We used to believe that schools were immune to the cyberattacks that plagued the rest of the world because our missions was honorable and our resources were seen as less valuable. I think we can all agree those days are behind us. Schools worldwide are equally as vulnerable to online attacks and being targeted just as much as other industries.

In my work, cybersecurity has become one of the largest areas of concern and risk for schools worldwide. Schools are reliant on technology for academics and operations yet tend to be under prepared for cybersecurity. This often manifests in under informed staffs, insufficient funding, inadequate security, and lack of imperative amongst school leadership.

That is until an incident occurs. Once a school experiences a cyberattack they are often quick to action. Security is tightened, time is freed up for IT staff to address the crisis, consultants are hired, equipment is purchased, reports are written, and training is given. The money, time, and stress allocated is often far more than if the school had a more robust plan in place.

So, why don’t school focus on preventative cybersecurity? This is because schools view cybersecurity like flossing. A daily flossing routine will ensure healthy teeth and gums, which sound very important from a logical perspective, but doesn’t offer much observable impact in the near term. Many people take healthy teeth for granted and don’t want to be bothered maintaining them without an immediate benefit or consequence. However, when that first cavity springs up, those same people feel quite strongly that they should have been flossing the whole time.

And just like flossing, cybersecurity can be tedious. A good cybersecurity program will include penetration testing of the physical and logical security of the network, backup and recovery systems, data protection procedures, policies for access and security, regularly informed leadership, and, most importantly, training for all users. Since the benefits to teaching and learning of cybersecurity are so indirect, it can become quite difficult to maintain interest and compliance in cybersecurity from users at the school.

Non-compliance from users is actually the largest issue in the cybersecurity challenge for schools. Research has shown that users, typically employees or students with network access, provide the largest security hole for schools. This comes in the form of unsafe devices, weak passwords, and lack of knowledge about what should and should not be clicked. Cybersecurity experts will tell you that their best efforts are only as good as a mobile phone in the hands of their most dangerous employee.

As an example, I worked with a school that had two significant cybersecurity issues in the span of one week. The first came when a teacher left his computer open in a classroom. The teacher had not changed his password from the default password given him and a student accessed an exams repository. The second came when an office employee with access to vital parts of the network clicked on a link that downloaded ransomware that locked out the entire file system.

These incidents are illustrations that people are at the heart of cybersecurity.

Of course, we can view this from deficit approach by saying that people are not taking up their flossing responsibilities to follow strong cybersecurity practices. That is true and should be viewed as the primary area of focus for cybersecurity enhancement. Teachers, staff, students, and parents should learn about best practices for protecting their devices and their data. They should be taught how to spot phishing, use strong passwords, and how to avoid viruses and malware. They should know what can happen when a breech occurs.

And it is this last piece where we can flip the script from a lack of interest or negativity to one of affective impact and personal responsibility. Again, we must focus on the people aspect of cybersecurity.

To begin, let’s think about what happens when a cyberattack occurs. Hackers and crackers gain access to a school’s network, devices, and data. They can cause damage or steal information for their own purposes. On the surface this sounds bad, but not catastrophic. Yet it can be catastrophic for people in the school.

Let’s reframe this to impact on a student. What happens if her device and the school network are damaged at a time when she need access to learning materials to study for an IB exam? What happens if a student needs to contact a counsellor about a bullying issue, but the communications system has been hacked? What happens if a student’s data, including personally identifiable information and medical history, are used by crackers for extortion purposes?

Cyberattacks don’t simply affect systems; they affect the most important people in our school communities. By framing our cybersecurity in the light of protecting children the way we would from child abuse or other maleficence, users will take on their responsibilities more seriously. They will view changing passwords and closing computers the same way parents look at putting away knifes in the kitchen.

The best approach to closing “the people gap” and improving best practices is to begin with the people that will be protected and then moving on to the hows, whens, and wheres of cybersafety. This will develop a culture of cybersecurity amongst all stakeholders that goes beyond compliance to stewardship and responsibility for others.

Now, getting them also to floss, well that’s a different challenge.