Special Report
Privacy & Security

6 Steps for Preventing and Cleaning Up Cyberattacks

By Sean Cavanagh — March 19, 2019 4 min read
Conceptual image showing varying shades of blue and white numbers representing data and a lock with a computer's power button inside the lock's key hole.
  • Save to favorites
  • Print

Districts face an intimidating array of cybersecurity threats. What are some of the common-sense steps they can take to make sure they’re protected, or that they’re at least lessening the risks?

1—Determine the systems you need to protect the most and build your cyber protections out from there.

Districts should identify information—such as students’ personal data, or financial records—that must be safeguarded and set a “baseline of controls” around that information, says Doug Levin, the president of EdTech Strategies, LLC.

The first steps in protecting that information from hackers are likely to include actions such as running anti-virus products, having proper firewalls, and segmenting networks so a hacker can’t get access to everything at once.

More sophisticated protections can be scaffolded on from there, such as two-factor password authentication. But many of those more rigorous steps require a heavier lift from the IT department, and potentially for district employees and students. Districts need to make a judgment about how sophisticated hackers coming after their information are likely to be, says Levin, and what protections are worth it.

2—Train your staff, and retrain them.

Teachers, administrators, and other employees need help on how to identify threats. And they need reminders throughout the year. Some districts have sought to make this training engaging, through videos and gamification.

As part of their training, staff should be given information that details what phishing e-mails and other scams look like. When districts are hit by cyberattacks, it’s often because staff members don’t recognize the threat. As one district administrator told Education Week: “Our biggest threat is ourselves.”

In addition, key staff should regularly be trained on how to respond to crises, and the K-12 system’s crisis plan should be revised after an attack, based on how well the district performs during a simulation, according to a checklist put forward by the Consortium for School Networking.

3—Think about restricting administrative access.

Some districts don’t allow teachers, students, or even top district administrators to download software on their machines that could allow malware or a virus to penetrate their networks.

About This Report

This Education Week examination of K-12 cybersecurity is the second of three special reports focused on the needs of K-12 district technology leaders, including chief technology officers. Each report in the series features exclusive results of a new, nationally representative survey of CTOs, conducted by the Consortium for School Networking, an organization representing K-12 district technology officials.

This doesn’t mean district officials can’t download anything. But it means they can’t download resources that will install software or make system changes that could infect a machine and eventually a network, says Melissa Tebbenkamp, the director of instructional technology for the 9,000-student Raytown, Mo., Quality Schools, which has put in place those types of controls.

Keep in mind that in many districts, restricting administrative access will come as a huge cultural shift, especially for teachers and administrators who are used to downloading what they want. Try to figure out what essential resources these staff need to do their jobs, then limit the amount of freelance downloading of software on devices throughout the district.

4—Have an emergency-response plan in place for when a cyberattack hits.

Key personnel in a district should be trained on how to respond to a cybersecurity crisis, which means putting staff through simulations of attacks, advises CoSN. Districts need to make sure that plan has been updated relatively recently; COSN advises a refresh at least every two years.

District tech leaders should also be prepared in other ways. They should know who their point of contact is in local law enforcement, advises Levin. And they should make sure the school system’s attorney knows about cyber threats and how the district should respond.

In addition, K-12 officials need to know whether the district and its vendors have cyber insurance, and what it covers. Pinning all of this down up front is easier than trying to scramble for help after a crisis has struck.

5—Monitor your networks for intrusions.

CoSN recommends that districts have live monitoring in place to keep track of network intrusions and viruses.

That’s important, because the focus of many hackers is not stealing students’ or school employees’ personal information, says Tebbenkamp. For some, the main focus is “resource utilization”—gaining access to the district’s network to launch attacks on other users, so the attack can’t be traced back to the hacker. If a district is tracking information on its server, it has a better chance of knowing when malicious activity is underway.

6—Set clear expectations for education and technology companies.

Make sure you have a point person or group of people who are evaluating software for data-security and vulnerabilities. That evaluation needs to occur even if a district is only using an ed-tech product for a short term, such as with a pilot, says Tebbenkamp.

She also advises districts to have data-governance contracts with vendors, ensuring that they follow best practices. Contract provisions include making sure data is secure, including the times when it is transmitted; that any company staff who come in contact with district data have background checks; and that data gets deleted when it is no longer needed by the school district.

Events

This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Student Well-Being Webinar
When SEL Curriculum Is Not Enough: Integrating Social-Emotional Behavior Supports in MTSS
Help ensure the success of your SEL program with guidance for building capacity to support implementation at every tier of your MTSS.
Content provided by Illuminate Education
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Teaching Profession Webinar
Professional Wellness Strategies to Enhance Student Learning and Live Your Best Life
Reduce educator burnout with research-affirmed daily routines and strategies that enhance achievement of educators and students alike. 
Content provided by Solution Tree
English-Language Learners Webinar The Science of Reading and Multilingual Learners: What Educators Need to Know
Join experts in reading science and multilingual literacy to discuss what the latest research means for multilingual learners in classrooms adopting a science of reading-based approach.

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Privacy & Security Quiz
Quiz Yourself: How Much Do You Know About Cybersecurity?
Answer 5 questions to assess your knowledge on cybersecurity.
Content provided by Bluum
Privacy & Security Download Be Ready When Parents Ask These 7 Questions About Data Privacy
These questions offer a roadmap for issues that K-12 leaders should be prepared to discuss.
1 min read
Data security and privacy concept. Visualization of personal or business information safety.
iStock/Getty Images Plus
Privacy & Security Cyber Hackers Attack Schools More Often Than You Think: 8 Ways to Stop Them
Experts say there’s no magic formula for districts to completely protect themselves from these incidents, but there are ways to reduce risk.
1 min read
Image of a red glowing caution sign over a dark field of data.
Getty
Privacy & Security What Schools Can Learn From the Biggest Cyberattack Ever on a Single District
Hackers infiltrated a New York City school district vendor, jeopardizing personal information for 820,000 current and former students.
2 min read
Gloved hand reaching into a laptop screen hacking someone's account.
iStock/Getty Images Plus