Phishing, ransomware, and data breaches are among the top cybersecurity threats facing schools today, but IT directors can find it difficult to gain buy-in from teachers or other school staff members to cybersecurity efforts.
Pete Just, the chief technology officer for the Metropolitan School District of Wayne Township in Indiana, said this points to a need to shift the culture, as some teachers believe cybersecurity is not their responsibility. During a recent online presentation about cybersecurity presented by District Administration, Just said the shift could be as simple as changing the mindset from “What do I need to do to stay out of trouble?” to asking “What do we need to do to keep our students safe?”
School technology directors should frame cybersecurity goals as being directly related to the district’s mission. “If we tie the district goals to the missions, people will be more engaged,” he said.
Involving the entire school community is another way to improve district cybersecurity efforts, he said. “Include people like bus drivers, school resource officers, and school custodial staff. All have access to technology, and sometimes we forget about that. We need to keep them in the conversation.”
Following are some of the approaches Just recommended as part of cybersecurity training efforts:
• Mentoring. Just said there are organic opportunities to develop advocates for cybersecurity and technology in most schools. For instance, he said, it might be a Title I person who is tech-savvy, or a science teacher who really enjoys using technology in her classroom. Seek out and empower these individuals with training to allow them to become cybersecurity mentors in school buildings.
These building-level mentors often have more success in convincing their peers of the importance of cybersecurity, he said. “If it’s just the IT team with the megaphones, it just doesn’t resonate.”
Mentors can also help expand the reach of district training efforts when the IT staff is small or overburdened, he said.
• Personalized learning. Just said a personalized learning approach, similar to that used in the classroom by teachers, can be an effective way to educate school staffers about the importance of cybersecurity. Just said many candidates for personalized cybersecurity training are self-selecting. For example, those who click on links in phishing emails should be provided training on what to watch for or be aware of in the future with a goal of prevention, not punishment. Those individuals could become advocates in the building or department for cybersecurity.
Similarly, he said personnel in school or district business offices who may be targeted for data breaches or phishing can be identified for more intensive cybersecurity awareness and prevention efforts. This approach is met with less resistance, Just said, in that it makes it about the position being at risk, not the individual.
• Marketing. Make cybersecurity part of the conversation by seeking out opportunities throughout the year for reminders or lessons. For example, Just said, a worksheet on how to create a secure password with Airheads candy attached with the message “Don’t be an Airhead; change your password” can get traction during cybersecurity awareness month in October. While enjoying the treat, school staffers may do the associated task. Tie campaigns to significant school or district events, like a big football game in the fall or a track event in spring, to leverage the existing attention around those events.
Timing is important. Just suggested IT department limit nonemergency efforts during times when educators are overwhelmed. The first few weeks of school are not an effective time to roll out a cybersecurity campaign, as teachers and administrators are busy with open houses, parent meetings, and other demands on their time. Rolling out a campaign in December as schools prepare for winter break is much less effective than beginning in January when teachers and students return for a fresh start to the year.
• Gathering input. Just said IT departments should get feedback from a cross-section of staff who may identify strengths and weaknesses. Conduct a semiannual review to figure out what works and what can be improved. Are there things happening that CIOs aren’t aware of that are effective and can be replicated or expanded?
This also provides an opportunity to identify future cybersecurity training topics. Ask staff what they know about being cybersecure and ramp up training opportunities where they are most needed.
Charles Hendrix covers school safety, Title IV, and other Title I issues for LRP Publications.
Copyright 2018© LRP Publications, Education Daily®