Navigating cybersecurity and establishing best practices presents one of the greatest administrative challenges for an increasingly digital K-12 environment. Schools and districts are favored targets for hackers because of the treasure trove of personal data they hold on both students and employees, and ransomware in particular has become a popular method of attack.
Having embraced digital platforms several years earlier than most of their K-12 peers, colleges and universities are all too familiar with these threats and tend to have a more robust framework for preventing and addressing them. For more insight, we asked four higher education IT administrators what advice they'd give schools and districts.
Raechelle Clemmons - Associate VP for Technology and CIO, Texas Woman’s University
I think we all know that people are our biggest asset, and one of our largest security threats. Double down on user education and awareness — there's no such thing as too much. Also, we need to consider our role in not only securing our systems and educating our employees, but also in educating our students.
We may not focus on this as much as we should or would like, because students don't have significant access to systems and data, so they pose less of a risk to the institution. But educating this next generation will serve us in the long run, advance the mission of the organization, and help to fill an important gap in students' education.
Melissa Woo - Senior VP for IT and CIO, Stony Brook University
I think the most important lesson is that awareness and training are key to reducing cybersecurity risk. We can spend millions of dollars on technological tools to protect data assets, but an individual's behavior can nullify those investments.
It would be great if students could obtain an education in safe computing behaviors before they get to college. Given the popularity of social networks, etc., it's important that safe computing principles be learned at an early age.
Shana Bumpas - Director of Information Security, University of Richmond
That’s a great question and difficult to boil down to just one thing. Cybersecurity is about reasonable policies and good behavior in order to be effective. Colleges and universities that have suffered a data breach have realized that the amount of effort and money spent to remediate a breach was far more than the effort or money it would have cost to prevent it.
Most security incidents are a result of poor human behavior and are usually unintentional, such as falling for a phishing email. I believe one lesson schools/districts should learn from higher ed is the need to engage all employees in cybersecurity awareness and encourage good cyber hygiene so that it is almost second nature — similar to looking both ways before crossing the street.
Leadership must take the lead in driving the culture toward embracing better cybersecurity habits, because attackers have learned that it’s easier to hack the user than hack the system. Shoring up human cyber defenses is just as important as the investment in technical security controls.
Thomas Skill - Associate Provost and CIO, University of Dayton
In thinking about the K-12 challenges regarding cybersecurity, we did a small study last spring that explored how the different generations encounter cybersecurity awareness and practices. A key group that we analyzed was Generation Z — all the kids now in high school who will soon be entering college and the broader workforce. Our study applied our Cyber-Mindfulness model to our analysis of the various generations, from Baby Boomers & Gen-X to Millennials and Gen-Z. Using both our original data and existing data sources, we were able to craft descriptive profiles of the generational differences with regard to cybersecurity attitudes and behaviors.
While this study is broader than just K-12, it is really interesting to see the differences in generations, and how these Gen-Z students are going to bring a very disruptive set of expectations and new behaviors to both college and career!
In terms of the Gen-Z engagement with technology and cybersecurity, this is a generation that views their technology as totally and almost exclusively mobile! Their personally owned smartphone reflects their "always connected" lifestyle. They expect to use these devices for personal and work activities — and they strongly believe that their personally owned and self-managed device allows them to be substantially more productive than any technology provided by their school or employer.
So, this Gen-Z "BYOD" world will be very disruptive to traditional cybersecurity models and practices. A critical finding is that traditional "rules-based" security practices that use the typical lecture-based training are not only ineffective, but are viewed very negatively by the Gen-Z population — they interpret these approaches as similar to the "parental lecture" and hate it! The more effective way to engage Gen-Z'ers in good cybersecurity behaviors is to ground them in a values-based approach. For example, educational outreach on cybersecurity should emphasize values such as "shared responsibility in protecting our community" (thereby engaging in thoughtful actions when entering personal data in a website).
As we explored the attitudes and behaviors of millennials and Gen-Z, we applied our cyber-mindfulness model in terms of the three core elements — awareness, agency and action. The agency role truly emerged as critical to sustainable good practices because it addresses the need for users to feel a sense of ownership for cybersecurity. Addressing this gap is a challenge with all generations — however, in building agency with Gen-Z, it is very important to drive that training around the concept of shared values and community engagement. With many of the other generations, pushing compliance to rules can be reasonably effective. Gen-Z does not accept rules very easily.