Cybersecurity? - The Weakest Link!
The New Hampshire chapter of CoSN held a CTO Clinic recently. New Hampshire has a new law requiring every district to create and review a security plan, including cybersecurity and student privacy. The meeting had a lot of good discussions about strategic planning, involving stakeholders, engaging parents and community, utilizing providers to do vulnerability and penetration testing, and technical security solutions, but when it came to solutions to fix the weakest link it was like using duct tape to repair a cable on the Golden Gate.
More than 9 of 10 attacks start with phishing!
CoSN has good materials for addressing cybersecurity, such as its infographic on the top 5 threats for schools. Number 1 is phishing: “over 90% of cyberattacks start with phishing...” Training staff was the key component in the solution. This theme was repeated throughout the CTO Clinic: lists of what faculty and staff needed to know, understand, and be able to do, how to change the culture of the tech team so they were more effective in their work with faculty, links to websites with readings, videos, and digital citizenship tools. Only one presenter was more pragmatic about training staff, noting that you would be lucky to get 15 minutes a month with faculty.
Given the potential for real costs to the school and district operation, this deserves serious attention by school and district leadership. A district can have the most comprehensive network, backups, firewalls, and intrusion prevention systems, and a single click on an e-mail can open the door to an invader. EdWeek cited 122 school cybersecurity attacks in 2018, and those are the ones that were made public. A single ransomware attack on a district generates costs in political capital far beyond the impact of the cleanup (if you are well prepared) or ransom cost. A single district audit for cybersecurity can cost tens of thousands of dollars, but all the vulnerability and penetration testing can’t prevent intrusion when someone opens the door.
Should we legislate a solution?
How can schools and districts address this?
Legislating student data privacy and security as part of the mandatory annual training by itself will not solve the issue...although it will bring it to attention as a formal process.
Also, adding cybersecurity to the list of professional development needs without addressing the already existing PD issues (see previous blogs) is not results-oriented. Changing behavior is not a one-shot process. This topic is abstruse; it can quickly get technical (DDoS, phishing, geekspeak), leading to eye rolls and brain shutdown, and the perpetrators get more creative with their social engineering.
Relying on a digital citizenship curriculum for students and faculty will leave staff out of the mix...and you may find that the more technical topics of data privacy and security tend to be harder for faculty to work with, compared to cyberbullying and talking to students about protecting their personal information.
We need a quality process for keeping faculty and staff up to speed on cybersecurity - consistent, available for multiple learning styles, individualized, and built into the culture of the community. Involving faculty and students in creating a cybersecurity culture, building in a regular and adaptive professional development strand, and engaging the school community in regular communications would be good starting steps.