Mar 17 2020

Q&A: Amy McLaughlin on Why Cybersecurity Leadership Should Extend Beyond IT

K–12 administrators can help shoulder the work of preventing cyber incidents even if they aren’t tech-savvy, says CoSN's Amy McLaughlin.

When schools are targeted in cyberattacks, the work of mitigation and communication doesn’t rest with IT teams alone. It actually makes organizations more vulnerable if leaders beyond the IT department are not involved in cybersecurity, says Amy McLaughlin, cybersecurity project director for the Consortium for School Networking (CoSN).

“You cannot put all of this on one unit,” she says. Cybersecurity “requires a systemic approach in order to be successful.”

McLaughlin was scheduled to give presentations about cybersecurity at the 2020 CoSN conference, which was postponed and is now slated to be a virtual event in May. She talked with EdTech about ways K–12 administrators outside of IT can play a greater role in cybersecurity.

EDTECH: What role should K–12 leaders play in school and district cybersecurity?

MCLAUGHLIN: We sometimes treat cybersecurity like it’s completely different than any other security or safety question. But cybersecurity is really cybersafety. How do I keep my organization safe in the digital realm, just like I keep it safe in the physical realm from fire, theft, active shooter events and other safety-related issues? Administrators definitely need to be the leaders. They need to be the champions. They don’t have to do the work, but they certainly need to model the work, support it and emphasize that it has value.

EDTECH: With cybersecurity, how do the roles of IT staff differ from those of other administrators?

MCLAUGHLIN: IT is there to provide the safety net, to put systems in place to reduce the risk, to help catch threats as they come in. But you can’t catch everything with a technology solution because so many cybersecurity attacks prey on individual vulnerabilities. They prey on fears: ‘You must respond to this email right now or we will cut off your access.’ You can’t solve for that with a technology solution; you have to have a people solution.

EDTECH: What are some things administrators can do to get started with cybersecurity? To be informed about what they need to do and why?

MCLAUGHLIN: Here’s the thing: School administrators are educators. They know a lot about learning. My first suggestion is that they go do some basic reading, do some learning, ask questions — the same things we tell students when they’re learning something new. Learn to read your email with discretion.

Ask your IT department to remove your administrative rights. Now, this is always confusing to administrators because they think, ‘I’m an administrator, I should have administrative rights.’ These two things are not related at all. Administrative rights give you power to install software on your computer. Most administrators don’t need that in school districts, and the access also opens up vulnerabilities. Be the first person to ask your IT department to take that away.


EDTECH: What are some aspects of cybersecurity that administrators tend to overlook?

MCLAUGHLIN: Administrators tend to overlook the training and people elements of cybersecurity. Most breaches start with a person, not with a technology — a person who clicks on a link, a person who opens a phishing attack or attachment. Most administrators tend to rely too heavily on IT to protect the organization and don’t spend enough time and effort training staff, students and educators on how to protect themselves.

In the school environment, one of the areas that administrators tend to overlook is student-run attacks. You have buildings full of curious young people with talents and skills but not necessarily the framework or knowledge to know when and how to use those.

EDTECH: What should administrators do to address the types of vulnerabilities inherent to these ‘buildings full of curious young people?’

MCLAUGHLIN: It’s really important to have conversations with students about responsible use of computers and the internet, and cyber citizenship. And I don’t mean just having it once or putting it in your school policy book, but doing it every time an instructor introduces a new task or an activity that leverages online resources.

For example: ‘Hey, today we’re going to work on blogs. But before we start writing our first blog, let’s talk about what’s appropriate to do in a blog, and what’s not. Is it appropriate to edit somebody else’s blog because you got hold of their password? What does it mean if you use somebody else’s credentials?’ Having these conversations helps people start thinking about their behavior and what is appropriate.

People assume that students should know what is right and what is wrong online without thinking, but has anybody told them? We assume that somebody has told them how to behave in an online environment and how to make a password. But in most cases nobody’s told them, and it’s better to tell them multiple times than to never tell them at all. Start with the basics: Here’s your new online account. Here’s how you create a password that is a good password.

EDTECH: After a cyber incident, what are things other administrators should do in terms of mitigation and rebuilding stakeholder trust?

MCLAUGHLIN: First, before anybody even has a cyber incident, they should have a plan for how they would deal with it. You don’t need to reinvent the wheel here. That plan should leverage the same communication structure that the district has for other incidents. Who handles communications? It shouldn’t be your IT director; that person has to deal with mitigation. Is it the superintendent, or a communications director?

Don’t panic. Only give information that you know is relevant and valid at the time. Be cautious. Work with your IT director or whoever is actually handling the incident response to make sure that you don’t give out too much information. Giving out too much information can tip the attacker that their attack was successful. For example, you could say, ‘We’ve been hit by a ransomware attack, and these are the steps we’re taking.’ There are multiple flavors of ransomware.

Be very clear about what you’re doing, how you’re planning to mitigate the problem, and how long you expect it to take to restore the district to full service. What you don’t want is a superintendent and the communications director to have one set of communications, and then have a vice principal in another building posting something completely different on Facebook.

If people see calm, clear handling of an incident, it builds trust.

