Special Report
Privacy & Security Opinion

Why K-12 Cybersecurity Is Only as Good as the Leadership at the Top

By Doug Levin — March 19, 2019 5 min read
BRIC ARCHIVE
  • Save to favorites
  • Print

Born in the 20th century, most superintendents and school board members are not experts in issues of technology, much less cybersecurity. As schools are growing increasingly reliant on 21st century technology for teaching, learning, and school operations, this lack of expertise has consequences and introduces new risks to school district operations.

Consider that of the 18 peer groups investigated by the Multi-State Information Sharing & Analysis Center in a recent review, local K-12 schools were reported to have the least mature cybersecurity risk-management practices of any state or local government agency. Similarly, a survey published last year by the National School Boards Association found that school officials are less prepared for cyberattacks than their peers in private sector companies.

As they juggle other critical priorities, superintendents and school board members may wonder what the scope of their responsibility should be in weighing cybersecurity risks and protecting against threats. After all, isn’t that the purpose of cybersecurity insurance and the role of district technology staff? Why would district leaders be expected to do more? In what ways could they do more?

The hard truth is that we won’t see fewer data breaches, fewer successful phishing attacks, and fewer ransomware incidents in schools until superintendents and school board members jointly embrace their cybersecurity governance responsibilities. Just as district leaders maintain the responsibility to manage risks to students’ physical safety and health in the context of natural and man-made incidents, they also need to take a lead role in ensuring that their school systems are appropriately managing the digital risks to school communities introduced by the embrace of technology. These include risks to the confidentiality of data collected by school districts and their vendors, risks to the integrity (i.e., the accuracy and completeness) of that data, and risks to the availability of IT systems and data integral to the day-to-day experiences of students, teachers, and administrators.

There are three primary ways that superintendents and school board members—working in partnership with district technology staff—need to exercise their cybersecurity governance responsibilities.

The hard truth is that we won’t see fewer data breaches, fewer successful phishing attacks, and fewer ransomware incidents in schools until superintendents and school board members jointly embrace their cybersecurity governance responsibilities.

The first is via their ability to set priorities for their school district. Every district needs to develop, formally adopt, and implement a plan to manage the cybersecurity threats and risks they are facing. Such a plan should identify the district’s critical IT and data assets, and detail how risks to those assets will be mitigated through policies, practices, and/or technology tools. It should explain for which risks insurance will be purchased, and—given that there are no 100 percent guarantees with cybersecurity—which risks will be accepted.

See Also

On-Demand Webinar: Attacking the K-12 Cybersecurity Challenge

K-12 districts face an array of threats from cyberattacks and security breaches. In this Education Week webinar, staff writer Benjamin Herold talks with guests about how district leaders can secure data and networks and insulate schools from bad actors.

Register now.

In addition, a district cybersecurity plan should include procedures and guidelines for how the district will respond to cybersecurity incidents experienced by the district (or its vendors) when they inevitably occur. This is a question of liability—districts have been sued for negligent cybersecurity practices in the wake of significant incidents—as well as legal compliance under evolving federal and state privacy, cybersecurity, and data-breach notification laws. Indeed, district leaders would do well to anticipate that when their district experiences a significant data breach or cybersecurity incident, school community members, government agencies and law enforcement, insurance providers, and the media all will come to them seeking public answers and accountability.

Superintendents and school board members also need to show leadership on cybersecurity through their authority over the budget process. As part of their fiduciary oversight of school districts, superintendents and board members should be able to crosswalk their cybersecurity risk-mitigation plans to budget expenditures and track that spending over time. That is not to suggest that there is a magic dollar figure or percentage of a school IT budget that should be spent on cybersecurity-related activities as evidence of good practice. But by working with district technology staff to make explicit budget assumptions and expenditures, district leaders can ensure and document that cybersecurity measures are being supported and are keeping pace with emerging threats and protections. In cases where spending does not match the need, budget transparency can help garner the data necessary to re-allocate or seek out additional funding.

District leaders would do well to anticipate that when their district experiences a significant data breach or cybersecurity incident, school community members, government agencies and law enforcement, insurance providers, and the media all will come to them seeking public answers and accountability.

Finally, superintendents and school board members need to put in place a process to assess the quality of their cybersecurity plans and spending at least once a year through clear organizational metrics. Such metrics should include—at a minimum—a reporting of the number, variety, and severity of cybersecurity incidents affecting or targeting the district and its vendors and partners, as well as one or more measures of the cybersecurity awareness of district staff. The process of determining and periodically tracking progress against a small set of meaningful metrics will go a long way toward moving cybersecurity risk management from district technology staff’s hands alone to weaving it throughout the culture of the district.

About This Report

This Education Week examination of K-12 cybersecurity is the second of three special reports focused on the needs of K-12 district technology leaders, including chief technology officers. Each report in the series features exclusive results of a new, nationally representative survey of CTOs, conducted by the Consortium for School Networking, an organization representing K-12 district technology officials.

District leaders are not only accountable to the public for managing cybersecurity threats; they are themselves disproportionately targeted by hackers. That means it’s critically important for superintendents and school board members to set a good example via participation in cybersecurity training and awareness events and strict adherence to district policies.

Schools’ reliance on technology for teaching, learning, and school operations will continue to grow. Every district needs to adopt a plan to manage cybersecurity risks, make sure they’re putting the money and resources into supporting that plan, and track the success of their strategy over time. District technology staff can’t do all of that work on their own. Superintendents and school board members should commit to creating a culture across their districts that anticipates cyber risks, rather than waiting to respond to attacks from malicious actors after the fact.

Events

Classroom Technology K-12 Essentials Forum Making Technology Work Better in Schools
Join experts for a look at the steps schools are taking (or should take) to improve the use of technology in schools.
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Budget & Finance Webinar
The ABCs of ESSER: How to Make the Most of Relief Funds Before They Expire
Join a diverse group of K-12 experts to learn how to leverage federal funds before they expire and improve student learning environments.
Content provided by Johnson Controls
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
School & District Management Webinar
Modernizing Principal Support: The Road to More Connected and Effective Leaders
When principals are better equipped to lead, support, and maintain high levels of teaching and learning, outcomes for students are improved.
Content provided by BetterLesson

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

Privacy & Security 'There Are So Many Issues’: Why Schools Are Struggling to Protect Student Data
While efforts have been made to protect student data, there are still troubling examples of data breaches.
8 min read
Illustration of numerous computer windows overlapping with creepy eyeballs inside the close, open, and minimize circles within the various window screens.
Daniel Hertzberg for Education Week
Privacy & Security Download Be Ready When Parents Ask These 7 Questions About Data Privacy
These questions offer a roadmap for issues that K-12 leaders should be prepared to discuss.
1 min read
Data security and privacy concept. Visualization of personal or business information safety.
iStock/Getty Images Plus
Privacy & Security Cyber Hackers Attack Schools More Often Than You Think: 8 Ways to Stop Them
Experts say there’s no magic formula for districts to completely protect themselves from these incidents, but there are ways to reduce risk.
1 min read
Image of a red glowing caution sign over a dark field of data.
Getty
Privacy & Security What Schools Can Learn From the Biggest Cyberattack Ever on a Single District
Hackers infiltrated a New York City school district vendor, jeopardizing personal information for 820,000 current and former students.
2 min read
Gloved hand reaching into a laptop screen hacking someone's account.
iStock/Getty Images Plus