter Experts and larger enterprises that don’t wish to self-host, this is another secure option. Unlike with a SaaS platform, a private cloud gives you total control over your installation. Unlike with self-hosting, you have a dedicated team of dev-op professionals taking care of installation, maintenance, and security.
What’s best, your training cloud is segregated from the rest of your enterprise services (billing, document management, and so on). This adds another security layer against hacking attacks.
If you’re unsure about your company’s security expertise and want the best possible option, the managed private-cloud route is your safest bet.
6. Human Error
One of the biggest security challenges companies face is having employees ignorant of security practices. Fortunately, you can tackle this one with a little effort. To prevent costly employee-driven security breaches, educate employees on basic security principles.
At a minimum, they should know:
- not to pick obvious passwords (e.g., their birthday or 123456)
- not to use the same password on multiple accounts and services,
- not to write their passwords down
- not to give their password or other sensitive information to third parties (except e.g., your IT department)
- not to trust public computers (e.g., those on internet cafes, libraries, etc.)
- not to trust email attachments from unknown recipients
- how to spot phishing emails
We suggest you use your enterprise training program to train employees on the basics of online security. Make it part of your onboarding program so that new hires start following best security practices right away.
Even better, have employees retake the course (e.g., annually), as part of a company-wide security certification (for this, you’ll need an LMS platform that can handle certifications).
Over To You
Do you agree with our list of online training security challenges? If there are any you think we’ve missed, or if you have some security-related tips for our readers, leave us a comment below.
If you’re on the lookout for an enterprise LMS software for your employee training, consider eFront. It’s an award-winning platform that ticks all major security checkboxes (and then some), and comes with all the features you need to create, deploy, and manage your enterprise training courses.
References
- Ponemon Institute’s 2017 Cost of Data Breach Study: Global Overview
- A hacker is selling 167 million LinkedIn user records
- Hackers stole data from more than one billion user accounts: Yahoo
