Information security can be intimidating, even for the most technically skilled professional. School administrators and teachers, who have had to shift all learning online in the wake of COVID-19, are especially overwhelmed at having to teach while trying to protect students online.
To keep intimidation at bay, remember that information security is really about identifying and assessing risk, not eliminating it. We can’t get rid of cyber risk but we are all skilled at making risk-based decisions in our lives every single day. We put on our seat belts to limit injury should we get into a car accident. We have smoke detectors in our homes to give us an early warning should fire threaten our families.
Teachers and administrators who want to help protect students can take a big step forward by educating themselves, students and parents about applying this same preventative mindset to our online activities. Let’s look at five ways to improve internet safety for students and educators.
Know Your Personal Risk
Before you can protect yourself, you have to know your level of risk. Companies perform risk assessments to unearth their corporate vulnerabilities, so why should individuals not do the same? At the very least, get curious about how to protect yourself.
Ask questions – and encourage your students to do the same – about what you don’t know but need to. Ask your district for support in identifying how to help students stay safe from cyber crime.
One way to definitively know your risk is to take a personal risk assessment. Tools like S2Me are free and give you a baseline score to gauge your cyber risk know-how, as well as a roadmap for improving your security posture.
Understand – And Avoid – Scams
It’s stunning how much cyber crime is related to simple scams. Phishing – where bad guys try to get unsuspecting people to click on a malicious link or give up important information like passwords, addresses, bank account numbers, student identification numbers, etc. – was the leading cause of data breaches in 2019 and shows no signs of slowing down. Phishing emails can be very realistic and extremely topical, making it hard to recognize them.
Teachers, administrators and students all need to embrace the phrase, “trust but verify.” This means that when they are asked for personally identifiable information (PII) or to click on a link, even by an authority figure like a teacher or superintendent, they should confirm the person asking is really making the request. Again – these are very realistic scams that don’t necessarily relate to school. An email offering two free months of Netflix Premium might just be a bad link that puts malicious software on your computer.
When was the last time you updated your Wi-Fi router at home? Odds are that you either didn’t know you could or are woefully overdue in doing so. That means you could have a vulnerability on the very device that lets you teach remotely.
It’s critical that we learn to protect our devices, which means updating and patching them when we need to. In particular, we want to focus on our Wi-Fi router and our smartphones and tablets. A few tips:
- Wi-Fi Router: When you install the router, change the password immediately and be certain to update the device regularly. Make sure to set up guest networks that people entering your home can use, to minimize threats they could bring to your network, and don’t forget to enable parental controls that help you protect the children in your home.
- Smartphones/Tablets: Never leave your device unprotected; use a PIN or a password to access it and consider using both. Be mindful about what you’re installing on the device – if it feels strange or is too good to be true, pass on hitting install. Phishing happens on phones and tablets, too, so, again, verify links before clicking on them. And parental controls exist on these devices for a reason – use them.
You don’t have to be a cyber-security guru to teach yourself, your team and your students some basic practices that make a big difference in protecting everyone. A quadruple security check is as simple as a quick checklist:
- Check the link – look to see if the link matches what you expect
- Check the sender – is that email coming from the person you think it should be?
- Check the request – what’s being asked of you? If it deals with money, accounts or PII, consider it a red flag
- Verify – hop on a video chat, send a separate email or text, make a phone call or meet face-to-face (with proper social distancing in place) to verify what’s being asked of you if it seems phishy.
The 2019 – 2020 school year may be complete, but we don’t yet know if online learning is on the docket for the 2020 – 2021 schedule. Even if we are back in classrooms in what has been our traditional routine, it’s important for our school districts to help drive home the message that information security is a personal responsibility. We have to look out for ourselves, as well as our school community, and the tactics spelled out above are smart and practical during COVID-19 and long after.
Ryan Cloutier, CISSP, is the principal security consultant at SecurityStudio, which works to fix information security industry problems through simplification. A passionate cybersecurity thought leader, Ryan is an advisor on the Consortium for School Networking (CoSN) Cyber Security Advisory Panel and can be reached at [email protected].