4 Big Cybersecurity Priorities for Schools: Training, Purchasing, Monitoring, and Budgeting
Cyberattacks are on the rise in computer networks across the country, leaving many schools scrambling to contain threats and educate communities on device etiquette. To get a better sense of what’s working to address this challenge, Education Week partnered with the Consortium for School Networking, or CoSN, to survey 513 K-12 technology leaders on how they are dealing with the latest cybersecurity challenges. Education Week followed up with interviews of chief technology officers to better understand what approaches are working to curb and clean up cyberattacks. Here are four key areas ed-tech leaders should address:
The survey of K-12 technology leaders featured a list of techniques for dealing with cybersecurity challenges, asking them to mark “yes” for the ones that apply and “no” for the ones that don’t. Techniques involving training ranked highest: 77 percent of respondents said they’re training IT staff, 69 percent said they’re encouraging staff members to upgrade passwords, and 63 percent said they’re working on training end users, such as teachers and students.
A little more than a year ago, Keith Bockwoldt was promoted to chief information officer for Hinsdale Township High School District 86 in Illinois. Only a few months after he started in the role, a teacher clicked on an email that purported to be from a former student. It ended up creating a malware infection that required Bockwoldt to tap into cybersecurity insurance for the first time in his 21 years working in the district.
That experience underscored for him the importance of arming teachers with knowledge of real-world situations in which they can play a major role. Bockwoldt started offering lessons to teachers during their prep periods, showing them videos that opened a window into a day in the life of a hacker.
“They were like, ‘Wow, that really happens,’ ” Bockwoldt said. “It really gave them an awareness.”
Bockwoldt naturally has had more success getting through to teachers when he speaks “in layman’s terms” rather than overloading them with tech jargon. He also recommends getting the board of education involved in the discussions.
Melissa Tebbenkamp, the director of instructional technology for the Raytown Quality schools in Missouri, said her team tries to engage teachers with humor, tossing memes into short weekly emails to keep the issues top of mind throughout the year.
Training has made a difference, Bockwoldt said. He’s started getting more suspicious emails forwarded to him from teachers who haven’t opened them.
Tackling cybersecurity often means acknowledging areas where the school needs outside help. Sixty-three percent of respondents to the CoSN/Education Week survey said they’re purchasing specific cybersecurity products and services.
Diane Doersch, who retired last year as chief technology and information officer for the Green Bay public schools in Wisconsin, likes the tool ClassLink, which provides single sign-on infrastructure for online applications, keeping the data secure. In general, she found that the most valuable way to get the most out of products was to meet regularly with the companies that provide them.
“I had quarterly meetings with the company that provided our firewall,” Doersch said. “They had the very specifics on how many times your district was pinged by a foreign nation.”
Tebbenkamp is less bullish on the potential for outside companies to help schools. “There’s a lot of products and services out on the market that aren’t a good fit for us,” she said. “Every district should take the time to evaluate whether it’s a good fit.”
She’s found that many existing products have cheaper open-source alternatives. Sometimes, an investment is worthwhile, such as an intrusion-detection system that scans her district’s online traffic, identifies threats, and paints a picture of the district’s normal traffic patterns. Tebbenkamp said the investment was small but the district got a lot out of it.
More than half of survey respondents said they’re engaged in real-time monitoring to detect security threats. School networks present an overwhelming amount of information, Tebbenkamp said. It’s important to prioritize—she deputizes two people each morning to look at dashboards, scan daily reports, and flag items that appear out of the ordinary. Part of her team combs through news threads and weekly briefings; if one person doesn’t catch something, another might.
“I think the biggest piece is what data do you really need to be looking at. You need to establish: What logs should you be collecting and reviewing? What network activities do you need to be monitoring?” Tebbenkamp said. She’s also resigned herself to accepting that “something slips through the cracks” no matter how much monitoring takes place.
Resources are always at a premium in K-12 schools, which means finding adequate funds for cybersecurity initiatives can be challenging. Only 12 percent of survey respondents said their district has a budget line item for cybersecurity, and just 20 percent have created a cybersecurity team.
Tebbenkamp said in a perfect world, she would add a chief privacy officer, rather than having her network system administrator lead her security team, and hire a data-security specialist. More cybersecurity experts couldn’t hurt, she said. But she’s found success with designating a “core group of individuals” on her broader team who have cybersecurity among their duties.
“They’re not going to have all that knowledge, so you need all of your key knowledge stakeholders to be part of a team so you’re not making decisions in isolation,” she said.
Added Hinsdale High’s Bockwoldt, “I’ve seen that happen at so many places: You didn’t have the processes in place to take care of it. All of a sudden, something bad happens, you’re throwing all kinds of money at it,” he said. “Having that conversation at a cabinet level is extremely important.”