How school leaders can instill a culture of data safety in their staff, students, and parents
Principals and school directors know all too well the constant threat of cybersecurity attacks on schools. You work with your IT team to keep data safe, but the number of threats continues to rise, and attacks regularly make the news.
The good news is that there is something you can do to help prevent attacks. Over eight in 10 breaches—or 82%—involve a human element, according to the Verizon 2022 Data Breach Investigations Report.
That means that by educating your students, staff, and families about the importance of K-12 digital citizenship and data security best practices, you can help significantly reduce the risk of data breaches. Districts are charged with ensuring a high level of cybersecurity on their system hardware and software. Principals and school directors can significantly impact data safety within individual schools, primarily by training all their students, staff, and parents on how to practice digital citizenship to create a safe, secure technology environment.
What is Digital Citizenship and Why Does It Matter?
Digital citizenship describes how we should act when using digital tools and interacting with others online. Good digital citizenship is about using technology in an appropriate, responsible, and empowered way, which includes best practices of protecting data and eliminating vulnerabilities. Students continue to use technology in school and in their personal lives, so it’s critical to establish good habits early in students’ academic careers.
Principals can help instill digital citizenship by teaching students the dos and don’ts of posting content, sharing information, and interacting with others online. One of the top priorities of digital citizenship for students is protecting themselves online and maintaining positive digital relationships. Students must exercise caution and be aware of potential online risks, including cyberbullying.
Another way to promote good digital habits is to focus on digital contribution, or proactively cultivating positivity online. Digital contributors develop habits of relationship building, growth mindset, and lifelong learning, and take ownership of their digital footprint.
Here’s how principals and school directors can provide students, staff, and parents with the tools to improve digital citizenship and ultimately better protect student data:
Digital Citizenship and Cybersecurity Tips for All Ages
Principals can promote a culture of digital citizenship and data security at all levels by working with the school technology staff and their edtech vendors to implement cybersecurity awareness training. Training can help students, staff, and families learn how to recognize and avoid phishing attacks, malware or viruses, ransomware attacks, student hacks, and DoS/DDoS attacks.
Some training basics to focus on include using unique passwords (see more below), being aware of social engineering, learning how different devices pose different risks, carefully verifying emails, and reporting a cybersecurity incident or threat immediately. Knowing what to do in the event of a cyberattack or data breach can help mitigate the impact. This includes knowing who to contact when there’s an incident, protocol steps for reporting, and communicating new and emerging threats.
You can offer users multiple ways to learn cybersecurity, including courses and resources like email newsletters and lunchroom posters. As part of national cybersecurity awareness campaigns—such as October’s Cybersecurity Awareness Month—resources are available to help train others and promote good habits. Continue to teach through repetition, reminders, and patience.
Additionally, principals can work with IT staff to create student tech teams that both help bolster security and give students practical experience that will serve them throughout their education and careers.
Here are basic guidelines to help improve passwords to keep student data more secure:
- Use a password that is at least eight characters long. Make it longer if it is an administrative account. Avoid using dictionary words or passwords that are easy to guess, like your school mascot. Instead, use passphrases—a sequence of words or other text.
- Passwords should never be written on “sticky notes”
- When available, use multifactor authentication (MFA), which requires more than one method of authentication from independent categories of credentials
- Avoid using the same password across different systems as this could lead to a total compromise of all systems if one password is breached
- When available, districts should implement single sign-on (SSO) for easier authentication across systems
- When available, use a robust password manager that allows you to have unique and complex passwords for each account you have
Cybersecurity Tips for Elementary Schools
Digital safety is important for all learners, and especially so for young students. A 2020 survey of education and school officials by cyber.org showed that only 37% of elementary and middle schools were practicing cybersecurity education in their curriculums. Data security may not mean a lot to young learners. But even at a young age, they’ve still been introduced to several devices and need to know the basics of how to navigate digital tools and sites. In fact, research shows that many children start using online devices before age five.
Principals can adapt cybersecurity training to young students as well as their teachers and families. They can also instill the basics of how to become a contributing member of your human firewall; learned at an early age, these habits can have lasting effects that continue through older grades and beyond school. Basics include how to recognize threats, password protection, phishing training, and reporting suspicious activity.
