Empowering Your School Against Cyberattacks


Gary Henderson explores how school business leaders can play a pivotal role in educating staff to protect themselves and their schools by fostering a strong cybersecurity culture and implementing effective training strategies.

Educating Staff to Avoid Cyberattacks

In today’s digital age, schools are increasingly reliant on technology for administration, teaching, and communication. This reliance, however, comes with the risk of cyberattacks that can compromise sensitive data and disrupt the operation of schools. One look at the news shows schools, hospitals, council offices and companies all suffering from cyber incidents. While robust technological safeguards are essential, they are not enough. The human element remains the most vulnerable link in the security chain. Therefore, it is crucial for school business leaders to educate staff about the importance of cybersecurity and the measures they can take to protect themselves and the school’s data.

Understanding the Risks

A key first step in educating staff is developing an awareness of the risks which exist. I note these risks are not limited to the school but are also relevant to individuals’ personal lives, whether they be students, staff, parents or members of the wider school community. The fact that cybersecurity awareness goes beyond the walls of the school and can affect staff’s personal lives can be a useful tool in encouraging engagement with any awareness training.

Cyberattacks can take many forms, including phishing, malware, ransomware, and data breaches. Phishing attacks, where malicious actors deceive individuals into providing sensitive information, are particularly common. However, criminals are constantly developing their attacks and the approaches they use, so awareness training also needs to evolve constantly. It can therefore be useful to use news reports of recent attacks on other organisations, including schools, or to use examples from your own school where phishing emails have been received. There is also valuable guidance and resources tailored for schools from organisations such as the National Cyber Security Centre (NCSC) which could be used. It is all about making it real for staff, so they understand this is a real and ongoing risk that all need to be aware of.

A Cybersecurity Culture

The ultimate aim of cybersecurity awareness training is to develop a culture of cybersecurity. Cyber-secure and safe working practices need to be “the way we do things around here”. SBLs and other school leaders should lead by example, demonstrating best practices and emphasising the importance of vigilance. Cybersecurity needs to become something which is discussed at all levels of the school. It is about all staff being vigilant to the unusual or the out of the ordinary, and about being more cautious and less trusting, of emails in particular.

Practical Training and Awareness

So, what are the practical things which should be included in awareness training?

  1. Recognising Phishing Attempts: Teach staff how to identify phishing emails. Look for signs such as incorrect email addresses, generic greetings, spelling and grammar mistakes, and suspicious links or attachments. Encourage staff to hover over links to see the actual URL before clicking.
  2. Strong Password Practices: Emphasise the importance of strong, unique passwords for different accounts. The NCSC’s “three random words” guidance is useful here, and it is also advisable to encourage the use of password managers to store and generate secure passwords.
  3. Multi-Factor Authentication (MFA): Encourage the use of MFA wherever possible. This adds an extra layer of security by requiring a second form of verification, such as a text message code or authentication app, in addition to the password.
  4. Reporting Suspicious Activity: Establish a clear protocol for reporting suspicious emails or activities. Ensure that staff know whom to contact and understand that prompt reporting can prevent potential breaches.
  5. Regular Software Updates: Stress the importance of keeping all software and devices up to date. Updates often include patches for security vulnerabilities that could be exploited by attackers.

Delivering Awareness Training

If you are creating a culture of cybersecurity, then the relevant training needs to be shared throughout the year rather than just once a year on an inset. This means that ideally there should be regular updates, such as in briefings or bulletins, in newsletters and in meetings, as well as the usual annual training. It is about making sure that cybersecurity is part of the regular discourse of the school, a bit like safeguarding.

In an era where cyber threats are increasingly sophisticated and prevalent, educating school staff about cybersecurity is not optional but essential. School business leaders play a pivotal role in this education process. By fostering a culture of cybersecurity, providing practical training, and engaging the entire school community, SBLs can significantly reduce the risk of cyberattacks and ensure a safe digital environment for both staff and students.

Remember, your school’s cybersecurity is only as strong as its weakest link. Through continuous education and awareness, we can turn each staff member into an active part of a school’s defence.

 
