Digital devices are everywhere in schools these days. They are used to complete assignments, conduct research, play educational games, and generally enhance teaching and learning. In an increasing number of schools, every student has access to at least one digital device during the school day. Oftentimes, they can take those devices home after school. That proliferation of school-issued devices can open schools up to all kinds of cybersecurity problems.
Education Week asked K-12 technology leaders in districts with 1-to-1 computing environments to offer tips on minimizing those cybersecurity risks. Here’s what they suggested:
1. Invest in the right products.
It’s impossible to protect school districts from the wide range of security threats without outside help—but not all available products are created equal.
Anti-virus and endpoint security are two basic products that help improve cybersecurity. Chris Sette, the IT manager for the Meriden public schools in Connecticut, recommends splurging for a product that utilizes machine learning that “actually analyzes what’s happening on the machine and makes a determination that there is something out of the ordinary.” Sette’s team checks outputs from those tools every day.
Tools that offer transparency for parents as well are especially worthwhile, according to Bryan Weinert, who runs the 1-to-1 program at Leyden High School District 212 in Illinois.
The district uses Securely to offer parents a portal they can access to see their children’s activity outside the school day. The tool also offers the option to allow parents to see students’ activity during the school day, but the district opted out of that feature. “If a parent is concerned about what they’re using Chromebook at home for, now we’ve provided parents a way to look as well,” Weinert said.
2. Make hackers work for it.
Maintaining strong lines of communication between teachers and parents is important—but there are ways to accomplish that goal without putting cybersecurity at risk. Last summer, the Meriden district’s tech team scoured district and school websites, as well as other sites hosted by the district, to remove all email addresses for staff members and replace them with contact forms.
Weinert’s district has installed content filters that allow his team to monitor all activity on the devices students receive through the 1-to-1 program. Parents and students have been informed that they should have no expectation of privacy on those devices, he said.
“We’re not actively monitoring—that would be multiple people’s full-time jobs,” Weinert said. “If there’s ever anything that does come up, our deans, disciplinarians, principals have the ability to go in and look at what’s going on.”
3. Communicate constantly with teachers and set them up for success.
Sette’s team emails teachers any time there’s a chance they’re receiving a spam message cleverly disguised to look legitimate.
Melissa Tebbenkamp, the director of instructional technology for Raytown Quality schools in Missouri, says a high priority in her district is ensuring that teachers’ and students’ devices don’t have administrative privileges unlocked. “There’s not a single user in my district, not a single technician, not myself, not my superintendent, not my students that are local machine administrators. Their accounts don’t have permission to install programs.” [The district has one special account that has the power to make those changes.]
Why not? Many cyberattacks require some sort of download or the ability to edit the device’s internal registry. “If the user account that it’s executing under doesn’t have the permissions to do that, then that virus or that malware or that trojan can’t go anywhere,” she said.
4. Start teaching cyber hygiene in kindergarten.
Meriden students start getting lessons on online safety, and warnings about indiscriminately sharing information in kindergarten. Those lessons continue throughout elementary and middle school, so that by the time they reach 6th grade and are taking devices home, “we have created a culture of internet safety,” Barbara Haeffner, the director of teaching and innovation for the Meriden public schools in Connecticut, said.
5. Never assume that what you’re doing is enough.
Districts that stop at simply installing a firewall aren’t likely to see all their problems solved. “Having a broken lock on a door is really not gonna help you that much,” said Sette.
District leaders emphasized consulting state laws around data privacy. In Connecticut, for example, each school district is required to get a data-privacy agreement from a vendor partner, whether it’s paying for the vendor’s product or getting it for free. The district has procedures in place for teachers asking students to sign up for accounts or interface with products that fall under the law, Haeffner said.