Cybercrime is a real issue for any business, but there are several risks specific to schools. For instance, aside from the usual security concerns with employees, the students themselves may present another risk source: Educational organizations have to deal with the young minds, which have ample access to technology, spare time and, more often than not, poor judgment as to the consequence of their actions. From simple situations such as improper online conduct, to more damaging issues like cyberbullying, which in some extreme cases has led to the loss of life, educators need to be aware of what the risks are and how to take the proper course of action. The protection of students’ personally identifiable information is another important issue. Educational institutes usually have a lot of personal data, such as birth certificates, medical records, social security numbers, and even biometrics. Unfortunately, as any cybercriminal is quite aware, security controls at most schools are not on the same level as those at a major company, making them an easy and juicy target. Also, if a school or university handles credit card transactions, they must comply with the payment card industry data security standard (PCI DSS) or they may face severe consequences, including a hefty fine, suspension of credit card acceptance, loss of reputation, and even possible civil litigation if a breach occurs. Another point is the great number of laws and regulations pertinent to information security that educators must be aware of, during the 2000s, the Children’s Internet Protection Act (CIPA) already imposed safety requirements on schools or libraries regarding Internet access, in order to prevent access to adult content or any other form of information considered harmful to children, but since California’s 2014 Student Online Personal Information Protection Act (SOPIPA), the first to legislate the permissible activities of online school service providers in the digital age, legislation has become much more strict. In 2016, student data privacy was a priority issue in state legislatures. SOPIPA served as a model for many of the 34 states where a total of 112 bills were introduced last year addressing student data. Schools not only have to deal with privacy concerns regarding education data collection, but they must also pay attention to how to govern the data use and privacy activities of online services they provide while ensuring the capacity and resource needs of districts, especially given the increased data privacy and security responsibilities many districts and school boards were charged with in 2014. Yet another major point educators must be aware is the Family Educational Rights and Privacy Act (FERPA), a federal law that applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA gives parents certain rights with respect to their children’s education records, which are transferred to the student when he/she reaches the age of 18 or attends a school beyond the high school level. These include the right to inspect and review the student’s education records maintained by the school and the right to request that a school correct records which they believe to be inaccurate or misleading. Now imagine what may happen if a school loses every record due to a ransomware attack? FERPA also prohibits the disclosure of any confidential student information (i.e., name, student identification number, Social Security Number) in a personally identifiable manner, without the student’s or authorized party’s written consent. As stated before, a major data breach may have severe consequences, including, in extreme cases, the loss of all or part of the funding provided by the Department of Education. So, back to the title: Why do educators need security awareness training? Well, considering the multitude of risks and security issues, an awareness program is one of the most basic and effective controls that can be put in place to change the security mindset and ensure educators at all levels do their part in including cyber security as a basic aspect of their routine.
How to Make Educators Aware of Security?
The first bit of good news is that an education environment has a huge advantage when compared to other industries: There is already a quite obvious focus on educating people. Most of the structure required for an awareness campaign is already in place, including communications experts that can make sure the right message is transmitted. Many people have the mistaken impression that security awareness requires a strong technical background, but the truth is that, aside from having to follow a few simple guidelines, most awareness efforts will focus on enhancing common sense. A security aware person basically includes a “security” step in his cognitive processes. For instance, simple actions such as thinking for a second before clicking on a not-entirely-trusted link or opening an attachment that requires an “enable macro” function, can avoid a painful ransomware infection. The secret to a successful awareness program is making it relevant. People must be able to identify themselves with security issues and as a major part of security controls. Embracing security is by no means an easy task, but most educators are quite protective regarding their students’ safety and, given the proper message, they will be more than willing to be helpful. On the other hand, you cannot forget to include student awareness in your program, and that requires a whole different approach. In our post-consumerization world, where everything is connected and shared in less than a heartbeat, students might be resistant to information security. Here are some tips that will help you create an information security awareness campaign:
Security ambassador—The main focus of your awareness program is making people embrace security in their daily activities. Having representatives from both employee and students assigned as ambassadors for information security will help communicate that security is everyone’s responsibility. These ambassadors will be able to explain to both employees and students what reasonable security precautions they are expected to take and what would be the consequences of security-related incidents.
Please keep in mind that selecting the right person for the job and providing a proper training are the keys to ensuring that your representative will be more than a placeholder. Again, there is no need of a technical background, although it would not hurt, but a good ambassador must be a great communicator and a people person who is committed to the importance of information and the college’s safety.
Create a security handbook for employees/students—Once you start talking about security, questions will arise instantly. How do I protect myself on the Internet? What am I allowed to access? What can I do if I suspect that my security has been compromised? A security handbook will provide quick answers to the more common questions and will also direct your users to other information channels that can help with more complex issues.
One important aspect is public segmentation. Having different handbooks for employees and students can help you communicate better and focus on topics that are specific for each group. Your employees must be made aware of policies, controls, legislation, and every security-related topic in the same way the employees of any other business are. For your students, you should focus on making them understand why information safety is so relevant for their current and future lives. Behavior-related topics such as proper internet conduct, cellphone safety, how to prevent cyberbullying, grooming, and sexting should be covered.
Keep your communication channels working—An awareness campaign at its core is a focused communication effort on a specific subject and its sub-topics. As stated before, a handbook is great for informing your employees/students of basic rules and providing information on the most common questions, but you must also be prepared to answer more complex queries, and you should also provide a way for people to report security issues.
Making use of current technology such as chatbots, wikis, or any form of real-time communication (e.g., a dedicated security line) is a sound way to be prepared to provide a proper response once a relevant security issue arises.
Put security on your calendar—Making security relevant requires a continuous education effort. For instance, most organizations like to have an information security week to discuss the subject, but that might not be enough. People tend to forget that security is an issue if there is no constant reminder.
Dedicating an entire week focused on discussing security matters is great, and every organization should do it at least once a year. Aside from that, your efforts should be on keeping the momentum going. Here are some great examples of what you can do:
Use official channels to periodically send basic information security tips. Your e-mail, social networks, intranet, and instant messengers are all powerful awareness weapons if properly used. Use your class time to discuss security with the students. Having a teacher read the school/district acceptable use policy (AUP) and explaining in terms the students can comprehend is excellent. This goes for any other security-related policy or rule that may apply to students. Another great way of engaging people is to hold a security Q&A reception. This can be easily turned into an interactive quiz game, where a panel of students/teachers/employees does its best to answer security related questions. Gamification is also a trend in the awareness market. If properly used, it is an effect and fun way to make people aware of security.
Do not forget about the parents—Your awareness efforts should focus on your employees and students, but it is also very important to have the parents know about your organization’s initiatives and how they can also help. Make sure they understand the basics of cyberbullying prevention, the do’s and don’ts of internet monitoring, and any other security-related issue that arises in your environment.
Also, in some cases, parents might even be required to be aware that your school/district has an AUP by requiring them to sign and return the policy, stating that they have read it. This kind of effort, if done correctly, can land you another ally to ensure student cyber-safety.
Concluding Thoughts
Since the human factor is directly involved in most security issues, awareness will remain a key control in ensuring an acceptable level of protection. This is especially true for an education organization, since controls are not so strict, thus making them a valued target for cybercriminals. Both your staff and your students should be prepared to recognize, avoid, and report any situation that can affect the safety of their or the school’s information, but keep in mind that real change takes time to consolidate. Make your awareness efforts a continuous process and it will not be long before you can see good results.