Educational organizations are easy, lucrative targets for cybercriminals. Successful scams can compromise sensitive data, steal funds from stretched budgets, and erode public trust. Promoting an all-hands-on-deck mentality is the best way to combat the growing threat, but that can be challenging.
After all, the science teacher’s job description probably doesn’t include installing firewalls, virtual private networks, or multifactor authentication systems. The same goes for the maintenance supervisor, groundskeeper, and even the principal. But strong cybersecurity programs are built on more than technical solutions best left to information technology (IT) professionals.
To keep criminals at bay, people have to embrace their role. When they do, the organization is on its way to building a culture of cybersecurity awareness. Here are seven tips to help you get there.
1. Get leadership buy-in
Cultivating a cybersecurity culture starts at the top. When board members, superintendents, chief financial officers, and principals make it a priority, employees are more likely to do the same. Investing the necessary funds is just part of the job. Leadership should help set goals, create and communicate policies, and follow the same security procedures they expect employees to follow.
2. Personalize cybersecurity
We live in a wired world. Most of us would no sooner leave the house without our cell phone than our wallet or purse. Remind employees that they are vulnerable to cybercrime in their personal lives, as well. They can use the best practices they learn at work to protect themselves on and off the clock.
3. Use plain language
Did you know cloud security has nothing to do with the weather? Would your employees recognize the red flags for vishing, smishing, pharming, and scareware? Sometimes, it seems like IT professionals speak their own language. To create a culture of cybersecurity awareness, you have to use plain language. If you do, the threat actors (crooks) targeting your organization won’t stand a chance against your highly informed VAPs (very attacked people)!
4. Start on day one
The best time to start instilling cybersecurity as a value is the first day an employee walks through the door. During new-employee orientation, introduce the organization’s cybersecurity policies and procedures. Stress the importance of creating strong passwords, keeping them private, using screen savers when computers are unattended, and avoiding public Wi-Fi. Orientation is also a good time to cover cybersecurity training employees are expected to participate in.
5. Train year-round
Cybercrimes constantly evolve, and employees need to stay one step ahead. Training resonates best as a year-round, relevant initiative delivered in bite-sized pieces. For example, take a few minutes during the purchasing department staff meeting to share tips on recognizing and responding to suspicious vendor payment requests. To keep the conversation going, deliver nuggets of educational content through employee newsletters, the intranet, and internal social networks such as Yammer.
Remember that training your employees is not only a best practice; it is also the law. House Bill 3834 requires annual cybersecurity training for elected officials and school district employees.
6. Make it fun
Some employees respond well to policy manuals, PowerPoint presentations, and classroom sessions. Others want training to be fun. Meet them where they are by gamifying cybersecurity. The concept is similar to reward systems offered by credit card companies. Employees earn points for practicing good cybersecurity habits. Along the way, they are rewarded with free lunches, certificates, time off, and other perks. You could even organize theme-based challenges to keep employees engaged.
7. Celebrate success
Two recent cyberattacks against a California school district left staff without access to vital data, networks, and educational platforms. The district estimates it will spend $1 million recovering. High-profile incidents like this will make headlines, but small victories also deserve to be recognized. Let’s say the IT department tries to trick employees into sharing their network passwords. If 30 percent take the bait, down from 50 percent last year, employees need to hear about it. They also need to hear about the single employee who reports a suspicious email to the chief information security officer without opening it.
Expert Help from the Fund
The Fund provides cybersecurity and data privacy coverage, guidance, and resources to members of the Property and Liability programs. To report a Privacy & Information Security claim, call the Fund at 855.295.8344. For more information about cybersecurity or to request guidance on this topic, contact TASB Privacy and Cyber Risk Consultant Lucas Anderson at firstname.lastname@example.org or 512.505.2893.
Editor's note: This article was originally published in September 2019 and has been updated for accuracy and comprehensiveness.