K-12 district technology leaders know what steps they need to take in order to protect their network systems from cyberattacks.
They’ve seen news report after news report about another district falling victim to a cyberattack. They know one day their district could be next. They’ve implemented guidance from the federal Cybersecurity and Infrastructure Security Agency and other cybersecurity organizations about how to lessen their risks.
But one of the most vexing challenges, some district technology leaders emphasize, is getting the rest of the district—all staff, parents, and students—to follow cybersecurity policies and best practices.
“Not to lessen or underestimate the technical things that are required, but so much of managing security is more about those human management things,” said Rod Russeau, the director of technology and information services for Illinois’ Community High School District 99.
Patricia Brown, the director of technology for Missouri’s Ladue school district, agreed: “Some may view security measures as burdensome and intrusive to their daily work processes, leading to a reluctance to implement them.”
The reality is that cybersecurity policies and best practices won’t reduce the risk of cyberattacks if no one is following them. Here are five tips from Russeau and Brown on how to get buy-in from everyone in the district:
1. Start with the leadership team
“It’s essential to get the leadership team on board with the cybersecurity policies,” Brown said. “If they are not committed to it, it will be challenging to get buy-in from others.”
Talk to the leadership team often about the importance of cybersecurity. Engage them early when creating mitigation plans. Explain the risks and potential consequences of a security breach and the importance of having strong policies and practices in place.
District technology leaders can provide plans and figure out the risks, but “leadership is ultimately accountable for everything that happens in the school district,” Rousseau said.
2. Get everyone involved in the process
Ensure that all district staff, educators, administrators, and even students, are involved in the development of the policies and best practices. Involving all stakeholders leads to policies that are practical, relevant, and that everyone feels they have had input into creating, Brown said.
For example, Russeau said tech leaders can go through an exercise with district staff “to identify critical assets,” which could “open the door” for staff to think about other strategies that could be added to a district’s incident response plan.
3. Communicate in simple language and avoid cybersecurity technical jargon
When explaining the policies and best practices, make sure to use clear and simple language and avoid jargon, so that everyone can understand them, Brown said. District technology leaders should also explain the benefits of the policies, such as the protection of sensitive information. “This can help build support for the policies,” she added.
Although some policies “can be annoying,” it’s important to remind district staff, students, and parents that the policies and best practices are there to protect them and their data, Russeau said.
4. Provide training on how to prevent cyberattacks
Russeau and Brown underscored the importance of educating staff, students, and parents on the importance of cybersecurity and the new policies and best practices. Districts should also provide training on how to identify and prevent cyber threats.
One example would be conducting an email phishing awareness campaign regularly and providing resources to those who are not that successful at identifying phishing emails, Russeau said.
5. Enforce the policies consistently
Finally, it’s essential to enforce the policies consistently, they said.
“If there are no consequences for violating the policies, they will not be taken seriously,” Brown said. “Enforcing the policies will help demonstrate the importance of cybersecurity and encourage everyone to follow the rules.”
When Russeau’s district sends out fake phishing emails as part of its cybersecurity awareness campaign, employees who click on those emails are prompted to participate in mini-training on cybersecurity best practices.