Is your learning management system (LMS) secure? You should know which LMS security factors are important when choosing a solution. The number of annual internet data breaches in the U.S. has nearly doubled over the past decade, and new cyber threats are emerging all the time. For the LMS customer, this presents the potential for confidential company data being compromised and used for nefarious purposes.
Most modern learning management systems are cloud-based, which presents new and urgent challenges for cybersecurity. There’s a lot of value in these systems, but we have to take security seriously to make sure we’re not trading convenience and scale for more risk. If you use an LMS for your organization, or if you’re shopping around for an LMS, certain security features are fundamental for protecting both company and employee data.
1. User provisioning/management
Any modern SaaS LMS vendor should make it easy to set and modify user permissions. Roles should be clearly defined, follow least privilege (a learner should not be able to read other employees' records, and only a small number of named administrators should be able to export data or change roles), and be easy for administrators to modify, so that sensitive data isn't shared with or accessed by the wrong people.
In addition, the HR or L&D team must be diligent about promptly disabling the accounts of departed employees and only allowing active employees to access the system with the appropriate permissions. Note also that certain states and countries have rules specifying who can access certain data, and these rules must be built into provisioning decisions. We recommend integrating your LMS with HR tools that allow for automated provisioning, role changes, and user removal (the joiner/mover/leaver lifecycle). This saves a lot of time and reduces the risk of oversight, but the integration itself needs a guardrail: a faulty HR export should never be able to disable the whole user base in one run, and orphaned accounts that exist in the LMS but not in HR should be disabled and reviewed rather than silently ignored.
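The joiner/mover/leaver reconciliation described above, as an added example (not code from the page or from any LMS or HR vendor). The record layout, the role names, the sample roster and the guardrail threshold are all assumptions constructed for illustration; a real integration would read the HR feed from an HRIS export or SCIM endpoint and apply the actions through the LMS's API.

```python
# Joiner/mover/leaver reconciliation between an HR roster and an LMS user list.
# Added illustration; field names, roles and thresholds are assumptions, not a real API.

# Constructed sample HR export (what an HRIS feed might deliver).
HR_ROSTER = [
    {"employee_id": "E100", "email": "ana@example.com", "status": "active", "role": "learner"},
    {"employee_id": "E101", "email": "ben@example.com", "status": "active", "role": "manager"},
    {"employee_id": "E102", "email": "cy@example.com", "status": "terminated", "role": "learner"},
    {"employee_id": "E103", "email": "dee@example.com", "status": "active", "role": "learner"},
]

# Constructed snapshot of the LMS user table, deliberately out of date.
LMS_USERS = {
    "E100": {"role": "learner", "enabled": True},
    "E101": {"role": "learner", "enabled": True},   # promoted to manager in HR, still a learner here
    "E102": {"role": "admin", "enabled": True},     # terminated in HR, still enabled, and with admin rights
    "E104": {"role": "learner", "enabled": True},   # no HR record at all (orphan)
}


def reconcile(hr_roster, lms_users):
    """Return the provisioning actions needed to bring the LMS in line with HR.

    Result keys: "create" (new employee ids), "update_role" ((id, old, new) tuples),
    "disable" (ids to deactivate). Accounts are disabled rather than deleted so that
    training records and audit history survive.
    """
    actions = {"create": [], "update_role": [], "disable": []}
    hr_by_id = {rec["employee_id"]: rec for rec in hr_roster}

    for emp_id, rec in hr_by_id.items():
        lms = lms_users.get(emp_id)
        if rec["status"] != "active":
            # Leaver: anything other than "active" loses access, whatever the role.
            if lms and lms["enabled"]:
                actions["disable"].append(emp_id)
            continue
        if lms is None:
            actions["create"].append(emp_id)                                   # joiner
        elif lms["role"] != rec["role"]:
            actions["update_role"].append((emp_id, lms["role"], rec["role"]))  # mover

    # Orphans: enabled LMS accounts with no HR record. Disable and review; never ignore.
    for emp_id, lms in lms_users.items():
        if emp_id not in hr_by_id and lms["enabled"]:
            actions["disable"].append(emp_id)
    return actions


def guard_bulk_disable(actions, lms_users, max_fraction=0.5):
    """Refuse to apply a batch that would disable more than max_fraction of enabled accounts.

    An empty or truncated HR export is the classic way an automated feed locks out an
    entire workforce; a human should look at such a batch before it runs.
    """
    enabled = sum(1 for u in lms_users.values() if u["enabled"])
    if enabled and len(actions["disable"]) / enabled > max_fraction:
        raise ValueError(
            f"refusing to disable {len(actions['disable'])} of {enabled} accounts; check the HR feed"
        )
    return actions


if __name__ == "__main__":
    plan = guard_bulk_disable(reconcile(HR_ROSTER, LMS_USERS), LMS_USERS)
    for action, items in plan.items():
        print(action, items)
```

Run against the constructed data, the plan creates E103, promotes E101, and disables both the terminated admin E102 and the orphan E104. Feed it an empty roster instead and the guardrail raises rather than disabling everyone.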
2. Data security
When choosing an LMS, it’s important to confirm where the LMS data is stored as well as what data is stored and whether the data is stored in accordance with any local regulations. At a minimum, you want to look for features like:
- Encryption of data in transit (TLS, with current protocol versions and cipher suites) and at rest, using current standards. Ask the vendor how encryption keys are managed and rotated; standards change, and your LMS needs to keep up.
- Automatic, regular data backup, with restores tested. If the system crashes or is hit by ransomware, you won't lose your valuable data. Many LMS providers conduct nightly backups, though this varies from one provider to the next. The important things are that backups happen on a known schedule, are stored separately from production, and have actually been restored in a test.
- Network controls. Firewalls and segmentation between the public application tier and the database tier should mean that the only path to your data is through the authenticated application, never directly to storage.
- IP blocking to reduce traffic from malicious IP addresses. An IP blocker tracks and blocks traffic from problematic addresses and can be customized by the customer (for instance, allowing administrative access only from your own network). Treat it as a noise filter rather than a barrier: attackers rotate addresses easily.
- Anti-spam and antivirus protection. Any content uploaded to the LMS (course files, attachments, images) should be scanned, and the provider should run a security suite that includes virus and spyware protection, blocklisting and spam prevention at a minimum.
On its own, each of the above controls is limited in its ability to prevent cyber-attacks. Used together (defense in depth), they are far more effective. For example, an attacker can get around an IP blocker by changing addresses, but they'll have a much harder time reaching your data if the other safeguards are in place.
3. Password management
There are multiple factors involved in password management.
First, you should manage access through SSO (single sign-on). SSO makes it possible for users to access all company accounts, including the LMS and other essential software, using a single set of login credentials held by your identity provider. SSO offers better security because:
- Users only have one password to remember, so they're less likely to suffer password fatigue and more likely to choose a strong one.
- There's far less risk of the user reusing the same credentials across multiple accounts (a huge security risk, since one breached site then exposes every account that shares the password).
- Credentials are entered in fewer places. For instance, you can set up a "Start Training" button on your main employee portal where the employee is already logged in. If your training content is stored in another LMS or LCMS, the user can reach it without a second login, and there is one less login form for a phishing page to imitate.
- Access is revoked in one place: disabling the identity-provider account cuts off the LMS along with everything else.
The flip side is that SSO concentrates risk in the identity-provider account, so that account must be protected with multi-factor authentication.
Where the LMS does hold its own passwords (local accounts, break-glass admin logins), its rules should follow current guidance (NIST SP 800-63B): enforce a minimum length, allow long passphrases, check new passwords against lists of common and previously breached passwords so that "password1" is rejected outright, and rate-limit or lock out after repeated failed attempts. Mandatory composition rules (one upper case, one digit, one symbol) and calendar-based expiration are no longer recommended: they push users toward predictable patterns such as "Password1!" and incremental changes. Passwords should instead be changed when there is evidence of compromise.
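To make the difference concrete, here is an added example (not code from the page or from any LMS) that puts the old composition-rule check beside a check written to the NIST SP 800-63B approach. The tiny common-password set is a constructed stand-in for a real breach corpus, and the context-word and padding-stripping heuristics are assumptions chosen for illustration.

```python
import unicodedata

# Constructed stand-in for a breached/common-password corpus. In production this would be a
# large list or a k-anonymity lookup against a breach database (assumption, not from the page).
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "letmein", "welcome", "admin",
}
# Characters people bolt onto a dictionary word to satisfy complexity rules; stripped before lookup.
PADDING = "0123456789!@#$%^&*.,-_?"


def legacy_policy(pw: str) -> bool:
    """The composition policy the text describes: 8+ characters with upper, lower, digit and symbol.
    Kept only as the weak baseline; it happily accepts "Password123!"."""
    return (
        len(pw) >= 8
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(not c.isalnum() for c in pw)
    )


def check_password(pw: str, user_context=(), min_len=12, max_len=128):
    """Return (accepted, reason) under NIST SP 800-63B style rules: length bounds, no composition
    rules, reject common/breached passwords and passwords built from the user's own details."""
    pw = unicodedata.normalize("NFKC", pw)  # visually identical Unicode forms compare equal
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    if len(pw) > max_len:
        return False, f"longer than {max_len} characters"
    low = pw.lower()
    base = low.rstrip(PADDING)  # "password123!" -> "password"
    if low in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        return False, "matches a common or breached password"
    for word in user_context:  # username, real name, employer, etc.
        if word and len(word) >= 3 and word.lower() in low:
            return False, "contains username, name or company"
    if len(set(low)) < 4:
        return False, "too repetitive"
    return True, "ok"
```

Note what each side gets wrong: the legacy policy accepts "Password123!" (a dictionary word with predictable padding) and rejects a long passphrase with no digits, while the length-and-blocklist check does the reverse. Rate limiting of failed logins belongs on the server side and is not shown here.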
4. BYOD security
Any modern LMS should have security protocols in place for BYOD (bring your own device). As learning systems become increasingly mobile-friendly, more and more trainees are accessing the system on their personal devices—logging in to sensitive work-related systems and transmitting confidential data both in and out of the workplace. This is a good thing, as BYOD can help drive engagement and make training more accessible, especially for frontline employees who don’t use work-issued devices. But it does come with its own security concerns.
This is another security consideration that falls largely on the organization. The LMS provider should have tools in place to remotely terminate sessions and lock compromised accounts, and should enforce TLS so that traffic can't be intercepted on untrusted networks, but there's only so much it can do. That's why it's up to admins to work with IT to establish and maintain the rules. The policy should address things like:
- What to do if a device is stolen or compromised
- What can and cannot be done on personal devices (e.g. a secure connection is always critical when accessing sensitive company accounts)
- How to separate personal from professional usage on personal devices
- Locations where personal devices can and cannot be used to access company data (e.g. a public wireless network presents heightened security risks and should generally be avoided for sensitive work). Because this is a growing workplace concern, some companies apply technical safeguards rather than relying on policy alone.
- When the content can be accessed. For instance, Axonify has the capability to gate access to the app based on scheduled shifts and company networks, so that employees who are off shift, or who connect from outside the company network, can reach only designated parts of the app.
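What shift-and-network gating looks like as an access decision, as an added example that is not Axonify's implementation or any code from the page. The company address ranges, the shift roster and the resource classification are all constructed assumptions; the point is the decision logic, in particular that unknown resources and unparseable addresses are denied rather than allowed.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed company networks (constructed; private ranges used as stand-ins).
COMPANY_NETWORKS = [ip_network("10.20.0.0/16"), ip_network("192.168.50.0/24")]

# Constructed shift roster: employee id -> list of (weekday, start, end); Monday == 0, local time.
SHIFTS = {
    "E100": [(0, time(8, 0), time(16, 0)), (1, time(8, 0), time(16, 0))],
}

# Assumed resource classification. Training content is meant to be reachable off shift;
# operational records are not.
OFF_SHIFT_OK = {"training_modules", "my_schedule"}
ON_SHIFT_ONLY = {"customer_records", "incident_reports"}


def on_company_network(source_ip: str) -> bool:
    """True if the request comes from an address inside a company range.
    Anything that does not parse as an address is treated as untrusted."""
    try:
        addr = ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in COMPANY_NETWORKS)


def on_shift(emp_id: str, now: datetime) -> bool:
    """True if `now` falls inside one of the employee's scheduled shifts."""
    for weekday, start, end in SHIFTS.get(emp_id, []):
        if now.weekday() == weekday and start <= now.time() < end:
            return True
    return False


def access_decision(emp_id: str, resource: str, now: datetime, source_ip: str):
    """Return (allowed, reason). Resources not in either class are denied by default."""
    if resource in OFF_SHIFT_OK:
        return True, "training content is available off shift"
    if resource in ON_SHIFT_ONLY:
        if not on_shift(emp_id, now):
            return False, "outside scheduled shift"
        if not on_company_network(source_ip):
            return False, "not on a company network"
        return True, "on shift and on a company network"
    return False, "unknown resource, denied by default"


if __name__ == "__main__":
    monday_10 = datetime(2024, 6, 3, 10, 0)  # a Monday
    print(access_decision("E100", "customer_records", monday_10, "10.20.3.4"))
    print(access_decision("E100", "customer_records", monday_10, "203.0.113.9"))
```

The source address is a weak signal on its own (VPNs, NAT and proxies all blur it), so this is a usability and data-minimization control layered on top of authentication, not a substitute for it.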
Because more users are accessing training on mobile devices, any LMS mobile app should carry its own security features: encryption of any data cached on the device, authentication that doesn't leave long-lived credentials stored in the clear, session timeouts, and remote sign-out so a lost device can be cut off. Antivirus in the desktop sense is not something an app can provide for the phone it runs on; that protection comes from the device's operating system, which is one more reason the BYOD policy should require devices to be kept up to date.
5. Emergency response
A cybersecurity incident response plan is a set of actions and instructions designed to help companies prepare for, identify, respond to, communicate about and recover from security incidents such as phishing and malware attacks. Some of these protocols belong in the BYOD security policy, but incident response goes much deeper than that, accounting for all types of attacks, whether they happen on personal devices, company devices or the network itself. For an LMS specifically, the plan should say who at the vendor to contact, what the vendor's breach-notification commitments are, and how to disable accounts or revoke sessions in bulk.
Every enterprise needs a plan of action to use when an incident strikes. To be useful, the plan must spell out how to respond, what resources to use and who should be contacted, with the goals of minimizing damage and responding as quickly as possible. Attacks can still hit the organization in many ways and at many levels; when one does, acting quickly is what limits the damage.
How Axonify protects user data
As an industry-leading frontline LMS, Axonify is passionate about cybersecurity. We adhere to SOC 2 controls to minimize security vulnerabilities and protect your data and users. And because we're a trusted mobile LMS, we take mobile and BYOD security just as seriously as our larger web security.
Whether it’s secure cloud hosting, layered firewalls, or any other IT concerns, Axonify can meet or exceed the toughest security requirements of industry-leading companies.
If you’re considering Axonify or any learning management system, make sure to prioritize your web security. It may take a bit of extra work to keep your system secure, but it can help to prevent a costly and devastating breach—and considering how cyber-attacks are on the rise, you don’t want to roll the dice on your web security.