Special Report
Privacy & Security Commentary

Why K-12 Cybersecurity Is Only as Good as the Leadership at the Top

By Doug Levin — March 19, 2019 5 min read

Born in the 20th century, most superintendents and school board members are not experts in issues of technology, much less cybersecurity. As schools are growing increasingly reliant on 21st century technology for teaching, learning, and school operations, this lack of expertise has consequences and introduces new risks to school district operations.

Consider that of the 18 peer groups investigated by the Multi-State Information Sharing & Analysis Center in a recent review, local K-12 schools were reported to have the least mature cybersecurity risk-management practices of any state or local government agency. Similarly, a survey published last year by the National School Boards Association found that school officials are less prepared for cyberattacks than their peers in private sector companies.

As they juggle other critical priorities, superintendents and school board members may wonder what the scope of their responsibility should be in weighing cybersecurity risks and protecting against threats. After all, isn’t that the purpose of cybersecurity insurance and the role of district technology staff? Why would district leaders be expected to do more? In what ways could they do more?

The hard truth is that we won’t see fewer data breaches, fewer successful phishing attacks, and fewer ransomware incidents in schools until superintendents and school board members jointly embrace their cybersecurity governance responsibilities. Just as district leaders maintain the responsibility to manage risks to students’ physical safety and health in the context of natural and man-made incidents, they also need to take a lead role in ensuring that their school systems are appropriately managing the digital risks to school communities introduced by the embrace of technology. These include risks to the confidentiality of data collected by school districts and their vendors, risks to the integrity (i.e., the accuracy and completeness) of that data, and risks to the availability of IT systems and data integral to the day-to-day experiences of students, teachers, and administrators.

There are three primary ways that superintendents and school board members—working in partnership with district technology staff—need to exercise their cybersecurity governance responsibilities.

The first is via their ability to set priorities for their school district. Every district needs to develop, formally adopt, and implement a plan to manage the cybersecurity threats and risks they are facing. Such a plan should identify the district’s critical IT and data assets, and detail how risks to those assets will be mitigated through policies, practices, and/or technology tools. It should explain for which risks insurance will be purchased, and—given that there are no 100 percent guarantees with cybersecurity—which risks will be accepted.

In addition, a district cybersecurity plan should include procedures and guidelines for how the district will respond to cybersecurity incidents experienced by the district (or its vendors) when they inevitably occur. This is a question of liability—districts have been sued for negligent cybersecurity practices in the wake of significant incidents—as well as legal compliance under evolving federal and state privacy, cybersecurity, and data-breach notification laws. Indeed, district leaders would do well to anticipate that when their district experiences a significant data breach or cybersecurity incident, school community members, government agencies and law enforcement, insurance providers, and the media all will come to them seeking public answers and accountability.

Superintendents and school board members also need to show leadership on cybersecurity through their authority over the budget process. As part of their fiduciary oversight of school districts, superintendents and board members should be able to crosswalk their cybersecurity risk-mitigation plans to budget expenditures and track that spending over time. That is not to suggest that there is a magic dollar figure or percentage of a school IT budget that should be spent on cybersecurity-related activities as evidence of good practice. But by working with district technology staff to make explicit budget assumptions and expenditures, district leaders can ensure and document that cybersecurity measures are being supported and are keeping pace with emerging threats and protections. In cases where spending does not match the need, budget transparency can help garner the data necessary to re-allocate or seek out additional funding.

Finally, superintendents and school board members need to put in place a process to assess the quality of their cybersecurity plans and spending at least once a year through clear organizational metrics. Such metrics should include—at a minimum—a reporting of the number, variety, and severity of cybersecurity incidents affecting or targeting the district and its vendors and partners, as well as one or more measures of the cybersecurity awareness of district staff. The process of determining and periodically tracking progress against a small set of meaningful metrics will go a long way toward moving cybersecurity risk management from district technology staff’s hands alone to weaving it throughout the culture of the district.

About This Report

This Education Week examination of K-12 cybersecurity is the second of three special reports focused on the needs of K-12 district technology leaders, including chief technology officers. Each report in the series features exclusive results of a new, nationally representative survey of CTOs, conducted by the Consortium for School Networking, an organization representing K-12 district technology officials.

District leaders are not only accountable to the public for managing cybersecurity threats; they are themselves disproportionately targeted by hackers. That means it’s critically important for superintendents and school board members to set a good example via participation in cybersecurity training and awareness events and strict adherence to district policies.

Schools’ reliance on technology for teaching, learning, and school operations will continue to grow. Every district needs to adopt a plan to manage cybersecurity risks, make sure they’re putting the money and resources into supporting that plan, and track the success of their strategy over time. District technology staff can’t do all of that work on their own. Superintendents and school board members should commit to creating a culture across their districts that anticipates cyber risks, rather than waiting to respond to attacks from malicious actors after the fact.
