A Wealth of Data, a Dearth of Resources
Schools are easy and attractive targets for cyberattacks for a number of reasons. Historically, they have a lower level of protection because of funding, McLaughlin said. Staffing is also an issue, with some organizations estimating a shortage of about 500,000 cybersecurity professionals in the U.S. alone.
Another key reason that K–12 schools are a popular target for cyber incidents? Data, McLaughlin said.
Data is valuable on the black market, particularly that of children. Schools collect information such as students’ dates of birth and, sometimes, their Social Security numbers.
“The value of identity is higher for people who do not have a credit history,” McLaughlin said.
The attacks also come at a cost. On the high end, it could cost hundreds of thousands of dollars, or even millions, to mitigate cyberattacks — money districts don’t have just sitting around, McLaughlin said. The incidents also create nonmonetary costs, such as damage to equipment and data integrity, as well as lost confidence in the school district.
— EdTech K–12 Magazine (@EdTech_K12) January 16, 2020
Those realities don’t mean K–12 administrators are helpless, nor that leaders who aren’t tech savvy should leave cybersecurity to the IT pros. For example, administrators can go to the CTO or an IT staffer at their schools and ask about what’s being done to prevent attacks, such as phishing, McLaughlin said. What’s not being done that should be?
How to Build a Security Culture
Here are some additional steps administrators can take to get involved in cybersecurity:
- Educate yourself. Cybersecurity is not a one-stop process, and instead requires continuous learning, McLaughlin said: “There are always new, interesting and weird things people do to get into the system.”
- Model secure behaviors. “If your password is stuck to your monitor,” McLaughlin said, “why would you expect anyone else to do anything differently?”
- Train your staff. Understand that the training won’t be “one and done,” McLaughlin said. The training doesn’t have to be long, but it should be ongoing and progressive so the information sticks.
- Demonstrate interest. Ask questions, learn, connect with other people in the district and invest, McLaughlin said. One of the cheapest things that staff can do to protect computer devices is to remove administrative rights, even from administrators such as principals, restricting or limiting permissions for actions such as software installation, she said.
- Integrate cybersecurity and cyber safety with other components of learning. “Cybersecurity is a part of everything we do now,” McLaughlin said.
- Support your IT staffers. They can’t control cybersecurity alone and they shouldn’t try to, McLaughlin said. IT staffers need to be part of a community and an integrated approach, she said. Ask about ways to help them.
- Sponsor and participate in training. For example, administrators can give a cybersecurity scenario and have people discuss how to respond. It’s like practicing for a fire evacuation, McLaughlin said. These conversations help reveal holes in the process and don’t require knowledge of technology.
- Transform the culture to embrace, welcome and support good actions around security. Praise people when they do the correct things, such as having strong passwords and locking screens.