4 Ways to Transform School Cybersecurity Measures
By: Belinda Fries, Senior Manager, Cybersecurity, FlexPoint Education Cloud
Throughout my 21-year career in educational technology and cybersecurity, I have seen that most school district technology departments are understaffed, leaving gaps in cybersecurity. Many are struggling to keep up with daily IT ‘fires’ to put out and don't have time for preventive measures that protect their networks and data. But with Microsoft reporting more than 7.4 million malware attacks on Kindergarten-12th grade workplace devices in the last 30 days, it’s critical we discuss what cyber attacks look like and measures that can be put into practice to protect our schools and districts.
To start, let’s talk about the state of cybersecurity in education. According to the Cybersecurity & Infrastructure Security Agency (CISA), cyber incidents for Kindergarten-12th grade schools are so prevalent that, on average, there is more than one incident per school day. This influx in incidents is due to the wealth of information that schools and districts store, including personal information about students, families, teachers, and support staff that is processed daily.
In addition, most schools don’t have cybersecurity budgets to contract with security vendors or purchase expensive protection software. With this in mind, I’ve put together four inexpensive but effective ways to create a more secure environment in your school.
1) Review Your Identity Management Program
The first step school and district leaders can take is to look at your identity management program to see if there are areas you can improve upon. Here are some questions to help you get started:
- Are you allowing students to have their own unique passwords, rather than forcing passwords with their birthdate, ID number, or some other easily guessed information?
- Are you ensuring passwords are complex?
- Are you educating students about why it’s important to have complex passwords?
- Are you educating teachers about why it’s important to have complex passwords?
- Are you making forced password changes?
- Are you utilizing multi-factor authentication (MFA)?
If you aren’t enforcing the use of MFA, then I would recommend password changes at least twice a year for students and every 90 days for staff. If you are using MFA, the National Institute of Standards and Technology (NIST) recommends one password change a year, unless there is an immediate threat. These little changes can make a huge difference, especially MFA, because users have to supply two or more pieces of evidence to prove they are the person who should be logging in. There are several technology companies that provide tools in their directories to force MFA at no extra cost.
2) Train Your Teachers, Support Staff, and Students
School cybersecurity can often be misunderstood because people think it’s complex and don’t want to discuss it. They believe it’s too technical, or beyond their understanding, which isn’t true. We need end users to practice cyber safety every time they touch an electronic device, which they’ll only learn through training.
Ask yourself, “If users don’t know what to look for when it comes to a cybersecurity attack, how can they stay safe?” Cyber attacks usually don’t look like what we see on TV. They are phishing scams, social engineering tricks, USB malware, or someone accessing a device that was left unlocked. Do your students, teachers, staff, and families know what a phishing email looks like? Do they know to pay attention to things like the time of day the email was sent and what the sender’s email address looks like, and not to click on external links in emails from addresses they don’t know?
The same goes for text messages. Recently, I received a text message from a shipping company claiming that my package couldn’t be delivered and asking me to click a link to reschedule the delivery. But I hadn’t ordered anything, so I deleted the text and reported it as spam.
Additionally, do your students, teachers, staff, and families know that there is malware on USB sticks that can infect their computers before an antivirus starts a scan? Do they understand how dangerous it is to leave a computer unattended, especially if you are allowing them to save their passwords to any cloud app they log into?
Ensuring that your teachers, support staff, and students have at least a general knowledge of cybersecurity and ways to stay safe is imperative. There are free training courses schools and districts can use, including from the National Cybersecurity Alliance, National Initiative for Cybersecurity Careers and Studies, Common Sense Education, and My Cyber Hygiene. While these tools are a great resource, I’ve found that in-person training, with real stories and real threats, works best.
3) Stay up to Date on the Latest Security News
I recommend enacting a concentrated effort within your technology department and district leadership level to stay on top of the latest security news. The reason for this is twofold:
- Cybersecurity attacks change daily. By monitoring best practices and the news, you may discover that you need to change or update existing measures.
- Knowing about recent school cybersecurity attacks can help further refine and strengthen your measures.
To stay up to date on cybersecurity news and best practices, I recommend bookmarking CISA on your browser. In addition to overall security updates, they also have an entire page dedicated to school cybersecurity. This section includes resources such as a toolkit to help schools and districts address systemic cybersecurity risk, ways to strengthen the nation’s cybersecurity workforce, and more. MS-ISAC is another organization to bookmark and join. MS-ISAC memberships are free for any government agency staff, including public school employees. Beyond cybersecurity news and information, MS-ISAC has several free and low-cost tools to help with cyber defense.
Podcasts are another great resource. Splunk recently released a blog post called “The Very Best Cybersecurity Podcasts.” This list includes all my favorites, as well as new podcasts I’ve started listening to. Beyond that, I also read articles from The Hacker News, Security Week, and Wired. How do I find the time? I listen while driving. I read in doctors' offices, grocery store lines, and while waiting for my lunch order at a restaurant. I even discuss many of the topics with my children.
4) Talk about AI non-STOP!
With the launch of public generative artificial intelligence (AI) applications such as ChatGPT, Bard, Claude, Otter, Jasper Chat, and more, the world is discussing the benefits and challenges they pose. One challenge is understanding the difference between Public Generative AI and Private AI. Cyber and technology professionals have a duty to explain to users that information they enter into a public generative AI application becomes public information for anyone to find. So, if they enter sensitive or confidential information such as a student roster to help make a class schedule or personally identifiable information to create a unique email to parents, that data is saved for public use.
FERPA laws, along with many state laws, require school officials to keep student data private. Entering names, grades, phone numbers, addresses, emails, and other information into these AI programs could result in a FERPA or local law violation with huge consequences. Beyond that, ChatGPT suffered a data breach in March 2023 that allowed user data to be seen by unauthorized parties, possibly resulting in a violation of student privacy laws.
If your school is using or hopes to eventually use a private generative AI, you have more control over students’, parents’, and teachers’ data. I recommend ensuring IT best practices are implemented such as keeping data encrypted while at rest and moving, securing data via MFA, and adding protections like auditing, tracking, and more.
The biggest takeaway I hope school and district leaders have after reading this article is the importance of reducing the fear of cyber attacks through training and learning. The more students, parents, teachers, and support staff are exposed to what cyber attacks look like with real-life demonstrations and practices, the better.
I also encourage school and district leaders to think outside the box. For example, if you don’t have team members who are dedicated to school cybersecurity, speak with your computer or IT teachers to see if one of them would be interested in taking on a cybersecurity training program. Or could you challenge students in a cybersecurity or journalism class to write articles on the topic to help educate their peers?
Lastly, if your school or district has a digital learning program (i.e., virtual school, blended learning, hybrid, etc.), I recommend partnering with an organization that has the capabilities to keep your student information safe. At FlexPoint, our digital courses can be uploaded to your learning management system of choice, which protects your student and school data. Learn more about what we offer and how we can help.