Antivirus software, firewalls and other solutions are a necessity for any organisation operating in the digital age, and your school likely already has a range of measures in place to protect your systems.
However, even top-of-the-line security systems aren’t a foolproof way to protect your school – not when research shows that 85% of data breaches can be traced back to ‘human error’.
Often called the ‘weakest link’ in an organisation’s cyber security efforts, well-meaning, uninformed, or distracted humans can pose one of the greatest threats to your security; but this doesn’t have to be the case.
Rather than thinking of your community as a ‘weak link’, consider that they’re actually one of the most important lines of defence between your school and any number of cyber threats, alongside your dedicated security systems.
Arming your staff, students and parents with the skills and knowledge to detect and avoid cyber threats can greatly reduce security risks to your school – and can help them keep their personal information safe online as well.
So, where do you start improving cyber security in your community?
Know where you stand
Before launching into anything, you need to evaluate where your school is in its cyber-security journey. If you haven’t recently undertaken some form of evaluation, doing one is a great way to identify potential gaps in your security efforts, so that you know what risks and education opportunities should be addressed first.
There are a number of different frameworks available to measure an organisation’s cyber security maturity level. For some common starting points, you could consider:
- The ‘Essential Eight’ model developed by the Australian Government
- This benchmark developed by cyber security research and training firm SANS
In either of these models, and many of the others available online, there’s specific guidance for how to develop from one stage to the next. A lower maturity level typically indicates a higher vulnerability to common incidents, with a higher maturity level requiring attackers to use more sophisticated tools or techniques to gain access to systems or data.
For this reason, the steps for earlier stages are crucial in defending against the most common attacks, so don’t try to skip ahead. Any further stages will build on the knowledge and awareness required for early stages, and none of the recommendations will be instant fixes – time and effort will be needed for any changes to school culture around cyber security.
Once you’ve measured your school’s security maturity level, you’ll have a better idea of what risks to target first, and be able to better tailor your efforts to the current level of knowledge across your community.
Find a Champion
Now that you know what you’ll want to address first, it’s time to look at who will be leading this charge. As we’ve spoken about before, getting the right person to influence change in your school can make a huge difference.
With a single person leading cyber security awareness initiatives, you reduce the risk of missed messages and make it easier for people with questions to know who to talk to.
This doesn’t have to be an expert – it can be anyone at your school who’s interested in learning more about security and is willing to spread awareness.
As it’s common for people to think of cyber security as purely a technical issue, there is an advantage to having someone outside of the IT department champion the importance of security, and help make people aware that everyone has a part to play, not just the IT team.
Have a Report Process
There’s a very common but often overlooked side effect of conducting security training or improving awareness – the rush of ‘confessions’ and reports that come through all at once.
Before you launch any education efforts, it’s important to nail down a process for how people can report an incident, ask questions, or even just flag something they’ve noticed. If you already have a process in place, make sure it will be able to handle a potential onslaught of new reports.
If you don’t make it clear how to report these issues or ask questions, IT teams can end up trying to manage a slew of random phone calls, or get bombarded with questions over lunch, which makes it easy for reports or issues to get lost or forgotten.
Support tickets are a common way to manage this if your school already has a solution for that in place, but make sure you consider how easy it is for each member of your community to engage with this – will students and parents submit tickets the same way, and who is responsible for responding if a parent reports a concern?
Keep in mind that students may be reluctant to report issues if they think they’ll get in trouble for something that they’ve ‘stumbled upon’ accidentally. You may want to make it clear in your messaging for students that if they can find a weak point, so could a potential hacker – so IT staff will be grateful to learn about the issue regardless.
Make it Engaging
It’s no secret that security can be a bit of a dry topic, and many people are not going to be particularly excited to learn more about it. On top of this, teachers especially receive dozens of emails a day – so to stand out, your security awareness activities will have to be as interesting as possible.
Finding ways to make it enjoyable – or at least more fun or engaging – is the key to getting people to actually absorb the information you’re giving them.
People tend to think of cyber security as a very abstract concept, so visualisations are important to help people understand key concepts. Offering multiple ways for people to learn will also better cover the wide spectrum of technological skills/experiences at your school.
