Managing the security risks of virtual reality in K-12 schools


The potential applications of virtual reality (VR) in K-12 education have been a source of constant buzz at edtech expos in recent years. Already, educators have begun experimenting with VR software, often utilizing inexpensive viewers like Google Cardboard and Samsung Gear VR, which can create a VR experience from students’ smartphones. As VR technology becomes more advanced, affordable and available, it will play an increasingly prominent role in schools across the nation.

However, with new opportunities come new risks. As with any technology that collects user information, VR devices have become targets for cybercriminals. What’s worse is that, in the rush to bring headsets and software to the market ahead of competitors, many tech companies have released VR products with serious security flaws.

Most organizations don’t handle cybersecurity gracefully. In fact, according to a report from SolarWinds, 68 percent of organizations don’t reliably apply or audit security policies.

This problem will likely persist, as many cybersecurity experts anticipate that hackers will adapt traditional hacking methods to bypass the security of VR devices and applications. New forms of interaction with technology will inevitably lead to new approaches to phishing and hacking, and with VR comes the need for understanding these new risks.

IT directors have an integral role to play in the safe implementation of VR technology — and also helping educators understand how to avoid flawed VR products and protect sensitive student information. The security policies you implement as an IT director play a major part in protecting both your institution and its students.

Establishing policies to protect student data

At this point, VR technology does not consist of new systems; it merely offers users new ways to interface with existing hardware through new input and display devices. Accordingly, IT directors should continue to employ anti-virus software and high security settings to prevent faculty and students from accessing infected sites or content. Follow the basics of security to safeguard your school network: continue to protect school-owned property (even when it’s off site) and enforce strict rules surrounding bring-your-own-device (BYOD) policies.

When establishing protocols for VR use, there are several measures you can make to protect students and their data.

For one, before installing or authorizing the use of specific software, be aware of what information it gathers about users. This is a serious concern, as illustrated in mid-2016, when consumer watchdogs and politicians noted that Oculus Rift, a VR headset developed by a company acquired by Facebook in 2014, collected information about users including their location and physical movements.

While some of this information is of perhaps trivial use to cybercriminals at the moment, the importance of VR security will grow as the technology becomes more sophisticated. In the future, a person’s verbal or physical idiosyncrasies will become a part of their digital signature. It may become possible for fraudsters to impersonate an individual with this data and socially engineer their way to more sensitive information.

Student data must be protected, and while information collected by VR platforms is usually intended to improve the user experience, it can be shared with practically anyone — not just advertisers.

It behooves IT professionals and school administrators to carefully read legal agreements prior to using software and assess what information may be shared with third parties. In the educational realm, this factor can be a deal-breaker when it comes to deciding on specific platforms or applications. Acceptable VR tech should not put student information at risk.

As this technology evolves, keep a pulse on new security risks and adapt your policies accordingly. If a VR software update changes what type of information is collected from its users, determine whether those applications are still suitable for your school district. If a particular virus or exploit becomes known, change protocols to avoid risks — even if that means abstaining from using that particular application until the issue is resolved.

Learners in your district must be taught that, regardless of the input or display device being used, the tenets of internet safety hold true. Instructors need to impart the core values of digital citizenship, including the basics of data collection and profiling, internet security and managing one’s online reputation. VR can be an immersive experience, but internet safety is paramount in K-12 schools.

Fight the VR hype — learn from edtech lessons of the past. With every transformative innovation in the edtech sphere, numerous risks and challenges can complicate the process of integrating and using it. By staying aware of VR security issues, IT directors can set safety policies that protect student and organizational data.