Cybersecurity Is Not Just an IT Thing

Educational organizations are tempting targets for cybercriminals. Successful scams can compromise sensitive data, steal funds from stretched budgets, and erode public trust. Promoting an all-hands-on-deck mentality is the best way to combat the growing threat, but that can be challenging.

After all, the science teacher’s job description probably doesn’t include installing firewalls, virtual private networks, or multifactor authentication systems. The same goes for the maintenance supervisor, groundskeeper, and even the principal. But strong cybersecurity programs are built on more than technical solutions best left to information technology (IT) professionals.

To keep criminals at bay, people have to embrace their role. When they do, the organization is on its way to building a culture of cybersecurity awareness. Here are seven tips to help you get there.

1. Get leadership buy-in

Cultivating a cybersecurity culture starts at the top. When board members, superintendents, chief financial officers, and principals make it a priority, employees are more likely to do the same. Investing the necessary funds is just part of the job. Leadership should help set goals, create and communicate policies, and follow the same security procedures they expect employees to follow.

2. Personalize cybersecurity

We live in a wired world. Most of us would no sooner leave the house without our cell phone than our wallet or purse. Remind employees that they are vulnerable to cybercrime in their personal lives, as well. They can use the best practices they learn at work to protect themselves on and off the clock.

3. Use plain language 

Did you know cloud security has nothing to do with the weather? Would your employees recognize the red flags for vishing, smishing, pharming, and scareware? Sometimes, it seems like IT professionals speak their own language. To create a culture of cybersecurity awareness, you have to use plain language. If you do, the threat actors (crooks) targeting your organization won’t stand a chance against your highly informed VAPs (very attacked people)!

4. Start on day one

The best time to start instilling cybersecurity as a value is the first day an employee walks through the door. During new-employee orientation, introduce the organization’s cybersecurity policies and procedures. Stress the importance of creating strong passwords, keeping them private, using screen savers when computers are unattended, and avoiding public Wi-Fi. Orientation is also a good time to cover cybersecurity training employees are expected to participate in.

5. Train year-round

Cybercrimes constantly evolve, and employees need to stay one step ahead. Training resonates best as a year-round, relevant initiative delivered in bite-sized pieces. For example, take a few minutes during the purchasing department staff meeting to share tips on recognizing and responding to suspicious vendor payment requests. To keep the conversation going, deliver nuggets of educational content through employee newsletters, the intranet, and internal social networks such as Yammer.

Remember that training your employees is not only a best practice; it's also the law, as described in this TASB eSourcre document: School Cybersecurity: Texas Requirements (pdf).

6. Make it fun

Some employees respond well to policy manuals, PowerPoint presentations, and classroom sessions. Others want training to be fun. Meet them where they are by gamifying cybersecurity. The concept is similar to reward systems offered by credit card companies. Employees earn points for practicing good cybersecurity habits. Along the way, they are rewarded with free lunches, certificates, time off, and other perks. You could even organize theme-based challenges to keep employees engaged.

7. Celebrate success

If you want to encourage employees to embrace best practices, you have to celebrate success, even the small victories. Let’s say the IT department tries to trick employees into sharing their network passwords. If 30 percent take the bait, down from 50 percent last year, employees need to hear about it. They also need to hear about the single employee who reports a suspicious email to the chief information security officer without opening it.

Editor's note: This article was originally published in September 2019 and has been updated for accuracy and comprehensiveness.