Whilst the way this is done will depend on the unique environment at your school, we’ve outlined a few ideas for this below:
Communication and resources should focus on making concepts easy to understand, rather than an exhaustive deep dive into complex cyber security terms and practices.
Multi-Factor Authentication (MFA), for instance, is a common security measure that staff and parents are likely already using for some services – but they may not be familiar with the actual term. Whilst saying ‘MFA’ might garner a blank stare, explaining that this is when they use a password and an SMS code to log into their bank account will make a lot more sense to someone that’s not as comfortable with technical lingo.
Explaining these concepts in simple terms can help to combat the idea of cyber security as a mammoth, complex concept that only IT people need to worry about or understand.
Another way to engage staff, in particular, is to share real-life examples of things like phishing emails that your team have intercepted or reported. This can help them understand that anyone can be a potential target, by connecting the threat to someone they know, rather than thinking of the abstract ‘hacker’ concept.
For a simple way to keep security in focus, posters can be highly effective.
As with games and quizzes, there are plenty of pre-made posters and resources available, such as this… eye-catching design from cyber security company SANS.
To encourage further engagement, you could run a competition for poster designs on various cyber security concepts, and have the winners displayed across the school.
It’s also possible to incorporate interactive elements like QR codes, to quickly report an incident or get more information on a topic.
Posters are most effective in places where people tend to stand or gather, for instance, near offices or in parent pickup areas, rather than in hallways or thoroughfares where people don’t have time to stop.
There’s been significant research into gamification strategies in the classroom, but studies have also shown that the practice can have success outside the classroom too, in workplaces with a range of ages or demographics.
Quizzes are one form of this that offer a great way to drive engagement from your community, with the same study noting that
“When learners receive content on a daily or weekly basis and are quizzed on that content with some additional game elements, the effect is long-term retention and knowledge application.” (CLO Media, 2014)
Whether it’s through your existing platforms, like Google Classroom, Canvas or Microsoft Teams, or via a dedicated quiz platform like Kahoot!, there are a number of ways this can be implemented depending on the topics your school needs to cover.
For some starting points, check out the resources below:
- For staff: These quizzes from the US Government’s Federal Trade Commission cover a range of key cyber security topics.
- For parents: This beginner-friendly quiz from the Australian Cyber Security Centre helps evaluate everyday cyber secure skills, and offers tips to improve.
- For younger students: Google offers a free program for teaching digital safety fundamentals called ‘Be Internet Awesome’. The initiative includes lesson plans and take-home resources, plus an interactive adventure game that teaches key fundamentals of online security.
- For older students: ‘The Lost Summer’ is a video game with an accompanying teacher guide and lesson plans, developed by the Australian eSafety Commissioner. It is split into standalone chapters that cover topics from cyberbullying to critical thinking; the third chapter, ‘Shockwave’, focuses on cyber security and reducing online risks.
Keep the Momentum Going
Once you’ve started, it’s important to keep security front of mind for everyone going forward. The only way to make cultural change is to continue with consistent messaging and activities, so plan ahead for what your school could do on a regular basis.
Monthly emails or other regular communication can keep cyber security front of mind, without distracting too much from day-to-day work.
Consistency is important here – align your messaging with wider security awareness activities and try to send them from the same individual, to make it easier for people to search their inboxes. A consistent subject line format can help with this too, such as “Cyber Security: (Specific topic)” to help people refer back to any resources they’ve been sent.
If your school has a newsletter, consider adding tips or other discussion around the importance of cyber security in a dedicated column. This will help keep the topic front of mind for parents, and potentially start conversations between students and parents, to reinforce cyber security topics at home.
Finally, the Australian Government distributes a range of useful resources that your school could utilise for ongoing security awareness, by:
- Encouraging members of your community to sign up for the free cyber security alert service available from the Australian Cyber Security Centre.
- Sharing content from the ‘Act Now, Stay Secure’ campaign, through email or your school’s social media platforms.
- Encouraging anyone who thinks they may have been a victim of a cybercrime to access support – “Have You Been Hacked?” provides tailored tips and resources for various cyber incidents.
- Incorporating content from the eSafety Commissioner, which develops a wide range of classroom resources, games and quizzes for students at every age level.