With COVID-19 sweeping the globe, many school districts around the country find themselves in the midst of an unprecedented shift from the routine of a normal spring on campus to a largely remote work and distance learning experience. This crisis has revealed remarkable strength: teachers, administrators, and other essential school personnel are showing creativity and tenacity as they continue serving students remotely, while students, parents, grandparents, and guardians rise to the occasion from home. And behind the scenes are tireless district technology teams that make it all possible.
Even under normal circumstances, school districts face an increasing risk of data breaches; EdWeek reports that the number of K-12 cyber attacks more than doubled from 2018 to 2019. And as the far-reaching ripple effects of the current pandemic become clear, many districts will find that this crisis only exacerbates those vulnerabilities. According to Doug Levin of the K-12 Cybersecurity Resource Center, devices and networks that are not secured are at the center of increased security threats. With staff, teachers, and students working remotely, the risk increases.
Another source of increased risk: regular cybersecurity policies are easily overlooked in the midst of changed routines. And with near-constant news alerts related to the crisis, users are more likely to trust a phishing email that promises timely information, or requires immediate attention or action and demands urgency. All of these factors lead to greater risk for cyber criminals to capitalize on uncertainty and lack of ordinary structure.
But there’s good news, too!
Many of the best cybersecurity measures are simple and possibly already in place. And taking the time to address cybersecurity now means that, on the other side of this pandemic, your district can return to a normalcy that is more secure and more flexible than ever before ― an opportunity worth seizing! Here are a few best practices to keep your district “cybersafe.”
1. Train Students and Staff
According to Amy McLaughlin, cybersecurity director for the Consortium for School Networking, the first thing a district should do to ensure cybersafety (a term she recommends over “cybersecurity,” which may sound too techy to some users) is train staff to be on the lookout for potential problems. School districts have an opportunity to use the present moment to make this a regular part of their staff’s functioning. As you establish protocols for remote work, include regular reminders — what McLaughlin calls “an ongoing marketing campaign” — for staff and students alike to report every possible phishing scam or suspicious activity.
And make it easy for staff and students to report anything suspicious. Enabling a one-click reporting mechanism can help encourage reporting. If the one-click functionality also includes an automated message that appears after someone clicks, that is an opportunity for you to use that message to remind staff and students how their actions are helping your district stay safe. Positive reinforcement will go a long way in encouraging the reporting of suspicious emails and websites.
Consider testing staff and students by using phishing simulations and sharing out the results to further raise awareness. For example, if 25% of users failed a simulation, that lets your community know to strive for even greater vigilance.
You may enjoy this hand-picked content:
Cyber Attack at Springland City Schools: Walk a day in the shoes of an IT director working to make sure his district is ready for whatever comes its way.
2. Maximize Security
Ensure that, whatever programs your district is using, your users are making the most of the security features that are already available to them. EdWeek tells the story of one district that ― only after a significant data breach ― moved to a cloud-based email system with two-factor authentication to avoid further compromise. Proactively check to be sure that you are requiring the most secure options, such as two-factor authentication, and make cybersecurity best practices part of your district’s routine. Educate staff on these practices so that they understand why they are required to regularly change passwords, and make district-wide security practices a priority before an attack makes it a priority for you.
3. Maintain Backups
Regular backups should be a part of every district’s protocol, now more than ever. And backups should be encrypted and segregated and secured at a site that is easily accessible (for example, a vendor that can ensure security and availability of the backup files). Having takes or files secured by a trusted vendor helps keep them separate from the rest of the network. So, in the event of an attack, backups won’t be affected.
In the wake of a ransomware attack, compromised backups limit your district’s ability to recover. Jason Dial, a superintendent whose district experienced an attack, says it’s wise to be ready: “If it hasn’t happened to you yet, it’s going to happen.” Being prepared for a quick return to normal makes the difference between an inconvenience and a disaster.
4. Beware of the Seemingly Simple
A data breach often comes down to just one person clicking on just one suspicious link or attachment. McLaughlin notes that one of the greatest dangers to school cybersafety is a classic phishing attack, often an email that requests information or money under the pretense of an emergency. She’s backed up by Paul Lipman, of BullGuard cybersecurity, who says, “We’re seeing a rise in phishing attacks as a result of the rapid move to remote working for a large number of people.” Remind remote workers and learners to approach their emails with healthy skepticism. When in doubt, report!
We’re being reminded regularly that the simplest measures can be the most effective: wash your hands well, cover your mouth when you cough, and wash your hands again. The same principle goes far for districts feeling overwhelmed by the need to keep sensitive data safe in an unprecedented, remote situation. Simple measures can be very effective, and their usefulness will remain long after the crisis has passed.