I found my 17-year-old son happily playing video games last year when he was supposed to be in virtual school. But after a few questions, I learned he wasn’t skipping school. His class had been canceled after his teacher fell for a phishing attack, and their computer was infected with a virus. This isn’t an isolated incident. Take a look at how schools can protect student data and other important information from today’s digital attacks.
The K-12 Cybersecurity Resource Center reported 408 publicized school cyberattacks in 2020, up by 18% over 2019. Many more attacks weren’t publicized, like my son’s teacher’s issue. So that number represents just a fraction of school cybersecurity issues over the past year. The threats against schools and universities became so significant that the FBI named K-12 schools the public agency with the most attacks.
However, a study by Morning Consult and IBM found that 44% of teachers had not received any cybersecurity training, and one-third had not received education on protecting devices they used for instruction. While the past year was spent reacting to the ‘new normal’ and doing our best on the fly, now is the time to step back and make sure that teachers have the training they need to keep their devices, their school network and student data safe. By focusing on school cybersecurity policies and data security in schools, administrators can help their schools stay safe.
Create a Cyber Training Course for Teachers
Schools should create a required cyber training course for teachers and other school employees. Require a core course for all new hires and then a refresher course each year at the beginning of school. Consider creating the course as an online class to work with teachers’ schedules. An online course also allows you to get the best experts possible to speak during the course without taking time away from their schedules for each course.
However, resist the urge to use a pre-made course on general cybersecurity. With at least some remote classes likely to continue after the pandemic, such as for hurricane and snow days, your employees need skills and knowledge that are specific to online teaching. When you create your own course or use one created specifically for teachers, you can connect the importance of cybersecurity back to the reason that most teachers went into the profession — their students. The course should clearly explain how attacks that compromise student data can cause long-term issues, such as identity theft. In addition, these attacks often mean less learning time for students, which can cause them to miss an important unit or fall behind.
Student Data Safety Checklist
A complete training should cover the following topics:
- Password safety:
- Using passwords on all devices, including mobile devices, used for teaching
- Importance of changing passwords
- What makes a strong password
- Why and how to use biometrics
- What is phishing and its impact
- How to spot common educational phishing schemes
- What to do if you receive a potential phishing scam
- What to do if you fall for a phishing scam
- What is ransomware and how it works
- How to spot common ransomware attacks targeting student data and other aspects of school networks
- What to do if you become a victim of a ransomware attack
- Connecting to Wi-Fi:
- Risks of accessing student data on public or unsecured Wi-Fi
- Processes for safely connecting remotely, such as using a virtual private network
- Importance of keeping operating systems up to date on all devices
- How to report lost or stolen devices
Student Data Safety Training Best Practices
Keep the following in mind when designing the course:
- Keep it short. You want to fully cover the material in as little time as possible. Try to keep it between 15 and 30 minutes.
- Provide practical advice. Most teachers aren’t interested in the details of cybersecurity. Instead, they want to know what they need to know and do to keep student data and their school safe. Focus on steps that teachers should take, such as not clicking on unknown links and keeping operating systems up to date on all devices.
- Use humor. While you want the course to be professional, it’s possible to create training that is both educational and interesting to listen to.
- Include examples. Go through common scenarios related to cybersecurity at schools, such as Zoom bombing or a ransomware attack, and walk through the correct actions to take.
- Use a quiz. Everyone pays closer attention if they know there will be a quiz at the end. Require teachers to pass a short quiz each year to ensure that they understand the content and are able to follow cybersecurity guidelines.
Keep Student Data Safety at the Forefront
Cybersecurity should not be a check-the-box type of training, meaning it’s not something your teachers think about once a year and put to the side the rest of the time. You must actively work to keep cybersecurity at the forefront at your school. It should be a part of the decision-making process for every action.
Use these strategies for creating a culture of cybersecurity:
- Post reminders in teachers’ workrooms and lunchrooms. Create simple posters with reminders, such as not to download unknown files or to update your operating system this month. Change the messages and location regularly to keep their attention. Use humor whenever possible so employees remember the message.
- Have a cybersecurity expert talk at a teachers’ meeting. Once or twice a year, have a cybersecurity expert come to talk to the staff about current threats and practices. This also gives teachers a chance to ask questions.
- Have an email or phone number for cybersecurity questions. Often, teachers don’t know whom to ask when they have a question about cybersecurity. Designate a person or email address to help with non-emergency issues, such as questions about installing antivirus software.
- Create a process to inform teachers of known and emerging threats against student data and teachers. For example, a ransomware attack surfaced late last year where a threat actor pretended to be a parent asking about a child’s assignment to get an unsuspecting teacher to download a fake assignment that launched malware. By sending out an email or posting on the school’s internal communication channel, you can let teachers know what to look for and reduce the odds that they will fall victim.
- Celebrate Cybersecurity Awareness Month in October. Each year, the FBI hosts National Cyber Security Awareness Month to help educate and remind people about cybersecurity. The website provides ideas, topics and posters that you can use at your school. The bonus is that you are educating both teachers and students at the same time.
- Give cybersecurity awards to educators who spot and prevent potential attacks. To help encourage others to be on the lookout for attacks, create a program where staff are recognized and receive a small prize, such as a coffee gift card. When you recognize employees who spotted attacks or potential issues, you are also educating other teachers on what an attack looks like in real life.
- Start a competition between schools or departments to reduce cybersecurity incidents. Everyone loves a friendly competition, especially if prizes are involved. Launch a competition to see which school or department goes the longest without a cybersecurity incident. This encourages teachers and staff to keep an eye out for potential issues and to practice good cybersecurity processes.
- Require educators to teach a lesson on cybersecurity to students. One of the best ways for teachers to internalize student data safety is to teach it to students themselves. For middle and high school teachers, assign specific topics to each department to ensure that cybersecurity is woven throughout your students’ education. Teachers can use some of the lessons and handouts created by the National Initiative for Cybersecurity Careers and Studies as a starting point. In addition to improving cybersecurity in the school through your students learning to be safer, the teachers will more fully understand the subject after researching and answering questions.
With many priorities on their plate, it’s important to remind teachers about cybersecurity in a way that is easy to understand and practice. By including it throughout the year and as part of a decision in processes, you can keep student data and other information safe. It’s all part of creating a culture of digital safety.