Schools are now among the top targets for cyberattacks in the United States.
Last year, attacks against K-12 schools made up 74% of all cyberattacks against educational institutions, according to a report by Comparitech, a UK-based technology research firm. Schools are rich targets for data-hungry hackers: they contain reams of personal information about students, store sensitive data such as educators’ Social Security numbers, and manage significant sums of money.
School districts have limited budgets and staff to combat cyber threats, which, thanks to artificial intelligence, have become increasingly sophisticated and targeted. These attacks don’t just steal data; they also disrupt learning if a school needs to be closed for a few days to reset a compromised computer system.
In some cases, a single infected device can cripple an entire district’s network. That’s why experts say that, at the school level, the principal can play a key role in ensuring that staff and students stay hyper-aware of phishing schemes.
“Principals play an important leadership role when [they] encourage staff to report concerns quickly and reinforce that strong cybersecurity protects the time dedicated to teaching and learning,” said Michelle Bourgeois, chief technology officer for the St. Vrain Valley school district in Colorado. The district provides an Apple iPad to all its students. High school students use the device both in school and at home, while elementary students primarily use their iPads in school, with some limited at-home use by students in upper elementary grades.
But do school leaders welcome this new responsibility on top of all their other tasks?
Deborah Dennie, the principal of Leonardtown Middle School in Leonard, Md., said she was “surprised” when her district expected her to repeat training on cybersecurity for teachers who’d fallen for two or more phishing attempts. Dennie had to train them again, ensure they took and passed an online test, and issue a verbal warning. This was in addition to the schoolwide training sessions that Dennie had already given to her staff, based on the training that she received from the district.
If principals now have the added responsibility to ensure their staff and students stay vigilant against attacks, experts say there are four key strategies that can help them.
1. Scrub emails off school websites
Posting direct email addresses on school websites can make teachers and other school employees easy targets for hackers, said Sean Buzon, the technology director for the Uxbridge school district in Massachusetts. When he took over the position 18 months ago, Buzon advised school leaders in his district to replace them with a contact form for people who want to get in touch with school employees. His advice to principals: “hyperlink your name to anything else, but not to your email address.”
2. Reward vigilance, do not just punish mistakes
Bourgeois, the technology director for St. Vrain, said that the most “effective protection [is] staff who are informed and alert.” The district gives out a “CyberSmart Award” to employees who report suspicious emails, reinforcing the idea that everyone is an ally in protecting district data.
Experts say principals can reinforce vigilance proactively rather than focusing on discipline for repeat offenders. Dennie said it would also help if all teachers were asked to take the “test” that is currently only given to those who fall for phishing attempts. This would be a proactive step instead of waiting for an incident.
3. Emphasize the “pause, verify, report” protocol
Buzon encourages school leaders to promote a simple habit: pause before clicking.
Requests for financial or personal information should be verified through a separate channel, such as a phone call or internal messaging system. Teachers should carefully check the sender’s email address for subtle misspellings or incorrect domain extensions.
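For district IT staff who want to automate the sender check described above, the following is an added example and not something from the districts quoted in this article. The trusted domain, the sample headers and the distance threshold are constructed assumptions.

```python
from email.utils import parseaddr

# Assumption: the district's real mail domain (constructed placeholder).
TRUSTED = {"riverbend-schools.example"}
# Characters often swapped in to imitate a letter.
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(domain):
    """Collapse common look-alike characters so imitations compare equal."""
    return domain.translate(CONFUSABLE).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header):
    """Return (verdict, reason) for the From: header of a received message."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if "@" not in addr or not domain:
        return "suspicious", "no parsable sender address"
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED):
        return "trusted", "sender domain belongs to the district"
    for t in TRUSTED:
        if skeleton(domain) == skeleton(t):
            return "suspicious", "look-alike characters imitating " + t
        if domain.rpartition(".")[0] == t.rpartition(".")[0]:
            return "suspicious", "wrong domain extension for " + t
        if edit_distance(domain, t) <= 2:  # threshold is a tunable assumption
            return "suspicious", "misspelling of " + t
        if t in display.lower():
            return "suspicious", "display name shows " + t + " but the address does not"
    return "external", "unrelated domain; verify requests through a separate channel"

# Constructed sample From: headers, not taken from real messages.
SAMPLES = [
    "Superintendent <office@riverbend-schoo1s.example>",
    "Payroll <payroll@riverbend-school.example>",
    "IT Help <it@riverbend-schools.test>",
    '"principal@riverbend-schools.example" <helpdesk@mail-notice.test>',
]
for s in SAMPLES:
    print(check_sender(s), s)
```

The last sample is flagged because the display name shows a district address while the actual sending address sits on another domain, which is why the check reads the address and not the name shown in the mail client.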
Phishing attempts are getting more creative. Some fake emails may include the superintendent’s picture to make them seem more legitimate. Hackers have also used Google Calendar invites to send links that ask educators to fill out a form with their Google credentials, Buzon learned from a regional group of district leaders that he’s part of. His response: “You have to go [to] your email to read [the request]. It doesn’t automatically show up on the calendar.”
4. Get students and families involved in preventing cyberattacks
Cybersecurity doesn’t stop with staff.
Dennie said her school monitors the websites students access on their school-issued devices. Students who visit unauthorized sites face consequences, not only to enforce rules, but to reduce the risk of inadvertently exposing the network through malicious links.
Buzon said schools can gamify cybersecurity training for students by hosting “Cyber Escape Rooms” or “Capture the Flag” competitions to teach threat detection strategies. Student-led cybersecurity clubs could help too—older students can mentor younger peers on safe social media use, and how to create stronger passwords for their devices.
Since students use their school-issued devices at home, Buzon said parents have become a part of the “school’s network.” Schools can train parents to recognize whether an email from a principal or coach is real, or a phishing attempt. Parents should also understand the risks of sharing the use of school devices with other family members.