Special Report
Privacy & Security Opinion

Why K-12 Cybersecurity Is Only as Good as the Leadership at the Top

By Doug Levin — March 19, 2019 5 min read
BRIC ARCHIVE
  • Save to favorites
  • Print

Born in the 20th century, most superintendents and school board members are not experts in issues of technology, much less cybersecurity. As schools are growing increasingly reliant on 21st century technology for teaching, learning, and school operations, this lack of expertise has consequences and introduces new risks to school district operations.

Consider that of the 18 peer groups investigated by the Multi-State Information Sharing & Analysis Center in a recent review, local K-12 schools were reported to have the least mature cybersecurity risk-management practices of any state or local government agency. Similarly, a survey published last year by the National School Boards Association found that school officials are less prepared for cyberattacks than their peers in private sector companies.

As they juggle other critical priorities, superintendents and school board members may wonder what the scope of their responsibility should be in weighing cybersecurity risks and protecting against threats. After all, isn’t that the purpose of cybersecurity insurance and the role of district technology staff? Why would district leaders be expected to do more? In what ways could they do more?

The hard truth is that we won’t see fewer data breaches, fewer successful phishing attacks, and fewer ransomware incidents in schools until superintendents and school board members jointly embrace their cybersecurity governance responsibilities. Just as district leaders maintain the responsibility to manage risks to students’ physical safety and health in the context of natural and man-made incidents, they also need to take a lead role in ensuring that their school systems are appropriately managing the digital risks to school communities introduced by the embrace of technology. These include risks to the confidentiality of data collected by school districts and their vendors, risks to the integrity (i.e., the accuracy and completeness) of that data, and risks to the availability of IT systems and data integral to the day-to-day experiences of students, teachers, and administrators.

There are three primary ways that superintendents and school board members—working in partnership with district technology staff—need to exercise their cybersecurity governance responsibilities.

The hard truth is that we won’t see fewer data breaches, fewer successful phishing attacks, and fewer ransomware incidents in schools until superintendents and school board members jointly embrace their cybersecurity governance responsibilities.

The first is via their ability to set priorities for their school district. Every district needs to develop, formally adopt, and implement a plan to manage the cybersecurity threats and risks they are facing. Such a plan should identify the district’s critical IT and data assets, and detail how risks to those assets will be mitigated through policies, practices, and/or technology tools. It should explain for which risks insurance will be purchased, and—given that there are no 100 percent guarantees with cybersecurity—which risks will be accepted.

See Also

On-Demand Webinar: Attacking the K-12 Cybersecurity Challenge

K-12 districts face an array of threats from cyberattacks and security breaches. In this Education Week webinar, staff writer Benjamin Herold talks with guests about how district leaders can secure data and networks and insulate schools from bad actors.

Register now.

In addition, a district cybersecurity plan should include procedures and guidelines for how the district will respond to cybersecurity incidents experienced by the district (or its vendors) when they inevitably occur. This is a question of liability—districts have been sued for negligent cybersecurity practices in the wake of significant incidents—as well as legal compliance under evolving federal and state privacy, cybersecurity, and data-breach notification laws. Indeed, district leaders would do well to anticipate that when their district experiences a significant data breach or cybersecurity incident, school community members, government agencies and law enforcement, insurance providers, and the media all will come to them seeking public answers and accountability.

Superintendents and school board members also need to show leadership on cybersecurity through their authority over the budget process. As part of their fiduciary oversight of school districts, superintendents and board members should be able to crosswalk their cybersecurity risk-mitigation plans to budget expenditures and track that spending over time. That is not to suggest that there is a magic dollar figure or percentage of a school IT budget that should be spent on cybersecurity-related activities as evidence of good practice. But by working with district technology staff to make explicit budget assumptions and expenditures, district leaders can ensure and document that cybersecurity measures are being supported and are keeping pace with emerging threats and protections. In cases where spending does not match the need, budget transparency can help garner the data necessary to re-allocate or seek out additional funding.

District leaders would do well to anticipate that when their district experiences a significant data breach or cybersecurity incident, school community members, government agencies and law enforcement, insurance providers, and the media all will come to them seeking public answers and accountability.

Finally, superintendents and school board members need to put in place a process to assess the quality of their cybersecurity plans and spending at least once a year through clear organizational metrics. Such metrics should include—at a minimum—a reporting of the number, variety, and severity of cybersecurity incidents affecting or targeting the district and its vendors and partners, as well as one or more measures of the cybersecurity awareness of district staff. The process of determining and periodically tracking progress against a small set of meaningful metrics will go a long way toward moving cybersecurity risk management from district technology staff’s hands alone to weaving it throughout the culture of the district.

About This Report

This Education Week examination of K-12 cybersecurity is the second of three special reports focused on the needs of K-12 district technology leaders, including chief technology officers. Each report in the series features exclusive results of a new, nationally representative survey of CTOs, conducted by the Consortium for School Networking, an organization representing K-12 district technology officials.

District leaders are not only accountable to the public for managing cybersecurity threats; they are themselves disproportionately targeted by hackers. That means it’s critically important for superintendents and school board members to set a good example via participation in cybersecurity training and awareness events and strict adherence to district policies.

Schools’ reliance on technology for teaching, learning, and school operations will continue to grow. Every district needs to adopt a plan to manage cybersecurity risks, make sure they’re putting the money and resources into supporting that plan, and track the success of their strategy over time. District technology staff can’t do all of that work on their own. Superintendents and school board members should commit to creating a culture across their districts that anticipates cyber risks, rather than waiting to respond to attacks from malicious actors after the fact.

Events

Artificial Intelligence K-12 Essentials Forum Big AI Questions for Schools. How They Should Respond 
Join this free virtual event to unpack some of the big questions around the use of AI in K-12 education.
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
School & District Management Webinar
Harnessing AI to Address Chronic Absenteeism in Schools
Learn how AI can help your district improve student attendance and boost academic outcomes.
Content provided by Panorama Education
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Science Webinar
Spark Minds, Reignite Students & Teachers: STEM’s Role in Supporting Presence and Engagement
Is your district struggling with chronic absenteeism? Discover how STEM can reignite students' and teachers' passion for learning.
Content provided by Project Lead The Way

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

Privacy & Security What Teachers Need to Know About Changes to Instagram Teen Accounts
The adjustments come as Meta faces multiple lawsuits from states and school districts.
4 min read
Close up photo of Black teen looking at Instagram photos on her cellphone.
Anastasia_Prish/Getty
Privacy & Security Download A Tip Sheet to Help Teachers Prevent and Respond to Doxxing
Teachers can be a target for malicious actors. Use this tip sheet to prevent and respond to doxxing.
1 min read
Image of digital safety against doxxing and privacy invasion.
Laura Baker/Education Week via Canva
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Privacy & Security Quiz
Quiz Yourself: How Much Do You Know About Cybersecurity For Schools And Districts?
Answer 6 questions about actionable cybersecurity solutions.
Content provided by FlexPoint Education Cloud
Privacy & Security What Schools Need to Know About These Federal Data-Privacy Bills
Congress is considering at least three data-privacy bills that could have big implications for schools.
5 min read
Photo illustration of a key on a digital background of zeros and ones.
E+