Thinking Beyond the Firewalls to Improve Cybersecurity in K–12

Keeping K–12 school networks safe requires the right set of technology tools. However, it takes a lot more than tools to achieve a gold-standard level of cybersecurity. In light of the vulnerabilities that K–12 schools face today, seasoned technology leaders at an ISTELive 2024 session in Denver said that to keep student data safe, their counterparts across the country will need to think beyond the firewalls.

Panelists at the CDW-hosted session shared three nontechnology tools that can make school networks more secure.

Unfortunately, some schools ignore cybersecurity until they have a breach, and then they immediately start purchasing technologies galore. This is exactly the wrong move to make, panelists said. Instead, they recommended IT leaders first get a baseline understanding of their school’s cybersecurity risks. 

“An assessment is probably the most impactful thing that we can do,” shared Frankie Jackson, a retired school IT leader and a senior cybersecurity adviser.

Jackson said schools seeking guidance can start with the National Institute of Standards and Technology’s Cybersecurity Framework 2.0 or the Cybersecurity Rubric, which is geared toward K–12 schools. She noted that several organizations use these tools to assess a school’s cybersecurity maturity level.

“Seek best practices and find benchmarks,” she said. If your district is falling below recommended standards, she advised, these tools give schools a starting point for improvement and a better understanding of their risks.

While schools can use these frameworks to do their own internal assessments, panelists said regularly getting an outside perspective on a district’s security baseline can also be a powerful tool in communicating with administrators about the seriousness of their security vulnerabilities.

“Unfortunately, sometimes technology recommendations that come from the outside, saying the same exact thing that you’ve been saying to your administrators, hold more value,” said Tom Ashley, a CDW education strategist and former technology leader. “So, make sure you’re networking appropriately and finding a trusted partner to implement any changes.”

“Most IT leaders think having all these security tools in place, such as firewalls and your endpoint protection, means their job is done,” said Kevin Ghantous, CEO at ed tech nonprofit Learn21. “But the reality is that your biggest vulnerability is the people in your building.” 

He pointed to a recent Verizon report that found 68% of cyber breaches globally are caused not by technology vulnerabilities but by human action.

“It’s important to make sure that you’re educating your teachers, principals and even students about cybersecurity best practices,” Ghantous continued. “They need to understand that their actions can help open up the doors to bad actors who can impact your on-premises and even your cloud infrastructure.”

Ashley explained that means technology leaders will need to become strong communicators. “Communication is one of the most important things that an IT leader can do in education,” he said. “It goes a long way to improving the cybersecurity culture at school.”

He also encouraged IT leaders to refrain from using a lot of technical jargon when discussing cybersecurity with a lay audience. Instead, he recommended that IT leaders get to know their audience “and check for comprehension when speaking with them.”

School technology departments are notorious for being siloed. However, in a world where digital transformation is constant, panelists said remaining siloed only harms cybersecurity efforts in the long run.

“We just can't afford to remain siloed,” said David Jarboe, director of instructional technology at Harrison School District 2 in Colorado. “We know technology is accelerating for good and for bad. We need to protect our students.”

Jarboe added that some IT team members might at times feel disconnected from the community they serve because they are not in classrooms on a daily basis.

“However, I encourage you to get out and visit your classrooms and see how kids are interacting with technology,” he said. “This is what I mean when I think about going beyond the firewalls, as it reminds us that our students need us.”

Carolyn Glaser, general manager of IT services at Thames Valley District School Board in Canada, agreed.

“It takes a community,” she said. “We all have to come together. The more we can do as a community will help to drive that pendulum on cybersecurity, and that goes a long way.”