Jan 23 2020

FETC 2020: 8 Ways Administrators Can Support Cybersecurity

A wealth of student data and lack of resources make K–12 schools easy targets for cyberattacks. But leaders can foster collaborative prevention efforts.

For K–12 schools and districts, the work of preventing cyberattacks and staying knowledgeable about cybersecurity does not rest with IT teams alone.

District leaders, for example, lead efforts to build school culture around cybersecurity. They also can support the work of their IT professionals.

“It’s a team effort,” Amy McLaughlin, a consultant and cybersecurity project director for the Consortium for School Networking (CoSN), said recently during the 2020 Future of Education Technology Conference in Miami. “It requires systematic thinking and a systematic approach, changing our culture and how we do things.”

District leaders should also understand that cybersecurity is a people problem, she said. Employees respond to phishing emails or store passwords in easy-to-spot places, such as Post-it notes affixed to monitors. Mischievous students hack into district computers and networks. Educators install software or download unvetted apps.

And while technology can help prevent cybersecurity problems, it can’t solve them, McLaughlin said.

The ongoing cybersecurity woes of K–12 schools and districts aren’t new; headlines trumpet the latest attacks almost daily. Cyberthieves have targeted schools hundreds of times since 2016. Numerous sessions at FETC focused on the topic of cybersecurity in some form.

A Wealth of Data, a Dearth of Resources

Schools are easy and attractive targets for cyberattacks for a number of reasons. Historically, they have a lower level of protection because of funding, McLaughlin said. Staffing is also an issue, with some organizations estimating a shortage of about 500,000 cybersecurity professionals in the U.S. alone.

Another key reason that K–12 schools are a popular target for cyber incidents? Data, McLaughlin said.

Data is valuable on the black market, particularly that of children. Schools collect information such as students’ dates of birth and, sometimes, their Social Security numbers.

“The value of identity is higher for people who do not have a credit history,” McLaughlin said.

The attacks also come at a cost. On the high end, it could cost hundreds of thousands of dollars, or even millions, to mitigate cyberattacks — money districts don’t have just sitting around, McLaughlin said. The incidents also create nonmonetary costs, such as damage to equipment and data integrity, as well as lost confidence in the school district.

Those realities don’t mean K–12 administrators are helpless, nor that leaders who aren’t tech savvy should leave cybersecurity to the IT pros. For example, administrators can go to the CTO or an IT staffer at their schools and ask about what’s being done to prevent attacks, such as phishing, McLaughlin said. What’s not being done that should be?


How to Build a Security Culture

Here are some additional steps administrators can take to get involved in cybersecurity:

  1. Educate yourself. Cybersecurity is not a one-stop process, and instead requires continuous learning, McLaughlin said: “There are always new, interesting and weird things people do to get into the system.”
  2. Model secure behaviors. “If your password is stuck to your monitor,” McLaughlin said, “why would you expect anyone else to do anything differently?”
  3. Train your staff. Understand that the training won’t be “one and done,” McLaughlin said. The training doesn’t have to be long, but it should be ongoing and progressive so the information sticks.
  4. Demonstrate interest. Ask questions, learn, connect with other people in the district and invest, McLaughlin said. One of the cheapest things that staff can do to protect computer devices is to remove administrative rights, even from administrators such as principals, restricting or limiting permissions for actions such as software installation, she said.
  5. Integrate cybersecurity and cyber safety with other components of learning. “Cybersecurity is a part of everything we do now,” McLaughlin said.
  6. Support your IT staffers. They can’t control cybersecurity alone and they shouldn’t try to, McLaughlin said. IT staffers need to be part of a community and an integrated approach, she said. Ask about ways to help them.
  7. Sponsor and participate in training. For example, administrators can give a cybersecurity scenario and have people discuss how to respond. It’s like practicing for a fire evacuation, McLaughlin said. These conversations help reveal holes in the process and don’t require knowledge of technology.
  8. Transform the culture to embrace, welcome and support good actions around security. Praise people when they do the correct things, such as having strong passwords and locking screens.
