Cybersecurity in corporate eLearning: stereotypes, threats, and methods of protection
We suggest you conduct a little experiment. Type in the query “key factors when choosing an LMS” in a search engine, read a few materials on the topic, and count how many of them advise you to pay attention not only to the functionality, accessibility, and scalability of the LMS, but also to its security.
We’ll give you a hint – one in ten. And that’s at best.
This situation is frankly surprising, especially given the fact that, according to statistics, every fifth person over the age of 18 has been a victim of cyberattacks on social media or via mobile devices.
In fact, security should be one of the top priorities when looking for a corporate online learning service. CTO & Co-Founder of LMS Collaborator, Oleksandr Slubskyi, told us why.
The key criterion for choosing an LMS
Cybersecurity is a set of actions aimed at improving and protecting an organization’s confidential data. After all, let’s be honest, it mostly comes down to information, which is essentially the core value of any company, regardless of its size.
When it comes to online learning, it seems as if nothing bad will happen if your lectures, webinars, or tests fall into the wrong hands. Indeed, this is not as critical as, for example, in the banking sector, when it comes to losing money, or in the healthcare sector, when attackers can obtain data on your customers’ conditions.
Nevertheless, large and medium-sized businesses always assess risks and look at the security of the solution they are purchasing, as their reputation depends on it. The recent case of the hacking of one of the largest Ukrainian telecom operators is a vivid proof of the devastating consequences that third-party interference can have.
Oleksandr Slubskyi, CTO & Co-Founder, LMS Collaborator
In addition, don’t forget that corporate courses are not limited to learning about the company’s history and values. They may contain some sensitive information, such as product recipes, which attackers will gladly sell to competitors or use for blackmail purposes.
In cybersecurity there is also the concept of horizontal hacking (lateral movement): an attacker who cannot reach a target directly first compromises a weaker link and uses that foothold to get to it. So if the customer’s distance learning system is deployed and then hacked, it opens up a path to other information.
This type of fraud works more on a mass level. That is, if we are not talking about the company’s top management, then the attackers are not interested in any particular employee. Each employee is a small cog in the company, and there can be hundreds of thousands of such cogs. Therefore, most likely, the fraudsters’ goal is to get the personnel database through a hacked LMS in order to use it for spamming, fake sales, or blocking the service.
Russian hackers work on this principle, sending fake emails carrying malware to millions of people. A certain percentage of recipients open them, and the attackers succeed through quantity rather than quality.
That’s why cybersecurity is a key criterion when choosing an LMS.
But before you start looking for a reliable provider, you need to understand what dangers your company may face.
Threat #1. Spam
We don’t think there’s any need to explain what it is, because each of us has received an email from a Nigerian prince at least once asking to lend him some money. Spam can come to any email, even if you use spam filters. Unfortunately, there is no one hundred percent protection against it yet. But it’s still a good idea to have spam filters. Especially since this functionality is already included in most modern email services by default.
Good providers will protect the company’s staff from spam, but you should understand that this will only work partially. Therefore, employees just need to use critical thinking and look at who sent the email. If it comes from a colleague with whom you have not had any prior communication, you can write to them not by mail, but, say, in Telegram, Viber, or a corporate messenger and make sure that it was them who sent it.
Until that is confirmed, it is advisable not to open a suspicious email. Most people think, “I’ll just read it and mark it as spam – it won’t be a big deal.” No, such an email should be deleted immediately, because even opening it can hand information to the attacker, for example your IP address when the message loads remote content.
Less commonly, apart from such formulaic pieces, which immediately show that they are spam, there are also real masterpieces. I know of a case where the CEO of a fairly well-known company received a letter from the CFO with an invoice for using a certain IT service. He read it, approved it, signed it with his key and sent it on. In fact, it was a fraudulent letter, but it was very well crafted. The attacker simply introduced himself as the CFO and slipped in his invoice.
Now hackers have gone even further. One multinational company lost $26 million after fraudsters deceived its employees by creating a fake group video call using deepfake technology. And in the future, similar cases will occur more and more often.
Oleksandr Slubskyi, CTO & Co-Founder, LMS Collaborator
This is more targeted spam, but it still exists. It is more difficult to organize such a scheme than a standard mass mailing, but it is also many times harder to detect. Moreover, the development of ChatGPT has simplified this process, and it is becoming increasingly difficult to distinguish whether the email was written by a human or artificial intelligence.
Threat #2. Phishing
The idea behind this type of cyberattack is that the attacker imitates a login and password form that we are already used to, such as Google, Facebook, or other social networks.
An employee may receive a link with the comment “Look who’s in the photo” or “Oh, I recognized you.” Naturally, they are curious to see what it is. They click on this link, which seems to take them to the Instagram login form, and enter their username and password for authorization. In fact, this page is just a very sophisticated copy, so the employee may not even notice that he has handed over his personal data to the hacker.
And while spam filters can save 90% of cases, the responsibility here lies entirely with the person who clicks on the link. So far, there are almost no mechanisms to protect company personnel from phishing. That’s why you need to look closely at the URL of the page. It may be very similar to the original: not Facebook but Facebock, not Google but a “Google” spelled with look-alike characters, etc. Although most major social networks try to buy up such domains, you should still keep a close eye on this.
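To make the “look closely at the URL” advice concrete, here is an added example (not part of the original article or of LMS Collaborator’s product) of a small defensive check that a mail gateway or awareness tool could run: it compares the host in a link against a constructed allow-list of brand domains, folding typosquatting tricks (Facebock, digit-for-letter swaps, Cyrillic look-alikes, the real brand name tucked into a subdomain) before flagging. The trusted domain list is an assumption chosen for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list: domains whose login forms staff are expected to see.
TRUSTED_DOMAINS = ("facebook.com", "google.com", "instagram.com", "microsoft.com")

# Substitutions used in typosquatting: digits and letter pairs that pass for
# another letter at a glance.
ASCII_CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}
# Cyrillic a, e, o, p, c, x render identically to their Latin counterparts.
CYRILLIC_CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o",
                        "\u0440": "p", "\u0441": "c", "\u0445": "x"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (two-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_host(host: str) -> str:
    """Fold punycode, confusable characters and case so look-alikes collapse
    onto the name they imitate."""
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    host = unicodedata.normalize("NFKC", host).lower()
    host = "".join(CYRILLIC_CONFUSABLES.get(ch, ch) for ch in host)
    for fake, real in ASCII_CONFUSABLES.items():
        host = host.replace(fake, real)
    return host


def classify_url(url: str) -> tuple:
    """Return (verdict, trusted domain); verdict is 'trusted', 'lookalike' or 'unknown'."""
    host = (urlsplit(url).hostname or "").strip(".")
    if not host:
        return ("unknown", "")
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return ("trusted", trusted)
    folded = normalize_host(host)
    # Brand label = second-to-last label; assumption: no multi-part suffixes (co.uk).
    labels = folded.split(".")
    brand = labels[-2] if len(labels) > 1 else labels[0]
    best, best_dist = "", 99
    for trusted in TRUSTED_DOMAINS:
        # Real brand name placed as a subdomain of someone else's domain.
        if folded.startswith(trusted + ".") or ("." + trusted + ".") in folded:
            return ("lookalike", trusted)
        dist = levenshtein(brand, trusted.split(".")[0])
        if dist < best_dist:
            best, best_dist = trusted, dist
    return ("lookalike", best) if best_dist <= 2 else ("unknown", "")
```

The distance threshold of 2 is a tuning choice; short brand names may need a stricter value to avoid false positives.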
Threat #3. Credentials leakage
How can attackers gain access to confidential information?
There are usually two options here.
The first scenario involves the so-called classic method, when hackers find some vulnerability and steal the data they need.
Alternatively, they rely on the human factor: they guess the password of one of the admins or trick them into revealing it, and then log in under the guise of an administrator. In this case, there is no need to hack anything. The fraudsters already have all the access and can download whatever they want.
Checks and audits protect against the first scenario. This can be a penetration test, in which white-hat hackers you pay try to break in and then provide a report on the vulnerabilities found and potential ones. Usually, large companies have such people on staff or hire outsourced specialists.
As for the second method, when a password is stolen, two-factor authentication remains the most effective protection. Its mechanism is simple but no less effective: one factor is the password the employee knows, and the other is a temporary code. It is generated randomly and can be delivered in an authenticator app, Viber, Telegram, or via SMS.
And this temporary code goes only to the employee’s phone. That is, if the attacker somehow obtained or guessed the main password, the entire attack ends there, because he cannot go any further. The only exception would be if the phone itself is stolen, but that would be an organized scheme.
That is why you should never use the same password for different services. In this way, we simply make it easier for attackers to do their job. Using the same phishing technique, someone can steal an employee’s Instagram password and use it to log in to a distance learning system, corporate email, CRM…
Oleksandr Slubskyi, CTO & Co-Founder, LMS Collaborator
Nowadays, services check this themselves: when an employee enters a weak password, the system tells him or her that it is not secure. Many people are annoyed when a pop-up window appears asking them to add a digit, a special character, or a capital letter. But these requirements are not for fun, but for our protection.
If a password consists only of numbers, modern programs can go through billions of combinations in just a few hours and determine the required password. When we add letters and special characters, it complicates the process many times over. Then it takes months, not hours, to crack a password, which is why the requirements are so high.
Yes, I know that there are a lot of services, and it’s simply impossible to remember the unique login information for each of them. That’s why many people usually have a special file that stores all their passwords. Others, on the contrary, are afraid that this way an attacker can easily enter any application. This is how the stereotype emerged that it is better to have one universal password, but keep it in your memory.
Oleksandr Slubskyi, CTO & Co-Founder, LMS Collaborator
However, a password manager exists for just such cases. You can safely store all the information you need in it. It’s encrypted, so even if someone steals the file, they won’t be able to do anything with it. And most importantly, you only need to keep one password in mind – the one from your manager.
This is the fundamental difference between storing personal data in a regular Word document on your desktop and in special software. Hackers often deliberately target accountants or secretaries and find a whole catalog of such passwords stored in a publicly accessible file. In fact, this is the same as leaving them on a piece of paper attached to the monitor.
Threat #4. Use of public Wi-Fi
Employees tend to work on company devices, which are most likely equipped with basic security. No matter how bad or good it is, these services still perform their functions.
But there are cases when a person, for example, is sick and has to solve urgent work tasks. He or she is treated at home and deals with all issues from his or her personal gadget. Each company solves such situations in its own way.
Some companies do not allow access to the system from third-party devices. Some require that home devices also have certain protection. And some require you to install a special application that checks whether you can go to a particular site.
I recommend starting at least with the minimum base – buying a VPN that encrypts the Internet connection between the employee and the company’s services. It cuts off some of the threats that can arise when connecting from home or another location.
Oleksandr Slubskyi, CTO & Co-Founder, LMS Collaborator
The same remote workers sometimes like to go out and work from a coworking space or a coffee shop on open Wi-Fi. If you log in through a VPN, you can use it, in principle. This is also acceptable in the case of closed Wi-Fi, when you need to ask the waiter for a password, which encrypts the connection between the employee’s gadget and the router. There are no other options here.
No password means no encryption, which means that traffic is not protected. That is, an employee is simply sitting in a restaurant using free Wi-Fi, and meanwhile, someone can intercept their password and unnoticed download the necessary data. That’s why VPNs have become so popular, because they are a really good tool for protecting traffic while working outside the office.
Hackers also use VPNs precisely to anonymize themselves. As a result, only incomprehensible events from the Netherlands, China, or any other country remain in the logs. But here we are talking about free VPNs, and it is important not to confuse the two. If a company doesn’t have its own VPN and an employee installs a publicly available version, it is 99.9% likely to contain ads or viruses.
It is crucial to understand that most free things are not actually free. Everything has a price. And advertising is not the worst thing that can happen. That’s why it’s important for a company to have its own VPN to control every connection.
Oleksandr Slubskyi, CTO & Co-Founder, LMS Collaborator
Threat #5. Malware
In Ukraine, this issue began to escalate in 2016-2017, when the Petya virus appeared, encrypting everything it could get to on a computer. At that time, our energy sector and other government agencies were severely affected. It was then that people started to take cybersecurity more seriously, because before that, only large companies cared about it. The rest of us mostly thought it would somehow work out.
After the collapse caused by Petya, even small companies tried to improve their security. Therefore, at the beginning of the full-scale invasion, we were already more prepared for such situations. This became apparent not even in February, but at the end of January 2022, when cyberattacks from Russia became widespread.
Every employee can determine whether the software they want to download is dangerous, based on the same principle that free is rarely free. It is necessary to think critically. If we are talking about installing a program, i.e., the initiator is the employee himself, then you need to ask yourself why it is in the public domain.
Oleksandr Slubskyi, CTO & Co-Founder, LMS Collaborator
It’s a similar story with browser extensions and phone apps, but the Play Market and App Store try to control them. They use special tools to find and block unscrupulous developers, although this, again, does not guarantee one hundred percent security.
An employee can also download a seemingly ordinary PDF or RAR archive named “Instruction” or another word that automatically catches the eye. Our government organizations are often attacked in this way. It seems to be neither a program nor a plugin, but a simple document, but it can be used to hack a phone or computer.
It doesn’t matter what kind of file an employee opens – PDF, JPEG, or any other. There are no absolutely safe formats. Each of them can pose a potential threat. Anything that looks strange and shouldn’t be there should be ignored or deleted immediately. This is my main advice.
Oleksandr Slubskyi, CTO & Co-Founder, LMS Collaborator
In addition, you should regularly back up important data and update your device to the latest version. This is very important because hackers are constantly finding new vulnerabilities. Accordingly, the manufacturer is working to close them.
This is how we run in circles. But it is important not to fall out of this circle and not to neglect the proposed updates, because, unfortunately, there are no tools that would guarantee absolute security. So we can only rely on ourselves.
How to protect company data?
First of all, every decision depends on the tasks you set for yourself. And, of course, it depends on your budget, because some people have the funds to purchase expensive services to protect corporate data, while others do not. So there is no single answer.
This can be something as simple as installing an antivirus or conducting regular audits. These options are quite budget-friendly and take a minimum of time. Or you can go the extra mile, as we did, and get certified according to the ISO 27001 standard, which sets requirements for creating, implementing, and maintaining information security in a company.
Oleksandr Slubskyi, CTO & Co-Founder, LMS Collaborator
It is also not necessary to hire a cybersecurity specialist in-house. You can outsource this to people who will implement controls, write out action procedures, and train staff. However, you should still be in control. The company’s security should not be completely managed by someone from the outside. Someone must still be in the context and monitor problem areas from the inside, because you can’t just set everything up once and forget about it.
In addition, it is worth remembering that employees are capable of protecting themselves. First and foremost, their main task is to use logical thinking and think before they take any action. It seems like very simple advice, but it is extremely important, because it covers half of all potential problems.
Many hacks occur precisely because employees were in a hurry, inattentive, or thought, “Why do I need two-factor authentication? It’s long and inconvenient,” which then resulted in a hack of the system and, as a result, loss of money and the company’s reputation. Supposedly, they have nothing to do with security, because administrators set everything up for them. However, they are the ones who ultimately interact with the system, so every employee must understand the potential consequences of their actions.
A company should not rely on the self-awareness of its staff. Its task is to regularly communicate the importance of compliance with security rules and ensure that employees are digitally literate.
Oleksandr Slubskyi, CTO & Co-Founder, LMS Collaborator
Therefore, this is a two-way street. On the one hand, the company has to set up all IT services to ensure maximum protection. The employee, on the other hand, makes the final decision when it comes to opening an email, clicking a link, or downloading a suspicious file. So they need to know what threats exist. Only in combination will this system work.
Criteria for choosing an LMS
There are several important factors to consider when looking for a distance learning system. They may not be obvious, but take our word for it, they will have a significant impact on your company’s cybersecurity in the future.
Factor #1. Selecting the type of service
A moment of terminology.
An on-premise LMS is hosted locally on the company’s servers and managed by your in-house IT specialist. In practice, this means that no one guarantees you the quality of its work, since the developer is responsible only for the eLearning system itself, while it can be affected by the operation of the network, server, third-party software, etc.
At the same time, an on-premises LMS seems to be more secure than a cloud-based one, because it does not go beyond the company’s borders. It is configured exclusively on corporate devices and is under your full control.
When it comes to SaaS platforms, the developer acts as a provider at the same time. They have full control over all the necessary infrastructure, as well as the status of software updates, and, accordingly, can provide service guarantees (SLA).
Both approaches have their advantages and disadvantages, so in the end, it all depends on your needs. However, when it is a SaaS solution, we, as a provider, are fully responsible for it. It’s easier for us to constantly monitor and update the system so that all vulnerabilities are closed and potential security issues are identified through the same tests and audits. And the main thing here is that you don’t have to worry about it at all.
Oleksandr Slubskyi, CTO & Co-Founder, LMS Collaborator
Factor #2. Reputation
There is no need to hesitate to ask uncomfortable questions.
You need to know exactly where the LMS is deployed, which provider it is with, and whether it has backups, so that you don’t lose your training materials one day, like Union Group.
Also consider reputational risks. A closer look may reveal that the provider has Russian roots. It is quite easy to check this fact. If the service is unreliable, you will definitely find negative reviews on the Internet. This is the minimum you can do on your part.
Next, you should ask what authentication methods the chosen solution supports. For most companies, it is important how users will log in to the system: whether employees need to enter a password each time or whether it will be done automatically through a single sign-on (SSO) center.
Factor #3. Compliance with international standards
We can honestly say that LMS Collaborator as a product reached a qualitatively new level when it passed the security certification we mentioned above. That is, we hold a certificate issued by a Ukrainian auditor, who in turn is certified by an international consortium. To comply with the ISO 27001 standard, it is necessary to fulfill quite strict conditions, so it is considered a kind of safety guarantor.
What will the user of this service get?
- Secure channel for data transmission over the network
- Two-factor authentication
- Encrypting and protecting data from unauthorized access
- Logging events to analyze and detect suspicious activity
- Ability to recover data in case of loss or damage
- Access control
- Regular penetration tests that help identify weaknesses in the system and fix them
- Monitoring of malicious activity
That is, in most cases, it will be enough to ask whether the provider has an ISO 27001 or SOC 2 certificate. If it does, then such a distance learning system can be trusted from a security perspective.
And finally
Unfortunately, in today’s reality, installing a reliable antivirus is not enough. Cybersecurity is a complex issue that requires your constant attention. That’s why it’s so important for every company to not only have a detailed security plan with a step-by-step algorithm of actions, but also to regularly remind employees of its existence.
And this process never ends. It needs to be constantly monitored and improved because everything is changing. Technology does not stand still. Every day, attackers are looking for new vulnerabilities in your security. That means you need to do the same in terms of protection.