Trust no-one

Especially not the students.

We were so close. Just 20 minutes to go until the end of the week, and someone screwed up. LadiesMan spotted a couple of students using the computer in the office next to ours, nearly half an hour after home time. I immediately checked via remote desktop what they were looking at.

They were going through a member of staff’s email.

I marched in and challenged them, and things went from bad to worse. They had been given permission to go through the inbox by the member of staff in question, who was in another building at the time, to search for a contact email address.

This comes just one day, ONE DAY, after our Deputy Head had announced in a staff briefing that there had been a suspected incident of students accessing the staff intranet (which contains very sensitive pupil records) via a compromised staff account, and that staff should be absolutely sure not to leave their account logged in. We also issued a very firm policy at the start of term that explicitly explained why staff must never allow a student to use their login, ever, for any reason.

I recently started delivering training to educate our staff about Information Security. Guess who I’m going to book onto the next one?

About The Angry Technician

The Angry Technician is an experienced IT professional in the UK education sector. Normally found in various states of annoyance on his blog. All views are those of his imaginary pet dog, Howard.

2 responses to “Trust no-one”

  1. joe90bass says :

    It beggars believe how many teachers think that NOT letting pupils their accounts doesn’t apply to them, despite as you you mention informing them of the amount of sensitive data they’ve just allowed pupils access to. It doesn’t even sink in when you mention they would now be out of job if they had done this out ino the real world!!

  2. Gerard Sweeney says :

    Yep – had exactly the same thing here.
    Staff in dept x wanted the pupils to be able to print to their colour laser in their Staff Base. Which – oddly enough – they’d specifically asked not to be possible.
    Rather than give me the names of the pupils the wanted to have access, they instead gave out their login ID and passwords.

    I – like you – stumbled on this when I saw a group browsing through a folder that I knew they shouldn’t be able to see.

    Beggars belief, really.