Common threats for this age group include cyberbullying, cyber predators, posting private information, phishing, falling for scams, and accidentally downloading malware. It’s important to make sure these students have a safe space to share concerns. Principals can help families by providing resources to teach and practice cybersecurity at home, or ways to teach students about cybersecurity. Also, the CyberPatriot Elementary School Cyber Education Initiative (ESCEI) provides interactive learning modules and activities for students in grades K-6.
Cybersecurity Tips for Middle Schools
Cybersecurity threats and cyberbullying become increasingly sophisticated and aggressive as students get older. “Most students are already using the internet by middle school, but they don’t understand how it works,” says Kristen Bjork of the Education Development Center. “We have to help kids understand how messages and data are passed through the internet so that they can stay safe and secure.”
Tips for middle school students and teachers include:
- Secure your social media activity
- Use apps, tools, and websites that encrypt data, which protects any data you send online from hackers, network snoopers, and third parties
- Have a recovery plan, including informing parents when mistakes happen
- Use a VPN for all education-related tasks
- Use strong and unique passwords
- Be vigilant of phishing scams
- Know terms and conditions when you join a website, sign up for a social media account, or download an app
- Don’t share personal information, and be aware of who might read or find out about what you enter online
Cybersecurity Tips for High Schools
High school students and teachers have even more rigorous cybersecurity needs. In addition to the need to protect 1:1 devices, such as Chromebooks or iPads, they’re also using a wider variety of remote devices and software. And as they approach 18, they’re more vulnerable to having their valuable Personally Identifiable Information (PII) or Social Security numbers stolen, with more credit opportunities for bad actors. According to the Department of Education, a student record on the black market can be worth between $250 and $350.
Cyberbullying is even more likely at this age, given the prevalence of social media. According to the Cyberbullying Research Center, 33.8% of students aged 12-17 have been victims of cyberbullying.
In addition to the basic cybersecurity tips and best practices outlined throughout this blog, here are topics and tips principals can address with their high school students:
- Mobile safety – protect smartphones by knowing where they are at all times, setting a password, disabling Bluetooth, and avoiding open public Wi-Fi networks
- Computer safety – cover your webcam, don’t open emails from people you don’t know, and don’t click on links you don’t recognize
- Gaming safety – set strong passwords to protect your accounts, only download games from legitimate sites, be wary of people you don’t know, and don’t share personal information on gaming sites
- Social media safety – don’t “friend” people you don’t know, don’t post questionable material or photos of yourself, and be aware of cyberbullies and online stalkers
Cybersecurity Tips for Principals Themselves
As the heads of their schools, principals and school directors are responsible for ensuring that a prevention and response plan is in place and communicated to key stakeholders. Work with IT colleagues and other school leaders to create plans for dealing with any situation. An example is using the PICERL process (Preparation, Identification, Containment, Eradication, Recovery, and Lessons) as a best practice to prepare for each step of any security risk.
Additionally, you should have a transparent response process for cybersecurity and cyberbullying attacks involving students. This includes your immediate and long-term steps when you are attacked to minimize the risk to students.
Make sure your school has conducted a security audit in the past six months. A third-party audit gives you a holistic view of how your technology is laid out and how to take appropriate actions when needed. It also informs you of vulnerabilities and the physical and virtual resources that support the flow and storage of data and gives you a better understanding of required improvements.
Ensure your edtech vendors are practicing good custodianship of your student data. Things to look for in quality companies include having a dedicated security team and 24×7 Security Operations Center, signing the national Student Privacy Pledge, and adhering to FERPA, HIPAA, the Children’s Online Privacy Protection Act, Breach Laws, Data Residency Laws, and others. Other vendor qualifications to look for include SSO/MFA, ISO 27001/SOC 2 Controls, and a Responsible Disclosure Policy.
As an additional step, you can implement interoperable edtech that works together to decrease vulnerabilities, create a more controlled environment, and secure data.
Working with their IT staff, principals should lead efforts to provide security awareness training for their staff and students, and continually reinforce the need to ensure data is kept private and secure.
Be Proactive and Consistent with Digital Citizenship and Security
When working to improve digital citizenship and deal with cybersecurity threats and attacks, principals should focus on being proactive and consistent. It’s important to do as much as possible both to prevent an attack and to prepare for attacks when they do happen. And keep at it. Keep working on best practices, educating your staff, students, and parents, and staying vigilant.
No one can make their systems and schools 100% safe from cybersecurity threats. But by creating digitally responsible citizens, strengthening your human firewall, and implementing best practices, you can make your student data safer and more private.