Usually, I’m not concerned with other organizations’ security posture and digital culture if I’m not sharing data with them. As a director of information technology, I focus on building a security-conscious culture in my own district and protecting the data that were responsible for.
But when cybercriminals system that manages payments to contractors over Labor Day weekend, I took note. While the hackers fell short of stealing confidential student data, the nations second-largest district experienced significant disruption.
Unfortunately, it wasnt an isolated incident: in just the first few months of this year, six other U.S. school systems have faced . In 2021, over 60 schools faced attacks that cost districts an estimated $3.5 billion in downtime.
While teachers and administrators alike understand the sensitivity of their data and the consequences of it falling into the wrong hands, they may be underestimating their security vulnerability. One in four administrators in a recent survey commissioned by Clever said their district had experienced a cyberattack in the past year.
But among teachers surveyed, only 11% said they thought a cyberattack on a school near them would be very likely. Put another wayonly about one in 10 teachers say its likely, but one in four administrators say its happened. This makes it more important than ever to get the entire school community on the same page when it comes to cybersecurity.
In truth, nothing is safe from a determined attacker. But the good news is that most would-be cyberattackers are opportunistic, not determined. They zero in on the easiest target. And opportunistic attackers can be easily deterred by both implementing best-practice security standards such as the recommended by the National Institute of Standards and Technology as well as nurturing a culture of cybersecurity awareness within their school communities.
With that in mind, here are three steps that school districts can take to build a more secure digital culture and ensure that they are not easy marks for data predators:
1. Make security a team sport
In that same survey from Clever, about one-quarter of administrators said teachers present the greatest source of vulnerability to cyberattacks, while about 60% of teachers believe it is students. Theyre both right. In fact, everyone who engages with technology in a district is a possible point of vulnerability. That means they also need to be part of the solution.
I call this the stone soup model of cybersecurity. In the old folk story, hungry travelers brought an empty pot to a town, filled it with water and rocks, then proceeded to make a soup. One by one, townspeople add vegetables and meat, until, together, they had created an actual soup that could feed the whole town.
Similarly, everyone in a school district has a role to play in cybersecuritybecause every digital choice could lead to cyber-risk. Creating a digital culture of security starts with building trust from different constituencies and then layering in training and best practice policies. For example, I often meet with teachers to connect and understand their challenges and needs when it comes to IT. When they know that Im invested in their success, theyre more likely to work with me and better adhere to security controls.
2. Make security training meaningful
Part of the reason the travelers in the stone soup folktale are successful in getting the townspeople to donate food is that they make them feel invested in the soup. To ensure that security training really resonates with educators, I try to make it personal to who they are and what they care about. In Clevers survey, about 85% of teachers say they receive training on digital security annually or less (including 28% who say they never receive such training). This means there arent that many opportunities to reach teachersand when we have them, we need to do it right. It also means that learning cant be limited to formal training.
More from 91心頭: How 3 superintendents of the year are promoting public service
Many training companies use the name-and-shame approach: they send phishing attacks to users, who receive a digital slap on the wrist when they click on bad links. My strategy is to celebrate the little wins insteadlike a teacher who recognized and reported a phishing email without opening itto reinforce positive behavior with approval. I try to be a partner to educators in their cybersecurity learning journey and enforce that there are no stupid questions.
IT department leaders also need to make our communication fit into the teachers schedules, not the other way around. If you want a message to stick, its best to deliver training and security information multiple times and in a variety of formats so that it can be absorbed by all your education stakeholders who have different backgrounds and different priorities.
3. Whenever possible, make jobs easier while maintaining secure practices.
I work hard to build rapport with my teachers, so whenever I can say yes to a request, I try to do so. But its important to lay out for them when policies are industry best practices and required by our cyber-liability insurance so they know the reasoning behind decisions. While we follow the principle of least privileged access, if teachers have verified reasons for needing elevated privileges I work to find a solution that fits the teachers need and the security posture of our organization.
This is about more than just lifting the burden off of teachers, though thats significant in and of itself. Making teachers jobs easier ultimately better supports student learning, which is why were all there in the first place. When teachers know that their technology automatically safeguards student information and privacy, theyre able to focus on delivering that instruction.
Were all trying to do our best for students. Just like the townspeople in the stone soup fable, everyone has a role to play in building a security-conscious culture within their districts. That begins with building trust among teachers, administrators and other stakeholders who are on the front lines. They deserve the right training and tools to safeguard data.
