Creating and Communicating Your School’s Cybersecurity Plan

By Maggie Twaroski, Truth Tree Contributor

Cybersecurity attacks continue to plague education more than any other industry, with 80% occurring in lower education. Phishing emails, viruses, and ransomware are among the most common types of cyberattacks–some of which can cost schools thousands of dollars.  Of course, that cost dims in comparison to the harm families experience by losing personal data. This wagers the need for schools to have a solidified communication plan to educate and raise awareness for cybersecurity.

Why are schools such a prime target for cyber criminals?

For starters, cyber criminals know that the education industry typically has fewer security resources than other targets like the government, banking, retail, and healthcare. They also know that schools possess valuable information about families’ financial and contact information–home addresses, phone numbers, banking information and social security numbers, to name a few. 

Cyber criminals are also keenly aware of schools’ increased reliance on technology since the rise of remote/e-learning a few years ago. Teachers, parents and students are now accustomed to using technology in nearly every part of education–from school communications to gradekeeping and exams. While helpful in many ways, the ubiquitous nature of technology in school has normalized the exchange of sensitive information online (names, emails, financial data, etc.), and made individuals more vulnerable to cyberattacks. 

This was affirmed in a report  from the U.S. Government Accountability Office which stated 

“Remote education increased K-12 schools’ dependence on IT such as laptops, wireless internet access, and computer cameras and microphones. Such heavy reliance on IT to deliver educational instruction has increased the vulnerability of K-12 schools to potentially serious cyberattacks. From 2018 to April 2022, schools in most states reported an increase in cyberattacks.” 

What can your school do to protect against cyberattacks?

The unfortunate reality is that cyberattacks are only going to persist unless schools continue to prioritize cybersecurity at every level. This may be an easy task for large schools with big budgets, but what about smaller private schools operating in tighter margins? The good news is, keeping your data secure is simple and affordable with the right infrastructure and training. Let’s unpack what your school can do to maintain solid cybersecurity protocols, even on a tight budget.

• Start by adding small (but important) security updates to your current systems.
• Provide ongoing cybersecurity training to families and staff.
• Have a communication plan for cyber threats.

Here’s a breakdown of each step.

Make your current systems more secure

If you’re starting your cybersecurity plan from scratch, this is step #1. Updating your servers, network, and password-protected platforms to include additional security measures is simple, affordable, and effective. 

• Start by enforcing stricter password policies that require users to create complex passwords that need to be changed after a certain time period. 
• Set login limits so accounts are temporarily locked if a user fails to login correctly. 
• Secure devices that use school systems (in-person and remotely), with automatic screen-lock that requires users to login again after an idle period.
• Schedule updates for all software to ensure you have the latest security features installed.
• Turn on email security filters including spam detection and email warning tags.
• Maintain consistent backups for all critical systems, and perform recovery tests to ensure data can be restored quickly and accurately.
• Turn on multi-factor authentication to your CMS, LMS, portals, email, and other password-protected platforms. 

While certainly not an extensive list, these are some of the basic must-have cybersecurity measures that will hedge against digital threats. If you have extra room in the budget, consider investing in third-party cybersecurity software like Security Studio, Securus 360, or Unified Threat Management (UTM) software that consolidates your cybersecurity systems. 

Train families and staff to recognize cyber threats

Protecting your school from cyberattacks starts with education and awareness. Teachers, parents, and students need to be aware of red flags and know how to respond appropriately without accidentally disclosing any sensitive data. Creating a culture of cybersecurity awareness starts in the classroom and in your administration, but it shouldn’t stop there. Now that families are able to access school resources remotely, it’s critical they have the training needed to stay safe inside and outside the walls of the school.

Experts recognize the importance of creating a school-wide cybersecurity culture, not just limited to your IT team or administrators. Cindy Marten, deputy secretary of the U.S. Education Department emphasized in an NPR interview this year, “it can’t just be the tech person. It’s got to be every teacher, every school secretary, every student that logs into any district device.”

To keep cybersecurity protocols top of mind throughout the year, consider offering training programs once or twice per semester. The goal of these programs is to go beyond common-sense red flags and delve into more sophisticated cyberattacks that families may encounter, particularly in the form of persuasive phishing emails. Fortunately, this is an easy and affordable addition to your school resources with the help of training programs like Fortinet (free for U.S. K-12 school districts), and NICCS. While these trainings are typically geared towards staff, parents, and upper-school students, there are several age-appropriate cybersecurity resources that can help educate younger students about online safety. 

Have a communication plan for cybersecurity attacks

Does your school have a response plan in the event of a significant cyberattack? How are you going to communicate with families if your usual communication channels have been compromised? How will your messages provide clarity and reassurance? These are some of the questions schools should consider when preparing a communication response plan, because trust us–the last thing you’ll want to do during a ransomware attack is sit down at your computer (which may or may not be functional) and draft a thoughtful letter from scratch.

Keeping families informed during a school-wide cyberattack, and maintaining trust in your school starts by communicating your response plan before an attack happens. Many schools choose the beginning of each semester to inform/remind families of what they might expect during a large cyberattack. Provide a document of frequently-asked questions, and a contact list of your security response team. Communicating details in real time can be difficult during a cyberattack, so communicating basic protocols ahead of time will give families some peace of mind while you attempt to deliver updated information during a real cyberattack. 

If your school email has been compromised, you may have to communicate via mobile app, or phone calls. These mass notifications should inform families on how your school is responding to the attack, when you expect the threat to be resolved, and what parents and students should do in the meantime. Use these messages to maintain trust with your families by letting them know what your team is doing to respond to the threat in a timely, secure manner. Once the threat has been resolved and you are aware of the damage, communicate transparently with all constituents and stakeholders. Again, the key is to provide clarity while also maintaining trust and offering reassurance. 

Provide ongoing cybersecurity support

Preventing cyberattacks and building awareness among parents, teachers, and students is an ongoing commitment. As education technology evolves and we live more of our lives online, schools need to increase their cybersecurity infrastructure, and have a clear plan in place in the event of a school-wide cyberattack. Start small by updating your current systems with additional security features–whether it’s stricter email filtering, password policies, or multi-factor authentication. Then commit to training parents, teachers, and students on how to keep their data safe and recognize red flags. Finally, involve key administrators in preparing a communication plan in the event of a large cyberattack, so you can keep constituents informed while maintaining trust in your school.