How to transform school cybersecurity in 4 key steps

A focus on daily IT troubleshooting leaves little room for crucial preventive measures.
Belinda Fries
Belinda Fries is the senior manager for cybersecurity at FlexPoint Education Cloud.

Across my 21-year tenure in educational tech and school cybersecurity, I’ve witnessed a common issue. School district technology departments are often understaffed, leaving cybersecurity vulnerabilities. Their focus on daily IT troubleshooting leaves little room for crucial preventive measures, leading to the 7.4 million malware attacks on school devices reported by Microsoft in the past month.

This urgency is amplified by the Cybersecurity & Infrastructure Security Agency’s findings, which show that cyber incidents at kindergarten-12th grade schools are so prevalent that, on average, there is more than one incident per day. The reason: the vast data repositories within schools, which contain sensitive information on students, staff, and families, make them prime targets.

Compounding the issue, most schools lack cybersecurity budgets. To address this, I’ve curated four cost-effective strategies to bolster school and district cybersecurity measures.

1. Keep up with current security news

To stay ahead in cybersecurity, school administrations must focus on keeping their school technology and leadership teams updated and on top of the latest security news. This is crucial because threats evolve daily, demanding adjustments to your security measures.

Plus, understanding recent attacks helps refine defenses and strengthen cybersecurity measures. I recommend bookmarking CISA and MS-ISAC for virtual school-focused resources that are either free or low-cost. Also, explore cybersecurity podcasts and news sites like The Hacker News, Security Week and Wired.

2. Train, train, train!

Understanding school cybersecurity can seem daunting, which can lead people to avoid discussing it. However, all users must grasp basic cyber-safety practices through training. Recognizing real threats is key, as cyberattacks often take the form of phishing scams, social engineering tactics, USB malware or access to a device that was left unlocked.

Do your students, teachers, staff and families recognize phishing emails? Can they spot suspicious links or emails from unknown sources? How about text messages with harmful information? Additionally, do they know that USB sticks can carry malware, and do they understand how dangerous it is to leave a computer unattended?




Equipping your school stakeholders with cybersecurity knowledge is vital. Free training resources from organizations like the National Cybersecurity Alliance and Common Sense Education exist, yet personal, story-driven sessions prove most effective in my experience.

3. Evaluate your identity management program

The best way for school and district leaders to enhance their security is to review and evaluate their identity management program. To start, administrators should consider these questions:

  1. Are your students’ passwords unique and complex?
  2. Do your students understand the importance of robust passwords? Are teachers educated about this, too?
  3. Do you have forced password changes in place?
  4. Are you using multi-factor authentication?

For non-MFA users, consider biannual student password changes and quarterly changes for staff. MFA users can follow the National Institute of Standards and Technology’s recommendation for an annual change unless facing an immediate threat. These small adjustments can make all the difference, and many tech companies offer free MFA tools within their directories.

4. Discuss artificial intelligence

With the launch of public generative artificial intelligence applications such as ChatGPT, Bard, Claude, Otter, Jasper Chat and more, the world is discussing their benefits and challenges. One critical distinction that needs to be made is between public and private AI.

Cybersecurity and technology professionals must clarify with all users that any information entered into public AI becomes publicly accessible. This means if they enter sensitive or confidential information such as student rosters or personally identifiable information, that data is saved for public use and could violate FERPA laws. Private AI offers more data control, but implementing IT best practices like encryption, MFA and auditing is crucial to safeguard student, parent, and teacher data.

The main takeaway

School and district leaders must prioritize minimizing cyberattack fears through training. The more your students, teachers, staff, and families are exposed to what cyberattacks look like, the better.

Additionally, if your school or district has a digital learning program—such as a virtual school or blended learning option—I recommend partnering with a third-party organization that has the capabilities to keep your student information safe. Let’s demystify cybersecurity and implement these preventive measures, together.
