Security

Build a Culture of Cybersecurity Awareness in K–12 Schools

Training educators and staff can greatly strengthen a district’s cybersecurity posture. Make all users responsible for practicing good cyber hygiene habits.

Rebecca Torchia

Twitter

Rebecca Torchia is a web editor for EdTech: Focus on K–12. Previously, she has produced podcasts and written for several publications in Maryland, Washington, D.C., and her hometown of Pittsburgh.

Before St. Vrain Valley Schools began closely examining its cybersecurity posture, its staff didn’t have the best cyber hygiene.

“Unfortunately, many teachers would take their keyboard and write their password on the back,” says Michelle Bourgeois, the Colorado district’s CTO and one of EdTech’s 2022 K–12 IT influencers. Educators would also use personal passwords for their district accounts, she adds, increasing the risk of cyberthreats such as credential stuffing.

“We asked teachers and staff to start thinking about pass phrases, rather than passwords,” Bourgeois says. “In creating that secure pass phrase, we asked teachers to think about things that are personal: A favorite place they visited, or the author that they love, or a color that is their favorite, and combining all of those things in some random format.” The district also encouraged them to use capital letters and special characters to add security to their passwords.

DIVE DEEPER: Protect your network against bad password habits.

This change is one of many St. Vrain made in its push to strengthen its cybersecurity. When IT leaders looked at the district’s security, they found that human error contributed to a lot of vulnerabilities. As such, many of the changes they made targeted the culture and thinking around cybersecurity.

A New Mindset Benefits Security and Public Perception of Districts

“In K–12, there are very few requirements on cybersecurity,” says Taylor Armstrong, managing consultant for FORVIS and a former K–12 and higher education technology director. “It is so undervalued and so underfunded. Nobody does any of this because it’s not required.”

However, the spike in cyberattacks against K–12 institutions isn’t the only reason schools should work on their security posture.

Watch the full video to learn more about districts' steps toward modern cybersecurity.

“In public education, and in K–12 education especially, we are entrusted to be stewards of student data. We have a responsibility to protect and hold close the data that our students generate as part of their educational environment,” Bourgeois says. “We have a responsibility back to our community to keep students safe and keep their data safe. One of the biggest benefits our community provides to us is the funding to serve our students.”

Changing the culture around cybersecurity within a district can improve the public’s perception of the school and its leaders. When school leaders work to make their staff aware of cybersecurity’s importance, they can achieve a better sense of security for the entire community.

“Every incident that happens starts with a person,” Armstrong says. “Somebody had to send it. Somebody had to click on it. Somebody had to execute it. It all comes back to a person.”

“When we talk about security, this is the most undervalued aspect in K–12. Yet, name one thing you can do without a piece of technology,” he adds. “It touches every aspect of what we do, and if it went down, how long before your school could recover?”

Tackle K–12 Phishing Scams with Staff Training and Awareness

Like St. Vrain, Virginia’s Chesterfield County Public Schools is also acutely aware of the role human error plays in K–12 cybersecurity.

“Security awareness training seems like a compliance activity, but it can be the training of your elite soldier force that will stop a phishing attack. Phishing is probably the No. 1 attack vector for schools right now,” says Tim Tillman, CTO at CCPS.

He explains that educators may be more susceptible to phishing scams because they are inherently helpful and therefore fall victim to phishing emails that ask for help.

UP NEXT: How can K–12 schools push back against the consent phishing trend?

“If you start training employees to be suspicious, if you start empowering them and giving them agency over things that they do on their computers, they will feel much more confident to inform you of problems,” Tillman says. This was one of the changes he made when he took the CTO position at CCPS. He also hired a full-time cybersecurity analyst for the district.

“We do recognize that we have gaps and that we have weaknesses. We are trying to change the culture,” he says. “We’re trying to educate people.”

Jay Yuno/Getty Images