Without People, Cybersecurity Falls Flat

#Technology

Austin Anderson

by Austin Anderson

Austin Anderson Edtech Thought Leader

Read time:

Lack of dedicated staffing is the leading challenge to districts looking to increase cybersecurity.

CoSN reports 66% of districts do not have a full-time cybersecurity position, and 55.5% of districts surveyed by Clever responded that cybersecurity is primarily the IT department’s responsibility.

36% of all data breaches involved a phishing email. It’s estimated that about 1% of all emails sent are malicious. That scales up to 3.4 billion phishing emails per day. Anyone can receive a phishing email, and everyone does—they just might not know how to tell yet.

While every district could benefit from a full-time cybersecurity pro, the real flaw in these responses is the fallacy of cybersecurity being an IT function alone.

Cybersecurity is a team sport. Everyone does better when we all do better. Here’s how a holistic approach to security helps draft everyone into the Cybersecurity Starting Line.

Educational institutions have seen a 75% increase in cyber-attacks, but in terms of building security against them, schools rank very last compared to other sectors. There’s no better time to improve than now.

1. Awareness and training

The majority of cyber insurance policies require staff training. Luckily, training programs perfect for K12 school districts already exist, so there’s no need to start from square one.

Look for a training program that:

defines and explains each term and concept.
uses relatable scenarios, humor, and repetition.
requires user participation.

The training should be delivered regularly in bite-sized sessions: think watching a video and answering less than five questions. Monitor who is actively participating and who skips training. Other bells and whistles for a training program may include leaderboards, personal risk scoreboards, and a periodic report of how the organization is progressing with training.

2. Security drills

Once the human firewall has some knowledge in their tackleboxes, it’s time to set up a phishing trip. The IT department spends some time setting up fake phishing emails and sends them out at regular intervals. Then they can measure who clicked (oops!), who clicked then realized and reported it, and who spotted the phony email and reported it without clicking.

These metrics give you a good idea of how frequent and intensive cybersecurity training needs to be. Every district is different, but in every district, cybersecurity needs to be a priority.

3. Reminders everywhere for everyone

Data security is building security. Just as school leaders, students, and families have come to accept increased physical security, teach them to respect and honor cybersecurity.

Reminders might include posters, catchy campaigns, celebrations, and rewards. This is in addition to the regularly scheduled training and the phishing drills delivered to everyone’s inboxes. Even the inbox can provide valuable real estate reminding users not to click on unfamiliar emails using default message options.

After users get the hang of it all, being a cyberhero becomes second nature. Even better, staff and students take the lessons home and increase their personal network security, too. All this knowledge also provides a strong foundation for individual staff members. They not only know what to do if they accidentally click, but they know the IT department will be glad they reported the situation before it got any worse. Cybersecurity training takes the shame out of being hooked by a phishing email—something that can (and probably will) happen to any of us!

Maximize your most valuable resource: the people in your district. Cybersecurity is everyone’s job, and IT can lead the way as a seasoned coach.