3 ways school districts can build a secure digital culture

Everyone who engages with technology in a district is a possible point of vulnerability.

Usually, I’m not concerned with other organizations’ security posture and digital culture if I’m not sharing data with them. As a director of information technology, I focus on building a security-conscious culture in my own district and protecting the data that we’re responsible for.

But when cybercriminals broke into the Los Angeles USD system that manages payments to contractors over Labor Day weekend, I took note. While the hackers fell short of stealing confidential student data, the nation’s second-largest district experienced “significant disruption.”

Unfortunately, it wasn’t an isolated incident: in just the first few months of this year, six other U.S. school systems have faced ransomware attacks. In 2021, over 60 schools faced attacks that cost districts an estimated $3.5 billion in downtime.

While teachers and administrators alike understand the sensitivity of their data and the consequences of it falling into the wrong hands, they may be underestimating their security vulnerability. One in four administrators in a recent survey commissioned by Clever said their district had experienced a cyberattack in the past year.

But among teachers surveyed, only 11% said they thought a cyberattack on a school near them would be “very likely”. Put another way—only about one in 10 teachers say it’s likely, but one in four administrators say it’s happened. This makes it more important than ever to get the entire school community on the same page when it comes to cybersecurity.

In truth, nothing is safe from a determined attacker. But the good news is that most would-be cyberattackers are opportunistic, not determined. They zero in on the easiest target. Districts can easily deter opportunistic attackers both by implementing best-practice security standards, such as the cybersecurity framework recommended by the National Institute of Standards and Technology, and by nurturing a culture of cybersecurity awareness within their school communities.

With that in mind, here are three steps that school districts can take to build a more secure digital culture and ensure that they are not easy marks for data predators:

1. Make security a team sport

In that same survey from Clever, about one-quarter of administrators said teachers present the greatest source of vulnerability to cyberattacks, while about 60% of teachers believe it is students. They’re both right. In fact, everyone who engages with technology in a district is a possible point of vulnerability. That means they also need to be part of the solution.

I call this the “stone soup” model of cybersecurity. In the old folk story, hungry travelers brought an empty pot to a town, filled it with water and rocks, then proceeded to make a soup. One by one, townspeople added vegetables and meat, until, together, they had created an actual soup that could feed the whole town.

Similarly, everyone in a school district has a role to play in cybersecurity—because every digital choice could lead to cyber-risk. Creating a digital culture of security starts with building trust from different constituencies and then layering in training and best practice policies. For example, I often meet with teachers to connect and understand their challenges and needs when it comes to IT. When they know that I’m invested in their success, they’re more likely to work with me and better adhere to security controls.

2. Make security training meaningful

Part of the reason the travelers in the stone soup folktale are successful in getting the townspeople to donate food is that they make them feel invested in the soup. To ensure that security training really resonates with educators, I try to make it personal to who they are and what they care about. In Clever’s survey, about 85% of teachers say they receive training on digital security annually or less (including 28% who say they never receive such training). This means there aren’t that many opportunities to reach teachers—and when we have them, we need to do it right. It also means that learning can’t be limited to formal training.




Many training companies use the “name-and-shame” approach: they send phishing attacks to users, who receive a digital slap on the wrist when they click on bad links. My strategy is to celebrate the little wins instead—like a teacher who recognized and reported a phishing email without opening it—to reinforce positive behavior with approval. I try to be a partner to educators in their cybersecurity learning journey and reinforce that there are no stupid questions.

IT department leaders also need to make our communication fit into the teachers’ schedules, not the other way around. If you want a message to stick, it’s best to deliver training and security information multiple times and in a variety of formats so that it can be absorbed by all your education stakeholders who have different backgrounds and different priorities.

3. Whenever possible, make jobs easier while maintaining secure practices

I work hard to build rapport with my teachers, so whenever I can say “yes” to a request, I try to do so. But it’s important to lay out for them when policies are industry best practices and required by our cyber-liability insurance so they know the reasoning behind decisions. While we follow the principle of least-privilege access, if teachers have verified reasons for needing elevated privileges, I work to find a solution that fits the teacher’s need and the security posture of our organization.

This is about more than just lifting the burden off of teachers, though that’s significant in and of itself. Making teachers’ jobs easier ultimately better supports student learning, which is why we’re all there in the first place. When teachers know that their technology automatically safeguards student information and privacy, they’re able to focus on delivering that instruction.

We’re all trying to do our best for students. Just like the townspeople in the “stone soup” fable, everyone has a role to play in building a security-conscious culture within their districts. That begins with building trust among teachers, administrators and other stakeholders who are on the front lines. They deserve the right training and tools to safeguard data.

Vincent Rose (https://www.bethel.k12.or.us/personnel/vincent-rose/)
Vincent Rose is director of information technology for Bethel School District in Eugene, Oregon.
