EDTECH: What are some things administrators can do to get started with cybersecurity? To be informed about what they need to do and why?
MCLAUGHLIN: Here’s the thing: School administrators are educators. They know a lot about learning. My first suggestion is that they go do some basic reading, do some learning, ask questions — the same things we tell students when they’re learning something new. Learn to read your email with discretion.
Ask your IT department to remove your administrative rights. Now, this is always confusing to administrators because they think, ‘I’m an administrator, I should have administrative rights.’ These two things are not related at all. Administrative rights give you power to install software on your computer. Most administrators don’t need that in school districts, and the access also opens up vulnerabilities. Be the first person to ask your IT department to take that away.
EDTECH: What are some aspects of cybersecurity that administrators tend to overlook?
MCLAUGHLIN: Administrators tend to overlook the training and people elements of cybersecurity. Most breaches start with a person, not with a technology — a person who clicks on a link, a person who opens a phishing attack or attachment. Most administrators tend to rely too heavily on IT to protect the organization and don’t spend enough time and effort training staff, students and educators on how to protect themselves.
In the school environment, one of the areas that administrators tend to overlook is student-run attacks. You have buildings full of curious young people with talents and skills but not necessarily the framework or knowledge to know when and how to use those.
EDTECH: What should administrators do to address the types of vulnerabilities inherent to these ‘buildings full of curious young people’?
MCLAUGHLIN: It’s really important to have conversations with students about responsible use of computers and the internet, and cyber citizenship. And I don’t mean just having it once or putting it in your school policy book, but doing it every time an instructor introduces a new task or an activity that leverages online resources.
For example: ‘Hey, today we’re going to work on blogs. But before we start writing our first blog, let’s talk about what’s appropriate to do in a blog, and what’s not. Is it appropriate to edit somebody else’s blog because you got hold of their password? What does it mean if you use somebody else’s credentials?’ Having these conversations helps people start thinking about their behavior and what is appropriate.
People assume that students should know what is right and what is wrong online without thinking, but has anybody told them? We assume that somebody has told them how to behave in an online environment and how to make a password. But in most cases nobody’s told them, and it’s better to tell them multiple times than to never tell them at all. Start with the basics: Here’s your new online account. Here’s how you create a password that is a good password.