COVID-19 Increased Security Gaps in K-12 Schools. Here’s How to Fix Them.

Pre-COVID, when schools were functioning “normally,” K-12 information security proficiency varied greatly from district to district. Larger school districts tended to employ dedicated cybersecurity professionals, while some smaller districts relied on teachers to be their makeshift IT teams. True, security gaps existed before the pandemic.

Now, millions of kids receive their education through distance learning, and new security complications have emerged across all districts.

Challenges Posed by COVID-19 and the Security Gaps They Have Created

Physical boundaries have disappeared. When kids and teachers were in a single location, or limited number of locations, physical boundaries were easily defined, and defenses were straight-forward. Most districts and schools had simple and effective controls like firewalls or virtual private networks (VPNs) to protect network ingress/egress points.

COVID-19 changed everything related to physical boundaries. eLearning creates a vast number of networks. The security of every home network, the security of every device connected to every home network, and the security of every person using every device connected to every home network must be accounted for in an effecting K-12 cybersecurity strategy.

Cybersecurity expertise is lacking. If you were under the impression that K-12 technology, cybersecurity expertise were lacking before COVID-19, imagine things now. Security gaps are increasing substantially. Parents suddenly find themselves in the unfamiliar role of IT helpdesk, network administrator, and cybersecurity expert all-in-one. Unfortunately, they lack the experience and knowledge to succeed in this new role.

Even if parents are well-equipped, they struggle to meet the challenges of the role while at the same time trying perform at work. Most parents are happy if the technology works, let alone if it’s secure. Taking extra steps for security means more demands on their time and energy, both of which are already stretched terribly thin.

Mental distraction creates a perfect storm. Finally, the psychological toll that COVID-19 is taking on students, parents, teachers and administrators cannot be ignored. Students face difficult learning challenges when they lose the face-to-face interaction they were used to. Couple this with the fact that parents are burdened under the weight of virus fears, economic instability, politics, and/or social unrest in the world. How can they be expected to prioritize cybersecurity when their own lives and situations feel anything but secure?

Unfortunately, the attackers know all this too. If parents and kids are distracted, they’re more likely to become prey. Attackers increase the frequency and relevancy of their attacks at the same time parents and kids are paying less attention. It’s a perfect storm.

Challenges Bring Information Security Opportunities

There’s a common denominator in all three challenges: people. If people secured home networks better and shored up security gaps, physical boundaries would be less of an issue. If people had better cybersecurity skills, they’d be able to secure their systems better. If people possessed good cybersecurity habits, distractions wouldn’t be nearly as impactful.

There isn’t a better way to reach people than through K-12 school districts embedded in their communities.

A few points we can agree on:

#1 – People are motivated by what they care about the most: themselves and their loved ones.
#2 – People are creatures of habit.
#3 – Cybersecurity is a life skill, a skill all people need to manage activities and challenges of everyday life.

We must motivate people to develop good cybersecurity habits as a life skill.

So, let’s break it down.

Motivate – Find what motivates parents and students, then stay focused on it. Protecting someone else’s stuff or the school district is not nearly as strong a motivator as protecting yourself and your children’s safety.
Habits – Habits are behaviors that are repeated regularly and tend to occur subconsciously; reducing the impact of distraction.

Life Skill – Drive home that cybersecurity is a life skill for everyone, it’s NOT an IT skill reserved for geeks.

The key is finding motivators, using them consistently to form habits, and destroying misconceptions along the way.

Empower Your Remote Team (Parents)

Here are a few ideas to increase the community’s knowledge, and ensure we’re individually and collectively less vulnerable:

Trainings & Workshops – Start at the very beginning. Offer a mix of basic workshops, recorded tutorials and live informational sessions to educate students and parents about risk factors, protecting home networks, using multi-factor authentication, and security dangers in common apps (TikTok, Tellonym, SnapChat, MeetMe, etc.). Invite parents to a cybersecurity Q&A via a virtual happy hour or share a short video explaining something in an entertaining manner.

Earlier this month, @Athens_ISD went through a harrowing experience. Hackers targeted their servers with #ransomware. The board voted to pay – but their IT team found an unaffected backup before the deal went through. #cybersecurity #edtech #education https://t.co/HOe28UcRVy

— eLearningInside (@elearninginside) August 17, 2020

Manuals & Resources – Create simple cybersecurity manuals for parents to read at their pace, on their time. Include an FAQs section for quick reference. Consider launching a simple online forum where parents can ask other parents for help.

Fun Competitions – Use games, jigsaw puzzles, and digital scavenger hunts to incentivize students in demonstrating what they’ve learned; recognizing achievements.

Linked as a Community

Communities of people move together. In addition to educating students and their families about cybersecurity, it’s important to emphasize the community perspective.

Here are a few things to try:

Ensure parents are aware that they don’t live on an information security island. What they do (or don’t do) can impact their neighbors.

Share relevant news, stories, and educational articles about security threats, locally and globally.

Use the student body to test the community’s security knowledge. Encourage them to think of ideas for quizzes or contests for their peers. Task each grade level with researching and presenting about a certain aspect of information security. Making kids part of the process will foster deeper understanding and appreciation for the seriousness of cybersecurity.

There’s no doubt, COVID-19 has made K-12 districts more vulnerable. Focus on education and community empowerment, and we’ll all be poised to overcome weaknesses and emerge stronger – together.

Evan Francen is the CEO of SecurityStudio, which exists to fix information security industry problems through simplification. His thirty-plus years of information security experience includes extensive work on high profile breaches (Target, Blue Cross Blue Shield, etc.), building enterprise information security programs for fortune 500 organizations, author of the book UNSECURITY, and much more. He is the chief designer of the S2Score®, the information security language spoken by more than 2,500 companies in the United States, and S2Me™, the personal information security risk assessment used by thousands, among others.

Featured Image: Adi Goldstein, Unsplash.