10+ Best Practices for Seamless Data Protection and Cybersecurity in your school
The Internet offers numerous opportunities to enhance learning processes and improve communication between teachers, students, and parents, but it also has its dangers. With Data Protection Day (Jan. 28) and Safer Internet Day (Feb. 6) approaching, it is an excellent time to reflect on the risks of your school’s online activities and discover some tips and best practices to improve data protection in your school.
In this blog post, we will cover as many aspects as possible related to the broad topic of online safety in schools, including 10+ best cybersecurity practices for schools and teachers. For ready-to-use lesson materials to educate students on cybersecurity, read the second part of this blog post series here.
You can read this blog post from top to bottom or jump straight to the section that interests you most:
- Why are schools prime targets for cybercriminals?
- What kind of threats are schools facing?
- 10+ Best Practices for Seamless Data Protection and Cybersecurity in your school
Why are schools prime targets for cybercriminals?
You might occasionally hear about cyber-attacks or hacking in companies, hospitals, or government institutions. While it may not get as much media attention, schools are also prime targets for cybercriminals seeking sensitive information. Here are the 5 prime reasons cybercriminals are attacking schools:
1. Rich Source of Personal Information
Educational institutions store vast amounts of sensitive and personal information, including student records, contact details, medical records, and financial information. This data is valuable on the dark web, making schools appealing targets for identity theft or selling personal information.
2. Limited IT Resources
Many schools may lack the financial resources to invest in robust cybersecurity measures. Limited budgets often translate to outdated software, insufficient training, and inadequate infrastructure, making them susceptible to cyber-attacks.
3. Inexperienced Users
Schools typically have a diverse user base, including teachers, administrative staff, students, and parents. This diversity can lead to varying levels of cybersecurity awareness and digital literacy. Cybercriminals often exploit this by targeting individuals less experienced in recognizing and thwarting cyberthreats.
4. Inadequate Security Measures
Educational institutions may not have comprehensive cybersecurity policies or may lack the implementation of best practices. This could include weak password policies, inadequate network security, and a lack of regular software updates—all of which create vulnerabilities that cybercriminals can exploit.
5. Delayed Detection
Schools may not have advanced monitoring and detection systems, making it challenging to promptly identify and respond to cyberthreats. Delayed detection allows cybercriminals to operate within a network for extended periods, potentially causing more damage.
What kind of online threats are schools facing?
Understanding the landscape of online threats is the first step toward building a robust cybersecurity strategy. Here are some of the common online threats that schools may encounter:
1. Phishing Attacks
Cybercriminals often use phishing emails or messages to trick school staff, students, or parents into revealing sensitive information such as login credentials, financial details, or personal information. These deceptive messages may appear to be from a trusted source, leading unsuspecting individuals to click on malicious links or provide sensitive information.
2. Ransomware Attacks
Ransomware attacks involve malicious software that encrypts a school’s files or systems, rendering them inaccessible. Cybercriminals then demand a ransom in exchange for decrypting the data. This type of attack can have severe consequences for schools, as it can lead to the loss of critical data.
3. Distributed Denial of Service (DDoS) Attacks
DDoS attacks involve overwhelming a school’s online infrastructure with a flood of traffic, rendering websites and online platforms inaccessible. These attacks can disrupt online learning platforms, communication systems, and other digital services, causing significant disruptions to educational activities. DDoS attacks can come from students who want to take down the school’s network, e.g., on the day of an exam. They do not need extensive IT knowledge to do this; there are websites that allow them to set up such a DDoS attack fairly easily.
4. Insecure digital learning tools
The widespread adoption of digital learning tools has introduced new challenges. Teachers are not always aware of what data these tools store and what external parties they may be shared with.
5. Internal hacking
In a school context, it is not unusual that some students will attempt to break into a staff member’s account to access exam questions, grade books, student records, and more. Students may also try to break into each other’s accounts, or sometimes they forget to log out on a shared device or simply pass on each other’s passwords without thinking about the possible consequences.
6. A lack of awareness among teachers
Teachers often have a hundred things on their minds, and students’ learning and well-being are their priorities. As a result, topics like cybersecurity sometimes subconsciously shift to the background. Some examples of everyday things teachers don’t do optimally when it comes to cybersecurity include:
- Using unsafe passwords;
- Using the same password on different websites;
- Typing a password while projecting the screen for the students (at the risk of typing the password in the wrong place, making it visible);
- Leaving the classroom unattended without locking the computer;
- Sending school-related information with their personal email (or vice versa);
- Saving files on USB flash drives, which are sometimes lying around in a classroom;
- Posting students’ photos or information on social media (with or without their permission).
The purpose of the above list is not to point fingers at teachers. I was a teacher myself and was undoubtedly guilty of certain things in the above list. With this list, I want to show how easy it can be to unintentionally disregard online protection and compromise student privacy. These are small actions that can have big consequences.
7. A lack of awareness among students
Students frequently expose themselves to cybersecurity threats. Given their young age, they sometimes lack judgment and are especially vulnerable. Students often overlook the fact that personal data shared on social media is virtually permanent. Everything posted online becomes part of an enduring digital footprint, potentially affecting their future. Compounding the issue is the “consequence gap,” where students may not fully grasp the long-term impact of their online actions.
The risks associated with sexting, the sharing of explicit content, and doxing, the intentional exposure of personal information, are often underestimated. Many students engage in these behaviors without fully grasping the potential consequences. Sexting not only poses immediate risks but leaves a lasting digital trail that can impact academic and professional prospects. Simultaneously, doxing can lead to severe consequences such as identity theft or stalking.
10+ Best Practices for Seamless Data Protection and Cybersecurity in your school
Your school’s measures regarding student data protection are a shared responsibility. As a teacher, you can get started with some of these cybersecurity tips immediately, while others may need to be implemented at the school or district level. Do not hesitate to have a dialogue with your superiors if you feel your school can do more regarding online safety.
To keep everything clear and enable getting started right away, we have created a checklist with all these tips:
1. Make cybersecurity a part of the school culture
A cybersecurity policy can be a good start, but educators and students must also realize why data protection is so important. If not, there is a chance that they will feel this is just another set of rules imposed on them, and the motivation to respect them will be limited. As a school, you can impose all sorts of measures, such as secure passwords and Two-Factor Authentication (more on that later), but if teachers sometimes leave the classroom unattended while still logged in, those measures have little effect.
That’s why our number one tip is also the most important: data protection and online safety should become part of the school culture. We realize that this process takes time, but by consistently maintaining high awareness of these issues, your school will succeed in the long run.
How do you make cybersecurity part of the school culture? The tips below will certainly help you.
2. Implement robust access controls
Implementing robust access controls is crucial for ensuring the security of sensitive data within school systems. This involves defining and regulating user access to information, applications, and network resources. By assigning specific permissions based on roles and responsibilities, schools can prevent unauthorized individuals from accessing confidential data.
Keep in mind that the online platforms you use as a school will contain more and more information over time, and the needs and roles within your school may evolve. Therefore, a colleague needing access to certain information does not necessarily need access to historical data in this domain. And that colleague’s role may have evolved six months from now, at which point he no longer needs access to this information.
So regularly analyze who has access to what data and make adjustments as needed.
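One way to run such a periodic access review, as an added example that is not part of the original post. The role names, resources and grant records are constructed, and the 180-day idle threshold is an assumption based on the six-month horizon mentioned above.

```python
from datetime import date

# Constructed policy: which resources each current role is entitled to.
ROLE_ENTITLEMENTS = {
    "teacher": {"gradebook", "lesson_plans"},
    "counselor": {"student_care_files", "gradebook"},
    "it_admin": {"gradebook", "lesson_plans", "student_care_files", "user_directory"},
}

# Constructed export of access grants, e.g. from a learning platform's admin panel.
GRANTS = [
    {"user": "a.janssen", "role": "teacher", "resource": "gradebook",
     "last_used": date(2024, 1, 10)},
    {"user": "a.janssen", "role": "teacher", "resource": "student_care_files",
     "last_used": date(2023, 3, 2)},
    {"user": "b.peeters", "role": "counselor", "resource": "student_care_files",
     "last_used": date(2023, 5, 20)},
    {"user": "c.maes", "role": "former_staff", "resource": "gradebook",
     "last_used": date(2023, 6, 30)},
]


def review_grants(grants, entitlements, today, max_idle_days=180):
    """Return (user, resource, reason) for each grant to re-approve or revoke."""
    findings = []
    for g in grants:
        allowed = entitlements.get(g["role"])
        if allowed is None:
            # Role is not in the policy: the person left or the role was never defined.
            findings.append((g["user"], g["resource"], "role has no entitlements"))
        elif g["resource"] not in allowed:
            # Access kept from an earlier role or granted ad hoc.
            findings.append((g["user"], g["resource"], "not needed for current role"))
        elif (today - g["last_used"]).days > max_idle_days:
            # Entitled, but unused for so long that the need should be confirmed.
            findings.append((g["user"], g["resource"],
                             f"unused for more than {max_idle_days} days"))
    return findings


if __name__ == "__main__":
    for user, resource, reason in review_grants(GRANTS, ROLE_ENTITLEMENTS,
                                                date(2024, 1, 28)):
        print(f"{user:12} {resource:20} {reason}")
```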
3. Provide cybersecurity training for teachers and students
Providing comprehensive professional development sessions on cybersecurity for teachers and students is pivotal in building a robust defense mechanism.
For educators, offering specialized cybersecurity workshops equips them with the knowledge to effectively recognize and thwart cyberthreats. Covering topics such as identifying phishing attempts, securing personal devices, and understanding the importance of strong passwords can empower teachers to create a secure online environment for their students.
Simultaneously, instilling cybersecurity awareness for students is essential for fostering a culture of digital responsibility. Conducting age-appropriate cybersecurity workshops helps students recognize potential risks, promoting safe online behaviors from an early age. Interactive sessions on online etiquette, social media safety, and the consequences of cyberbullying contribute to a well-rounded cybersecurity education.
4. Use strong passwords, or “passphrases”
The lists of most commonly used passwords discovered in various data breaches include passwords such as “123456,” “qwerty,” “abc123” and “password.” Hopefully, most of your colleagues and students have slightly more secure passwords. However, be aware that the passwords people choose spontaneously are usually not very secure.
Here’s a fun activity to raise awareness about how easy it is to figure out easy passwords. Instruct your colleagues or students to try to hack the passwords in this game:
Many websites require users to create complex passwords, with conditions such as a minimum number of characters and special characters the password must contain. Some websites go so far in this that it hurts ease of use. The following game is a fun activity about this struggle we sometimes experience. You can use it as a lesson starter to introduce secure passwords, and then discuss with students which of these elements they do or do not find useful in a password.
Even more dangerous is the fact that Internet users often use the same passwords for different accounts. This is because everyone has so many online accounts these days that it is impossible to remember all those unique passwords. The big danger in this is that if the password of one of those sites is leaked, hackers can also access the accounts on other sites with the same password.
One solution may be to use passphrases instead of passwords. The advantage of a passphrase is that it naturally contains more characters than a password. The more characters, the harder to hack. In this, the number of characters is more important than the number of special characters. Moreover, passphrases are easier to remember than passwords, so you can avoid using the same password on every website.
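The length-versus-special-characters point above, worked through as an added example that is not part of the original post. The word list, the 60-bit threshold and all function names are assumptions made for illustration; the example also goes one step further than the text by generating a random passphrase.

```python
import math
import secrets
import string

# Common passwords quoted above; a real check would load a full breached-password list.
COMMON_PASSWORDS = {"123456", "qwerty", "abc123", "password"}

# Constructed 16-word list to keep the example short; real lists hold thousands of words.
WORDS = ["apple", "bridge", "candle", "dolphin", "engine", "forest", "guitar", "harbor",
         "island", "jacket", "kettle", "lantern", "meadow", "needle", "orange", "pencil"]

# Character classes of printable ASCII; other characters are ignored in this simple model.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits,
           string.punctuation + " "]


def charset_size(password):
    """Alphabet an attacker must cover, judged by the character classes used."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def brute_force_bits(password):
    """Upper bound on guessing effort: length * log2(alphabet size).
    Dictionary and pattern attacks do better, so treat this as a ceiling."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def random_passphrase_bits(n_words, wordlist_size):
    """Entropy of n words drawn uniformly at random from a list of the given size."""
    return n_words * math.log2(wordlist_size)


def generate_passphrase(n_words=5, words=WORDS, sep="-"):
    """Pick words with the OS CSPRNG (secrets), not the predictable random module."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def assess(password, min_bits=60):
    """Reject known-common passwords first, then apply the length-based estimate."""
    if password.lower() in COMMON_PASSWORDS:
        return "reject: on common-password list"
    bits = brute_force_bits(password)
    return f"ok ({bits:.0f} bits)" if bits >= min_bits else f"weak ({bits:.0f} bits)"


if __name__ == "__main__":
    for candidate in ["Password", "P@ss1!", "meadow-lantern-orange-kettle"]:
        print(f"{candidate!r:32} {assess(candidate)}")
    print("5 random words from a 7776-word list:",
          f"{random_passphrase_bits(5, 7776):.1f} bits")
    print("generated:", generate_passphrase())
```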
5. Use a password manager
Imagine you have a highly secured vault that contains the passwords to all your accounts. Because the vault is so highly secured, you only need to know the password of the vault itself. This makes choosing unique, strong passwords for all your different online accounts much more effortless. And it doesn’t stop there: you no longer need to invent strong, unique passwords, because the vault will do that for you. Plus, it warns you when you have passwords that are too simple or may have been breached… wouldn’t that be easy?
Good news: such vaults exist! They are online password managers. Well-known password managers are 1Password, Dashlane, and Bitwarden. Most password managers are not free, but consider what a possible data breach would cost you… not to mention the extra ease of use. Most password managers have browser extensions that allow you to log in to all your accounts quickly.
6. Enable Two-Factor Authentication (2FA)
Suppose your house is secured with two locks. A burglar who manages to steal one key still won’t be able to open your door. Similarly, you can add an extra layer of security beyond your password to most online accounts. This is the principle of two-factor authentication (2FA).
No matter how strong your password is, it can always be hacked. But if you have an extra element of security in place, hackers won’t have access to your personal data, even if they know your password.
Forms of 2FA are:
- A code that you receive by SMS;
- Authenticator apps such as Google Authenticator, Microsoft Authenticator, Authy, Duo, and more;
- A small physical device, such as the Yubikey;
- Your fingerprint (if you have a device that can read it).
At first, activating 2FA might feel like an extra step, but you quickly get used to it and ensure that your accounts are exceptionally well secured.
7. Conduct regular cyberattack drills
Schools regularly conduct fire drills. Why not set up a cyberattack drill? For example, the IT admin could disable the online accounts of several dozen teachers and students to see how they react. Spoiler: usually, a very small number of the “victims” have the reflex to contact the IT admin quickly.
Like a fire drill, analyze what went well and what could have been better without blaming anyone. The goal is to learn from this, to increase awareness about online threats in your school, and to be prepared for a real hack.
8. Conduct phishing simulations
Phishing is a type of cyber attack in which attackers use deceptive emails, messages, or websites to trick individuals into divulging sensitive information, such as passwords or financial details.
Phishing emails can be hard to distinguish from legitimate emails since they simulate the layout of emails from banks, government agencies, or service providers. Furthermore, they often use email addresses that seem legitimate at first glance.
Just like the concept of the cyberattack drill mentioned above, it may be interesting to occasionally send a fake phishing message to teachers or students and keep track of how many people click on the link in the email. Again, the intention is not to blame the “victims”, but to increase awareness.
9. Promote safe online behavior among students
Nowadays, the school plays a crucial role in imparting essential lessons on cyber hygiene to protect students from potential online threats. Incorporating comprehensive programs that instill the importance of responsible digital citizenship is key.
In an era dominated by social media, it’s imperative to educate students on the potential risks associated with social media. Emphasize the significance of privacy settings, the importance of sharing information judiciously, and the potential consequences of online interactions. Consider organizing workshops or inviting experts to discuss cyberbullying, online harassment, and the long-term impact of digital footprints.
Implementing these measures not only enhances students’ digital literacy, but also contributes to a safer online environment within educational institutions. Schools that prioritize these initiatives not only protect their students, but also foster a culture of responsible digital citizenship, equipping the next generation with the skills needed to navigate the online world securely.
10. Back up data regularly
Instituting a robust backup strategy is akin to creating a digital safety net, shielding schools from data loss due to cyberthreats or unforeseen events. Administrators should schedule routine backups of critical files, ensuring that valuable educational resources and sensitive information are safeguarded.
Implementing automated backup solutions can streamline this process, reducing the risk of human error. Additionally, cloud-based backup services offer a secure and accessible storage option. By prioritizing regular data backups, schools fortify their resilience against potential cyber incidents.
11. Select online tools with care
If you’re teaching within the European Union, ensure that all the online tools you use with your students are GDPR compliant. This means, among other things, that personal data is stored on servers within the EU, that no more data is collected than necessary, and that the data is only processed for the purpose it was intended for.
12. Establish Incident Response Plans
School administrators should collaborate with IT professionals to develop a comprehensive incident response plan that outlines steps to be taken in the event of a security breach. This plan should encompass detection, containment, eradication, recovery, and lessons learned. Regular drills and simulations will ensure that staff is well-versed in executing the plan effectively.
By prioritizing incident response preparedness, schools not only enhance their resilience, but also send a strong message about their commitment to the digital safety of students and staff. Incorporating these plans into the overall cybersecurity strategy establishes a proactive defense against potential threats.
13. Use our ready-made lesson ideas to create awareness about cybersecurity in schools
We’ve created 15+ ready-made cybersecurity lesson ideas; you’ll find them in this blog post. You can use these, for example, when you organise a project week about digital citizenship or online safety. Or you can simply implement them in your computer science lessons, or in any other courses because online security is a cross-curricular topic.
I realize that cybersecurity in schools may not be a sexy topic, but I hope that I have been able to demonstrate its importance in this blog post. I am also convinced that with small interventions you can greatly improve online security in your school, without having to compromise much on ease of use. Rather, it is a mindset switch that is necessary to make cybersecurity part of your school culture.
I like to compare cybersecurity in schools to how we handle our banking information: we find it perfectly normal to choose a secure PIN, use Multi-Factor Authentication, and be vigilant about the websites we use for online purchases. When we suspect possible fraud, we report to our bank and ask them to block our credit card. As a teacher, you should have the same attitude toward data security because you don’t want your data and your students’ data to end up in the hands of people who shouldn’t have access to it, with potentially harmful consequences such as bullying or identity fraud. Nor do you want others to access your personal data, such as exam questions and grade books.
For ready-made lesson ideas on cybersecurity allowing you to incorporate the topic of online security into your lessons, check this blog post.
What did you learn from this blog post? Do you have some other cybersecurity tips for teachers? Let us know via X (Twitter) @ibookwidgets or in our Facebook group. Or discuss this topic with me on LinkedIn.