Security Best Practices for Your LMS

Posted by Sam Fellerer - November 18, 2020


You may have seen news stories about high profile cyberattacks on companies and government organizations. As our world becomes more digital, and more training moves online, the possibility of being the victim of a cyberattack becomes more real. If you’re the administrator of a Learning Management System (LMS), and you haven’t thought much about security, now is an excellent time to start! This process doesn’t have to be scary or difficult, it’s all about being informed and knowing the steps you can take to keep your users and your organization safe.

Why Does Security Matter for an LMS?

Any piece of software or system that contains user data should be protected from malicious attackers who might use that information to harm your users or your organization. Your LMS likely houses sensitive employee information and passwords, as well as training policies and intellectual property. A breach in your LMS could also lead to attacks on other company systems. Therefore, it's important to keep your LMS secure. Let’s go through some of the steps you can take now!

Be Aware of Your Legal Obligations

The first thing you should consider is if any regulations apply to your organization that govern how you should handle your users’ information. The most commonly talked about standard is the General Data Privacy Regulation (GDPR), which is a European Union regulation. If you have any users in the European Union, then GDPR probably applies to you, and you’ll need to make sure you’re giving your users proper notice along with their consent to use their information.

The other major regulation to be aware of is the California Consumer Privacy Act (CCPA). Unlike the GDPR, which applies even if you only have one user in the EU, the CCPA only applies if your organization meets certain criteria. If you’re a for-profit organization and you have either $25 million in gross revenue per year OR have information about 50,000 California residents, then CCPA applies to you.

Neither of these regulations has specific rules for security, but both require organizations to take “reasonable” steps to protect their users. Both also have requirements for handling information and require you to notify users if their information is compromised in an attack. This might just mean applying security updates in a timely manner, using encryption appropriately, and other simple measures. If the information you have is particularly sensitive, “reasonable” might mean getting your organization certified for meeting security standards like the ISO 27k series.

Failure to protect your users’ information, or failure to inform them, could result in large fines and other sanctions. So it's important to take the steps to protect their information now to prevent bigger issues in the future! But if you aren't sure where to start or if reading legalese makes your head spin, reach out to your legal team for help figuring out the best steps for your organization to take.

Only Store and Collect Necessary Information

Part of running a secure LMS is giving thoughtful consideration to the data you store and collect about users. If you’re importing data from a payroll or HR information system, it might be tempting to import everything you can “just in case” you need it. But this can be a dangerous practice if you’re not careful. When you import sensitive information from another system, you’ve just increased your attack surface, that is, the number of ways an attacker can acquire that piece of information.

This doesn’t mean you shouldn’t store anything on the LMS. But before you choose to import or collect a piece of information, think “will this information help me make a decision about training?” If the answer is no, then you probably shouldn’t keep it on your LMS. Additionally, there are some types of information that should never live on your LMS if you can avoid it such as:

  • Social Security numbers and other financial information
  • Medical information
  • Status as a member of a protected group
  • Birthdate -- This one might seem less obvious, but what you probably really need is Age to assign appropriate learning. If you're looking for something to celebrate, celebrate loyalty instead and use hire date anniversary!
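The allowlist approach described above, as an added example (this is not code from the original post or from any particular LMS vendor): an HR export is reduced to the fields the LMS actually needs before import, forbidden fields are dropped even when present, and a birthdate is converted into the age the training rules need rather than stored as-is. The field names, the sample HR records and the reference date are all constructed for the example.

```python
"""Data-minimisation filter for an HR-to-LMS import (illustrative, constructed)."""
from datetime import date

# Fields the LMS genuinely needs to make training decisions (assumed names).
LMS_ALLOWED_FIELDS = {
    "employee_id", "email", "department", "job_title", "hire_date", "manager_id",
}

# Fields that must never reach the LMS, even if the HR export contains them.
FORBIDDEN_FIELDS = {
    "ssn", "salary", "bank_account", "medical_notes", "protected_group", "birthdate",
}

# Constructed sample export: deliberately includes fields we must not import.
SAMPLE_HR_EXPORT = [
    {"employee_id": "E1001", "email": "a.ng@example.com", "department": "Ops",
     "job_title": "Technician", "hire_date": "2018-03-12", "manager_id": "E0007",
     "ssn": "000-00-0000", "salary": 52000, "birthdate": "1990-06-30",
     "medical_notes": "n/a"},
    {"employee_id": "E1002", "email": "b.ruiz@example.com", "department": "Sales",
     "job_title": "Rep", "hire_date": "2021-01-04", "manager_id": "E0003",
     "bank_account": "XXXX", "birthdate": "2003-11-20"},
]

# Fixed "today" so the example is deterministic (the post's publication date).
REFERENCE_DATE = date(2020, 11, 18)


def check_policy():
    """Fail loudly if someone ever allowlists a forbidden field."""
    overlap = LMS_ALLOWED_FIELDS & FORBIDDEN_FIELDS
    if overlap:
        raise ValueError(f"forbidden fields present in allowlist: {sorted(overlap)}")
    return True


def age_on(birthdate, today):
    """Whole years between birthdate and today."""
    years = today.year - birthdate.year
    if (today.month, today.day) < (birthdate.month, birthdate.day):
        years -= 1
    return years


def minimise_record(record, today):
    """Return (clean_record, dropped_field_names) for one HR record."""
    clean = {k: v for k, v in record.items() if k in LMS_ALLOWED_FIELDS}
    dropped = sorted(k for k in record if k not in LMS_ALLOWED_FIELDS)
    # Keep the derived value the LMS needs (age), not the birthdate itself.
    if record.get("birthdate"):
        clean["age"] = age_on(date.fromisoformat(record["birthdate"]), today)
    return clean, dropped


def minimise_export(records, today=REFERENCE_DATE):
    """Apply the allowlist to every record; returns only import-safe records."""
    check_policy()
    cleaned = []
    for rec in records:
        clean, _dropped = minimise_record(rec, today)
        cleaned.append(clean)
    return cleaned


if __name__ == "__main__":
    for rec in minimise_export(SAMPLE_HR_EXPORT):
        print(rec)
```

Age is recomputed on every import run, so nothing that reveals the birthdate is persisted in the LMS; the dropped-field list from `minimise_record` is useful to log so you can see which sensitive columns your HR export keeps sending.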

Implement Security Best Practices

Whatever LMS you use, it likely has a variety of security settings you should understand and utilize. Does your LMS give you controls over password requirements? Bump up the minimum length or complexity. Can you restrict access to the website to only company computers? If your employees don’t train from home, then turn that on. If you don’t understand the options available to you, consult with your LMS provider and your internal IT/security teams.

Be especially careful about which employees you give administrator accounts. Adhere to the Principle of Least Privilege, and only give people the minimum permissions they need to do their job effectively. End users are almost always the weakest link in any security strategy. Try to make sure your strategy takes this into account. Automating security tasks (like auditing permissions and adjusting settings when certain permissions are no longer necessary) is a good way to take human error out of the equation.
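One way to automate the permission audit mentioned above, as an added example (not code from the original post or from any LMS product): an exported list of LMS accounts is checked against a job-title-to-role policy, and any account holding more privilege than its job warrants, or any administrator account with no recent login, is reported with a suggested correction. The role names, the policy table, the 90-day threshold and the sample accounts are assumptions constructed for the example.

```python
"""Least-privilege audit of LMS accounts (illustrative, constructed)."""
from datetime import date, timedelta

# Assumed policy: the highest role each job title legitimately needs.
ROLE_POLICY = {
    "Training Manager": "admin",
    "Instructor": "instructor",
    "Technician": "learner",
    "Rep": "learner",
}
ROLE_RANK = {"learner": 0, "instructor": 1, "admin": 2}

# Admin accounts unused for longer than this are flagged (assumed threshold).
STALE_AFTER = timedelta(days=90)

# Fixed "today" so the example is deterministic (the post's publication date).
REFERENCE_DATE = date(2020, 11, 18)

# Constructed LMS account export; last_login is None when never logged in.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "job_title": "Training Manager", "role": "admin", "last_login": "2020-11-10"},
    {"user": "bob", "job_title": "Technician", "role": "admin", "last_login": "2020-11-15"},
    {"user": "carol", "job_title": "Instructor", "role": "admin", "last_login": "2020-05-01"},
    {"user": "dave", "job_title": "Rep", "role": "learner", "last_login": None},
    {"user": "erin", "job_title": "Training Manager", "role": "admin", "last_login": None},
]


def audit_accounts(accounts, today=REFERENCE_DATE):
    """Return a list of (user, finding, suggested_action) tuples."""
    findings = []
    for acct in accounts:
        # Unknown job titles default to the least privileged role.
        expected = ROLE_POLICY.get(acct["job_title"], "learner")
        if ROLE_RANK[acct["role"]] > ROLE_RANK[expected]:
            findings.append((acct["user"], "excess_privilege",
                             f"downgrade {acct['role']} -> {expected}"))
        last = date.fromisoformat(acct["last_login"]) if acct["last_login"] else None
        if acct["role"] == "admin" and (last is None or today - last > STALE_AFTER):
            findings.append((acct["user"], "stale_admin",
                             "disable or downgrade until re-justified"))
    return findings


def admin_count(accounts):
    """How many admin accounts exist; useful as a trend metric over time."""
    return sum(1 for a in accounts if a["role"] == "admin")


if __name__ == "__main__":
    for user, finding, action in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{user:8} {finding:17} {action}")
```

Run on a schedule against a fresh export, the script turns least privilege from a one-off decision into a recurring check; the `excess_privilege` findings are the ones to act on first, since they are accounts that could do more damage than their owner's job requires.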

In Summary

Check if any privacy laws apply to your organization, be mindful of what information you keep about your users, and follow security best practices. Reach out to your team for help and ask your LMS vendor about what additional security options they may have available. Think about the security of your LMS now, and start protecting your users today!

Topics: Learning Management System (LMS), Service & Support, security