Apr 27 2023

Q&A: Laurie Salvail Urges Schools to Adopt and Teach Cybersecurity Best Practices

The executive director of Cyber.org discusses the importance of cybersecurity skills at all K–12 levels in the wake of the Biden administration’s National Cybersecurity Strategy.

In March, the Biden administration released the National Cybersecurity Strategy, adding to the recent federal attention paid to online security. K–12 schools have been particularly vulnerable to cyberattacks over the past few years, and IT leaders are eager to learn tips to keep staff and student data safe.

In addition to creating guidelines and strategies to help schools make learning safer, the federal government also wants to ensure schools build a stronger cybersecurity workforce through education. With that in mind, the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency funded Cyber.org, a cybersecurity workforce development organization, to provide cybersecurity curricula to K–12 schools.

Click the banner below for exclusive cybersecurity insights when you register as an Insider.

Laurie Salvail, executive director of Cyber.org, spoke with EdTech about what the National Cybersecurity Strategy means for schools and how students can learn necessary cybersafety skills as early as kindergarten.

EDTECH: What impact is the National Cybersecurity Strategy having on K–12 schools?

SALVAIL: There’s always this balance in cybersecurity of convenience and security. IT teams need to find where that balance is for their district and for their students. It’s really challenging our IT directors to step back and think of these best practices in cybersecurity, even for something as simple as updating students’ email passwords and the passwords students use to get into their different accounts.

What I love about having a national cyber strategy and having these concrete approaches is the ability to determine what matters. Our schools are being attacked left and right with technology, and we need to come together as a nation and develop these best practices.

RELATED: CoSN 2023 hosts cybersecurity conversations from district, state and federal leaders.

To have these higher-level officials strategize what’s appropriate at what levels — so that students, as they go to different states and as they change schools, are still set up for success — is really changing the American culture. It’s creating a set of individuals who know what the scams are and who know how to protect themselves.

EDTECH: Why is it so important to teach these cybersecurity skills at the K–12 level?

SALVAIL: As we give these devices to students, we have to prepare them to use the tech safely and in a way that empowers them to learn and become active citizens in the future.

Whether or not their job title has “cybersecurity” in it as an adult, they need the cybersecurity skills as U.S. citizens. It can help us protect the U.S. and ourselves, so this is a real-life skill for students.

By taking this skill and breaking it up in small ways, we can start to integrate these things into every classroom across the U.S. We don’t need full, hour-long courses about it, but talking about it periodically for 10 minutes is really important.

EDTECH: As teachers integrate these skills into every classroom, how can they teach cybersecurity to very young elementary students?

SALVAIL: I’m a past teacher. I taught for over 10 years in the classroom, and my first teaching position was in kindergarten.

We are giving kindergarteners devices. They are using them at school. Most of our schools now are close to a 1-to-1 ratio, even in kindergarten. But even if they’re not, students are using smartphones when they’re at home.

What are we telling them about these devices they’re using? Because they’re running into things that they shouldn’t have to run into, they need to know how to stay safe and secure. Malware attacks and phishing scams are things that 5-year-olds now have to deal with.

When they go to a site they didn’t mean to go to or something pops up on their screen that they don’t want to see, we need to help them understand that it's not something they did wrong. It happens to all of us.

They’re playing games with people, but when these little kids interact with an avatar or a cartoon character, they often see it as a computer, not as a person. So, if a computer is asking them for information about where they live or what their real name is or anything that we would tell kids not to tell strangers, they see it as a computer asking or as a friend from one of their games. They don’t think of it as a stranger asking.

EXPLORE: Game-based learning prepares students for a digital future.

There are age-appropriate cybersecurity skills that 5-year-olds and 6-year-olds can learn in a way that gets them excited about technology and that protect them. We can scaffold that learning and get them in a situation where they are going to become our future workforce.

EDTECH: How can schools maintain this excitement about cybersecurity with older students and teach them age-appropriate skills?

SALVAIL: As soon as school’s not real life, students’ interest fizzles because they don’t see a purpose. But the cybersecurity topics are very concrete.

Right now, we have Cyber.org Range, which is a virtual environment where students can practice cybersecurity skills safely. They can go and launch attacks. They can try to defend their system against those attacks. They can see what happens when they open a phishing email and click on the link and what kind of data a malicious actor can get from these types of attacks. It really lets them practice true skills.

As students analyze what makes a good password, we start running password strength testers to see how long it would take for someone to guess a password or brute-force into it. Before you know it, you’ve got students who put their district passwords into a system like that, and they realize it’s good for three months, or maybe it even says two or three years. But they’re now in fifth grade and got it when they were in kindergarten.

It's very different than someone simply telling them to change their password regularly. They can see how easy it would be for someone to get in and be a malicious actor, and that changes the perspective.


The percentage of people who have six or fewer go-to passwords

Source: nypost.com “Most people say they could easily hack their partner’s password,” Aug. 8, 2022

Schools can also let students earn industry certifications at an early age. Some schools already have this great runway developed, where their students are graduating from high school with three or four industry certifications. At that point, they can choose college, or they can go right into a job working for an amazing company and let that company pay for their college education.

EDTECH: Will the National Cybersecurity Strategy lead to more funding for K–12 cybersecurity training and solutions?

SALVAIL: As an American public, we’ve been coming together, and anytime we bring awareness to things, the awareness determines what we deem important. The more important something is, the more likely you are to add funding to it.

Part of diversifying the cybersecurity workforce in the future is going to be removing any barrier we can. Unfortunately for some of our school systems, cost is a barrier.

Thankfully, because of different grants, Cyber.org never charges school districts. It’s important not to add an extra cost to a school district and to be able to provide professional development to guide teachers and district leaders through these conversations at no cost.

UP NEXT: Discover six creative ways to use ESSER funds before they expire.

JohnnyGreig/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT