5 Cybersecurity Tips For Schools From CISA’s Deputy Assistant Director

Cybersecurity attacks on schools across the U.S. are increasing in frequency. 

“They are a target-rich but resource-poor environment that really houses incredibly sensitive information about some of our most vulnerable populations,” says Trent Frazier, Deputy Assistant Director of the Cybersecurity and Infrastructure Security Agency (CISA), a component of the U.S. Department of Homeland Security.

When these attacks succeed and student data is compromised, the data can be held for ransom. It is also doubly valuable to cybercriminals because students generally have pristine credit records and are not worried about identity theft.

Cybersecurity is now the No. 1 concern among school leaders. The good news, Frazier says, is that simple and inexpensive steps can have a huge positive impact on cybersecurity. He offers the following cybersecurity tips.

1. Don’t Get Overwhelmed  

When they hear about the rising number of cyber attacks, those untrained in cybersecurity can get the mistaken sense that there’s nothing to be done.

“They view this as an almost insurmountable challenge, that to take on cybersecurity means getting a second degree and becoming a cybersecurity professional,” Frazier says.

In reality, the most effective forms of cyber protection are generally simple, common-sense cybersecurity best practices with which most of us are already familiar. He notes that while more complex attacks do occur, the majority are still simple efforts that involve basic tasks, such as cracking a weak password.

By removing the low-hanging fruit in cybersecurity systems, schools can really beef up their protections. “If we're taking steps to address those things, we're making it harder for our adversaries and forcing them to go to the much more challenging, and frankly much more expensive, types of attacks across all of our infrastructure communities,” he says.  

2. Do The Little Things 

Keeping with the idea that small steps can have a big impact on cybersecurity, Frazier points to Secure Our World, a recent PSA developed by CISA aimed at schools and other organizations that offers four easy-to-implement tips:

  • Recognize and report phishing
  • Use strong passwords
  • Turn on multifactor authentication
  • Update software

3. Utilize CISA Resources  

District technology leaders should be aware that there are many CISA resources for schools.

“We have regional staff throughout the country that can assist you in assessing vulnerabilities within your system,” Frazier says.

These staff members can help school leaders prioritize and plan how to best invest in and build more robust cybersecurity systems. “We've developed what we call our Cybersecurity Performance Goals, which is really a tool that's essential in helping to prioritize where you want to make investments, and then ultimately start to make those investments, and grow over time,” Frazier says.

Additionally, CISA has its Cybersecurity for K-12 Education resource, which offers a variety of tips for schools. “Applying those two resources and engaging with our folks is going to be a really important tool to help you identify what the long-term sustainable approach to the program that you need to design ultimately will look like,” Frazier says.

4. Consider Adding a Full-Time Cybersecurity Resource 

A recent CoSN report found that 66% of K-12 districts do not have a full-time cybersecurity resource.

Adding this type of full-time staff member is a step districts should consider, but it’s not always about hiring someone new. Often, existing IT staff members can be trained in the fundamentals of good cybersecurity.

“Once you do that, those individuals can oftentimes make a lot of progress in helping you build the basics of your cybersecurity program,” Frazier says. “Once you've reached a certain posture, then it becomes meaningful to start to look for the more highly credentialed cybersecurity professionals who are going to be able to implement even more advanced mitigation measures within your program.”

But, once again, schools don't have to undertake this process alone. “I highly encourage both schools and school districts to think about where they can partner with local government and state government agencies who may be able to also provide them with capabilities,” Frazier says.

5. Cybersecurity Is A Team Sport

Frazier says it's also important for school leaders to realize cybersecurity is everyone’s responsibility, and that includes students, staff, teachers, and parents.

“Oftentimes someone will say, ‘Well, that's the IT Department's problem,’ or, ‘That's the state's problem or the Federal Government's problem,’ or, ‘It's the service provider's problem.’ It's really critical that schools understand cybersecurity is entirely a team sport,” Frazier says. “No one is capable of adequately defending [alone] from all of the various threats that we see today. It has to be integrated and we all have our part to play.”

Erik Ofgang

Erik Ofgang is a Tech & Learning contributor. A journalist, author and educator, his work has appeared in The New York Times, the Washington Post, the Smithsonian, The Atlantic, and Associated Press. He currently teaches at Western Connecticut State University’s MFA program. While a staff writer at Connecticut Magazine he won a Society of Professional Journalism Award for his education reporting. He is interested in how humans learn and how technology can make that more effective.