For the better part of the last 25 years, I served public education. But a year ago, I transitioned from public education leadership into a role on the education strategy team at Dell Technologies. Along with learning many new acronyms and adjusting to remote work, I gained new perspectives on the technological challenges and opportunities across hundreds of school districts. It didn’t take me long to realize that my previous approach to cybersecurity (which might best be described by the phrase “head in the sand”) could have easily landed me on the front page of a newspaper and left countless headaches and consequences in the wake.
How Cybersecurity Has Changed
The job I signed up for in 1991 as an educator morphed and changed into something I never could have predicted. Security in 1991 meant remembering where you put the key to your desk drawer so a mischievous six year old wouldn’t sneak in and either find your candy stash or rearrange your pile of papers for the afternoon lesson (both of which I experienced). Security in 2023 means much, much more, and to be honest, I was so focused on caring for the well-being and learning progress of the children in my care, I didn’t make space to consider the unseen factors that could derail lots of my good work.
One of the first conversations I had upon joining Dell was with the Chief Technology Officer of a central Texas school district. His district had recently experienced a ransomware attack, and every aspect of their teaching, learning, security, and basic facility functionality was interrupted. I thought back to my aware-but-not-imminently-concerned approach to cybersecurity in the months prior. I really don’t think I had a full understanding of what was at stake. Grading systems – down. HVAC – off (GASP!). Curriculum systems – unavailable. Email – nope. Special education records – inaccessible. Large screen display monitors – virtually useless. Campus physical security systems (door locks, video cameras, intercoms, etc…) – off. When I heard him describe their experience, I thought back to the way I’d taught in 1991 and imagined trying to do that again, but without air conditioning. No thanks.
School Vulnerability Has Increased
Perhaps as penance for my previous apathy around cybersecurity, I’m on a bit of a mission. Ransomware attacks on schools have increased 837% (not a typo) in the last year. Public school entities are especially vulnerable due to the value of young people’s data and the likely length of time before their compromised data is detected. Our society has been working very hard to manage the physical security of schools – and for good reason.
Cybersecurity can be just as critical to a school’s safety, and with the drastic increase of 1:1 programming in schools, cybercriminals now have more targets. While it’s impossible to guarantee that a breach won’t happen, there are steps that can greatly reduce the likelihood of an attack and mitigate the damage if one does occur. Given the limited bandwidth, educators have to focus on the critical things that are a bit less visible than the critical things they’re doing each day with students in their classrooms, these are the things worth prioritizing.
Three Priorities for School Cybersecurity
1. Own your own security.
Create and securely store complex passwords (no sticky notes on your desk or sharing them with your colleagues). Invest the time to set up and use multi-factor authentication to frustrate or slow down a would-be hacker. Lock your laptop/ mobile device in your car’s trunk when parked. Don’t use USB drives with your computer if you don’t know their origin. And, just in case, keep printed copies of important rosters, contact information, or critical emergency records of students, staff, etc., handy in a secure location.
2. Be both a good teacher and a good student.
While compulsory cybersecurity training sessions in school districts may not be as much fun as the holiday party, they are designed to ensure that you can actually use your computers to plan and communicate for said festivities! Follow your tech department’s guidance and pay close attention to the training they provide. They know more about the current threat landscape than they may be able to disclose, so treat them like the virtual security team that they are. Talk with your students about your security efforts. Model behaviors for them that will help the whole school to be a less appealing target.
3. Build a culture of cybersecurity.
If you lead a tech department, consider your communication routines. How are you communicating your cybersecurity plan with Trustees? School leaders? The community? Sharing stories of breaches you’ve prevented or bad actors you’ve deterred can help raise awareness AND make it a bit easier if/when you have to share bad news of an attack. Additionally, know when to ask for help. With tech departments varying greatly in size, it can take a village to cover the necessary bases. Monitoring services can be key components of your security framework as well as loyal friends during the frightening hours of an attack, should one occur.
My wise grandma often said, “An ounce of prevention is worth a pound of cure.” Obviously, she wasn’t referring to cybersecurity, but the wisdom still applies. As nostalgic as it can be to remember the days when ransomware wasn’t in our vocabulary, school leadership today requires us to take this wisdom to heart in service of our students and the integrity of our systems (and, in Texas at least, to keep the HVAC functioning at optimum levels!). An ounce of cyber awareness is worth a pound of school district safety.