Cybersecurity training still lacking in schools, some IT leaders say

Survey of K-12 technology decision-makers shows that half of their districts did not offer guidance on this key piece before the start of the school year.

More than 50% of information technology leaders recently surveyed said no one at their schools received new training in cybersecurity before the start of the 2020-21 school year, according to a study released by security protection provider Malwarebytes.

The report “Lessons in Cybersecurity: How education coped in the shift to distance learning” highlighted the struggles of districts to cope with embracing the idea of cybersecurity despite the push to add new software and devices for teachers and students.

Just over 46% of those who took part in the two parallel surveys – 500 students in one survey and 75 IT leaders in the other – also said their schools failed to provide simple antivirus installations, a critical element for safeguarding networks.

“Students during the pandemic are struggling with digital access, engagement and a severe sense of isolation. Cybersecurity should be the least of their concerns, and yet, it’s concerning to find that nearly half of educational institutions show a lack of preparedness,” said Marcin Kleczynski, CEO of Malwarebytes. “It is essential that schools – and all organizations – stop viewing cybersecurity as an afterthought; protecting our students and their data online should be a top priority for educators.”

School districts throughout the U.S., from Miami to Baltimore, have suffered cybersecurity attacks in some form since the start of the pandemic, whether it be from bad actors or other less dramatic hacks. Some districts have lost a day or more of learning time this year – not to mention the other impacts of these breaches, including financial costs and potential privacy implications to educators, students and staff.

And yet despite the trends and the technology push, nearly 20% of those IT leaders surveyed said they faced difficulties in getting their schools to “invest in cybersecurity protections [such as antivirus software, training and updated devices].”

By contrast, many of those who reported having the necessary training and cybersecurity measures to prevent attacks also reported having few budget constraints. That group also said that because of the training they received before making the transition to distance learning, they have not reported an attack or lost a day of learning.

Other notable findings

Respondents were asked the steps their schools took to get onto a school network when the school year began:

  • 49% said they were asked to read through a guide of distance-learning protocols
  • 46% said there were no additional requirements
  • 16% said they took part in a webinar or other training session on cybersecurity
  • 9.3% said they installed antivirus on all devices accessing the district
  • 5.3% said they installed antivirus on school devices only

Of those who were offered additional training, only 16% of students – those who might be most affected as end users – received any training, according to the results

More than 70% of those surveyed said their schools offered software such as Zoom or Google Classroom during the pivot to remote learning, leaving open the possibility of an attack. Those who had cybersecurity training reported better outcomes (18%) than those who didn’t (30%) in sustaining Zoom-bombing attacks.

More concerns

Some districts have concerns beyond the cybersecurity piece. Of the IT leaders polled, 28% reported that their schools still don’t have enough devices for teachers and 40% said students still don’t. More than one third are concerned that those who use hotspots are gobbling up data too quickly.

The biggest red flags raised among IT leaders related to digital learning include teachers having connectivity issues (80%), teachers and students suffering Zoom-bombing attacks (49%), teachers and administrators not having the time to deal with cybersecurity (43%) and teachers and students not having the devices they need to do distance learning (40%).

Unfortunately, for many of those leaders, they are using the same tools in the fight against the attacks. More than 80% say they are using the same antivirus tools they were using before the pandemic and 37% say they must use the built-in protection installed on devices. Only 25% said schools purchased new tools to protect their devices this year.

Malwarebytes offered a number of solutions for those still trying to get on board with cybersecurity:

  1. Aside from providing training to faculty and staff , schools should ensure teachers and administrators know when and who to go to if they should encounter potential issues.
  2. Districts periodically should be polling teachers, parents and students on technology problems and any potential cybersecurity breaches they are seeing.
  3. Districts also provide quick training sessions for both parents and students that discuss common vulnerabilities.
  4. Schools should install antivirus software that covers all devices, from Chromebooks to laptops.

Most Popular