Digital devices are everywhere in schools these days. They are used to complete assignments, conduct research, play educational games, and generally enhance teaching and learning. In an increasing number of schools, every student has access to at least one digital device during the school day. Oftentimes, they can take those devices home after school. That proliferation of school-issued devices can open schools up to all kinds of cybersecurity problems.
Education Week asked K-12 technology leaders in districts with 1-to-1 computing environments to offer tips on minimizing those cybersecurity risks. Here鈥檚 what they suggested:
1. Invest in the right products.
It鈥檚 impossible to protect school districts from the wide range of security threats without outside help鈥攂ut not all available products are created equal.
Anti-virus and endpoint security are two basic products that help improve cybersecurity. Chris Sette, the IT manager for the Meriden public schools in Connecticut, recommends splurging for a product that utilizes machine learning that 鈥渁ctually analyzes what鈥檚 happening on the machine and makes a determination that there is something out of the ordinary.鈥 Sette鈥檚 team checks outputs from those tools every day.
Tools that offer transparency for parents as well are especially worthwhile, according to Bryan Weinert, who runs the 1-to-1 program at Leyden High School District 212 in Illinois.
The district uses Securely to offer parents a portal they can access to see their children鈥檚 activity outside the school day. The tool also offers the option to allow parents to see students鈥 activity during the school day, but the district opted out of that feature. 鈥淚f a parent is concerned about what they鈥檙e using Chromebook at home for, now we鈥檝e provided parents a way to look as well,鈥 Weinert said.
2. Make hackers work for it.
Maintaining strong lines of communication between teachers and parents is important鈥攂ut there are ways to accomplish that goal without putting cybersecurity at risk. Last summer, the Meriden district鈥檚 tech team scoured district and school websites, as well as other sites hosted by the district, to remove all email addresses for staff members and replace them with contact forms.
Weinert鈥檚 district has installed content filters that allow his team to monitor all activity on the devices students receive through the 1-to-1 program. Parents and students have been informed that they should have no expectation of privacy on those devices, he said.
鈥淲e鈥檙e not actively monitoring鈥攖hat would be multiple people鈥檚 full-time jobs,鈥 Weinert said. 鈥淚f there鈥檚 ever anything that does come up, our deans, disciplinarians, principals have the ability to go in and look at what鈥檚 going on.鈥
3. Communicate constantly with teachers and set them up for success.
Sette鈥檚 team emails teachers any time there鈥檚 a chance they鈥檙e receiving a spam message cleverly disguised to look legitimate.
Melissa Tebbenkamp, the director of instructional technology for Raytown Quality schools in Missouri, says a high priority in her district is ensuring that teachers鈥 and students鈥 devices don鈥檛 have administrative privileges unlocked. 鈥淭here鈥檚 not a single user in my district, not a single technician, not myself, not my superintendent, not my students that are local machine administrators. Their accounts don鈥檛 have permission to install programs.鈥 [The district has one special account that has the power to make those changes.]
Why not? Many cyberattacks require some sort of download or the ability to edit the device鈥檚 internal registry. 鈥淚f the user account that it鈥檚 executing under doesn鈥檛 have the permissions to do that, then that virus or that malware or that trojan can鈥檛 go anywhere,鈥 she said.
4. Start teaching cyber hygiene in kindergarten.
Meriden students start getting lessons on online safety, and warnings about indiscriminately sharing information in kindergarten. Those lessons continue throughout elementary and middle school, so that by the time they reach 6th grade and are taking devices home, 鈥渨e have created a culture of internet safety,鈥 Barbara Haeffner, the director of teaching and innovation for the Meriden public schools in Connecticut, said.
5. Never assume that what you鈥檙e doing is enough.
Districts that stop at simply installing a firewall aren鈥檛 likely to see all their problems solved. 鈥淗aving a broken lock on a door is really not gonna help you that much,鈥 said Sette.
District leaders emphasized consulting state laws around data privacy. In Connecticut, for example, each school district is required to get a data-privacy agreement from a vendor partner, whether it鈥檚 paying for the vendor鈥檚 product or getting it for free. The district has procedures in place for teachers asking students to sign up for accounts or interface with products that fall under the law, Haeffner said.