How secure is Google Chat for K-12 cyber safety & security risks?
Many districts are struggling with the question: how secure is Google Chat? The education community has found that Google Chat is an excellent way for students to communicate with teachers, and for faculty and staff to communicate with each other. This capability has become even more important in today’s K-12 remote learning and working environment.
But the question remains. How secure is Google Chat? School districts have to take unique cyber safety & security risks into consideration when making Google Chat—or any technology, for that matter—available for use.
Google Chat is not the most secure messaging app available on the market. But, it’s free to school districts using G Suite for Education. Using it also helps keep all communication together in one app for security, monitoring, and compliance. But distinct IT and safety teams need to understand that there significant data security and student safety risks that make Google Chat security & safety monitoring a requirement.
How Secure is Native Google Chat Security?
It’s important to properly configure G Suite data loss prevention controls across your entire domain. This includes implementing G Suite security best practices in Google Chat, as well as Gmail, Google Drive, Shared Drives, Google Meet, and Google Classroom.
Encrypting chat messages is important to ensure that hackers can’t access the information shared on messaging apps like Google Chat. Google Chat uses Transport Layer Security (TLS) to protect messages as they are transported from one user to another.
However, Google doesn’t encrypt messages during storage, which makes them vulnerable to attacks by cybercriminals. More secure chat apps use end-to-end encryption, which encrypts data during storage as well as in-transit. Using that approach, even if someone gains access to the chats on your system, they can’t read the content.
Google Chat monitoring is something all school districts need to do to secure sensitive information that may be shared over Chat for FERPA, HIPAA, and other compliance reasons.
4 Google Chat Security Risks
Given the fairly lax security Google currently provides, savvy district IT leaders question: how secure is Google Chat? There are four significant Google Chat security risks that you need to consider for your district.
1. Sensitive image access risks
Do students, faculty, and/or staff share sensitive images in Google Chat? Sensitive images could include images of a sexual nature (used in sextortion), images of credit cards, and images of people’s personal spaces, addresses, etc.
A chat app is a very informal way to communicate, and it’s easy for users to forget they need to be cautious. After all, why would anyone be interested in what they’re saying to their friends? They forget that cybercriminals would be delighted to access sensitive information and use it against them. So, it’s a pretty safe bet that students, and even faculty and staff, could share an image on Chat that they wouldn’t want anyone else to access.
Unfortunately, Google’s native Chat security doesn’t just not address this issue, it actually makes it worse.
When a user shares an image on Chat, it is stored using a publicly assessable URL. Anyone who knows about the structure of URLs (such as cybercriminals) could easily find, download, and use an image sent via Google Chat.
Users who have discovered this security issue have brought it to Google’s attention. It’s unusual because Google apps security in general doesn’t allow for unauthorized access to images. Unfortunately, Google doesn’t see this as a problem.
But, it is a problem when you’re the one responsible for protecting students!
2. Google account takeovers risks
Account takeovers are a problem that can have widespread repercussions. Once someone has taken over one of your accounts, they can access private data, send lateral phishing emails, steal personally identifiable information, and generally cause a great deal of harm.
Once a hacker has taken over one of your accounts, they will have full access to the account’s Google Chat history. They can misappropriate any sensitive information or images that were sent to or from that account.
All school districts need to ensure that account takeover prevention is part of their security landscape to protect both student and district data.
3. Phishing, malware, and scam risks
If you aren’t using the right G Suite for Education security features, and if you haven’t configured your Google Chat settings properly, a user could chat with someone outside of your domain. When that happens, the unauthorized user could share a link containing a phishing email or malware. If the user clicks on the link, it’s just as damaging as it is in Gmail. Cybercriminals use Google Chat for a number of scams that can fool students, faculty, and staff.
When you set permissions for Google Chat, make sure that you turn off outside domain capabilities to anyone who doesn’t absolutely need it.
4. Student safety signals
Students chat with each other about a variety of personal topics, especially now that they’re physically isolated from their social circles. The chat environment also feels like a more personal conversation than email, for example. It is your district’s responsibility to ensure that Google Chat CIPA compliance processes and monitoring are in place, just as it is for filtering content in your building networks.
They may share text or images that relate to self-harm, suicide, discrimination, bullying, sexting, or other harmful issues. Self-harm detection can be difficult without the right type of monitoring, and Google Chat just compounds the problem.
Students sharing images and/or text of a sexual nature can easily become both safety and compliance risks. It doesn’t matter if those things are shared with a community user or someone outside of your domain. If explicit, discriminatory, or other types of harmful content are being distributed on school technology, your district is exposed to serious issues.
Schools have a responsibility to monitor for and control explicit, cyberbullying, violence, and discriminatory behavior in technology provided to students. If you can’t spot those issues on an app like Google Chat, you’re not in compliance with federal regulations. You’re also leaving students exposed to physical and emotional risks themselves. Digital altercations have a habit of bubbling over into the physical world in the form of violence and/or suicide.
So, how secure is Google Chat? The answer is that Google Chat doesn’t really provide the security a school district needs. Many districts have made the decision to simply not use Google Chat, and that may be the right thing to do.
On the other hand, those that have proper Google Meet and Chat monitoring in place prefer to allow students to use Chat instead of un-controlled messaging apps or text. This way, they’re able to keep in touch with what is happening in their students’ digital world. Without it, your students will simply find another app to use, and you will lose all opportunity to monitor that interaction.
But, you can solve the problem by making Google Chat monitoring an integral part of your overall cybersecurity and student safety strategies. Watch our on-demand webinar to find out how ManagedMethods can help you monitor Google Meet and Chat to achieve your cybersecurity and student safety goals.