According to Melissa Tebbenkamp, CTO of Raytown Quality Schools, the biggest cybersecurity risk a school system faces is “your staff and students.” And the most recent State of K-12 Cybersecurity Year in Review by the K-12 Cybersecurity Resource Center seems to agree with Tebbenkamp.
According to the data, nearly half of all cyber incidents involve unauthorized disclosure or breach – this includes:
- K-12 staff
- Unauthorized student access
- External threat actors
In 60 percent of these breaches, student data was involved, putting students at risk of identity theft, phishing attacks, and more for years to come.
Another third of events involved traditional phishing and ransomware attacks, which nearly always require the interaction of the user sitting at an endpoint. According to Tebbenkamp, it’s the staff that should be the greatest concern, saying, “our biggest risk is ourselves.” While much of the risk comes from unauthorized access or disclosure by students and vendors, Tebbenkamp says teachers are not vigilant when it comes to their interaction with email or the web. “It’s more about the [sic] clicking on that phishing e-mail and allowing access, or clicking on something that has malware attached to it.”
School districts need to elevate the culture of security within their faculty and staff. While teachers have enough on their plates, utilizing Security Awareness Training to teach them to scrutinize the From addresses in emails, to not open attachments without first knowing why they have received them, and to always lock or log out of their endpoint would likely address a material portion of the risk Tebbenkamp associates with staff.
With the biggest risk squarely put on the users of a K-12 network, it’s reasonable to take steps to mitigate the risk of incident – even if it means putting some of the burden on staff and students.