Author Profile Picture

Michael Keller

iSpring

CPO

LinkedIn
Email
Pocket
Facebook
WhatsApp

Fortifying your eLearning: How to select the right provider for secure LMS deployment

How can you ensure you select a secure LMS provider that’s right for your organisation? Michael Keller, Chief Product Officer at iSpring Solutions, shares a security checklist and key risk factors to pay attention to.
white bullet camera during nighttime

When you employ the services of a third-party company, including Learning Management System (LMS) providers, security becomes a game played on both sides. No matter how tight your security policies are, if your partner does not meet the same standards, your security may be compromised. 

Security is a very important aspect of eLearning. Mainly because as a rule, eLearning is generally viewed as a ‘safe’ activity, so security measures can often be overlooked when creating an eLearning environment. However, if your company holds sensitive data, such as trade secrets, user information or partner information, it becomes an issue. Very often such data becomes a part of your corporate education curriculum. This means, you will be processing this data with your chosen LMS and you need to rely on the LMS’s security measures to handle it safely. 

In this article, we will discuss which security and privacy risk factors may be associated with an LMS and outline a security checklist that can help you to select an LMS provider for a secure eLearning solution. 

You need to make sure that your LMS provider adheres to the same security level or is willing to alter their security practices to meet your requirements.

What are the most important security vulnerabilities associated with the use of an LMS?

Working with a Learning Management System implies working with a third-party provider, which is a regular security issue. However, eLearning poses a number of industry-specific security challenges. Let’s take a closer look at them. 

1. Bring Your Own Device (BYOD) policies

Today eLearning strives to provide comfortable access to learning materials. Usually, an LMSprovides features to access courses from anywhere, anytime. It is a great accessibility feature and allows your workers to learn while commuting or having a coffee break.

Many corporate learning programmes allow access to courses from personal phones or other devices. However, these devices are not administered by your company’s admins and rely on user security settings. This creates a huge security liability. 

2. The use of mobile apps

The use of a mobile application to access learning courses is convenient but, again, opens up many ways to compromise shared data. Today’s mobile apps are made compatible with multiple devices and platforms and there is no single, generic way to protect them all. 

Regardless, even if a company imposes the best security practices and rules, it is not easy to enforce them on a wider scale. For instance, some LMS providers provide customers with an option that allows their employees to use an  in-build mobile app to access courses on the LMS only when they are connected through a corporate VPN.

3. General lack of security training, poor data security habits

The switch from largely in-class or on-premises corporate training to eLearning was very swift. Accelerated by Covid19 and the overall chaos of the pandemic, this switch left little time and room to educate the general public on personal data security habits. Chances are, not all of your workers are aware of the threats they encounter on the Internet every day. This amplifies the risk of human error when it comes to security issues.

4. Authentication issues

Credentials theft is one of the most common cyber attacks today. Many courses imply meetings via Zoom or Google Meet or MS Teams, the invitations to which are sent in emails to the workers. If any of the email addresses are compromised, attackers get easy access to these meetings, shared data, participant lists, and other information. 

As eLearning becomes increasingly central to corporate training strategies, the need for robust security measures cannot be overrated.

LMS provider security checklist

Before you start using a third-party LMS solution, you need to make sure that your LMS provider adheres to the same security level or is willing to alter their security practices to meet your requirements. Here are a few potential issue blocks that you can include in the security checklist for the LMS provider: 

General company and product information

The list of deliverables, installation type, existing customers, legal procedures and entities, and information on update policies. This is crucial information you need to know before starting out. 

Questions about security, data and information management

In this block, you can ask questions about whether the LMS provider has their own data security and privacy policies, what levels of access and access roles they have, which employees can access customer data, etc. 

Required infrastructure

This is the block where you can find out how much dependency you will have on an LMS provider’s infrastructure, whether it is possible to isolate your data entirely, what type of data storage is used, who the cloud solution provider is, and whether this provider is compatible with your security requirements.

Authentication, authorisation and accounting

You can ask questions about which types of authorisation and authentication are supported, whether SSO is used, which two-factor authentication or authentication apps are used and supported, and which audit logs are maintained. 

Data protection, encryption protocols, security measures

In this section, you can find out how data that passes through an LMS is encrypted at rest and in transit. Which protection methods are installed on the LMS provider’s side and used against common security attacks and breaches? How often does the LMS provider company carry out security audits? What type of firewall, antivirus, anti-phishing software or solutions do they use? 

If you are planning to use the LMS provider’s data centre, you can ask about their physical security measures as well. 

Compliance

You can ask which type of security certification the company has and what industry standards they conform to. For instance, do they adhere to the ISO2001 security framework? Do they have Cloud Security Alliance STAR certification?

Roadmap 

When you choose an LMS provider, it is usually for the long term. So you are entitled to ask what their business continuity plans are, how they plan to improve their security measures and what their change management policy is.

Backup and restore

You can ask what type of failover practices the company uses. For instance, how often is a backup copy created? What is the recovery time after a failover? How long do they store their backup data?

Conclusion

As eLearning becomes increasingly central to corporate training strategies, the need for robust security measures cannot be overrated. To ensure continuous security of your company, your eLearning processes need to be integrated into your security infrastructure and your LMS provider security measures need to be equivalent to your own. 

Running your potential LMS provider partners through a detailed security checklist helps you be on the same page over security standards. 

Michael Keller, CPO at iSpring solutions is a prominent figure in the e-learning industry, known for his leadership at iSpring, a company specialising in e-learning software and services. Under his guidance, iSpring has developed innovative solutions for online education and training, including its LMS iSpringLearn.

Want more insight like this? 

Get the best of people-focused HR content delivered to your inbox.
Author Profile Picture