LIVE@CoSN2024: Exclusive Coverage

Cyber hygiene training for students, teachers and staff will help IT teams keep the bad actors out

Reading, writing, and cybersecurity: Practicing good cyber hygiene

Cyber hygiene training for students, teachers and staff will help IT teams keep the bad actors out

Key points:

The school bell is about to ring in another academic year, and as children pull out their lunchboxes and teachers decorate their rooms, schools continue to face an onslaught of cyberthreats while also grappling with perpetually insufficient budgets, legacy IT, and under-staffing concerns.

The increased level of connectivity in today’s schools means richer opportunities for learning and community, but it also puts at further risk the financial data, personally identifiable information (PII) and other sensitive information that educational institutions hold.

K-12 schools received a cyber maturity score of 3.55 out of 7 from the Nationwide Cybersecurity Review (NCSR) risk-based assessment, despite the fact that many school districts are trying to strengthen their cybersecurity posture. And according to 29 percent of K–12 participants in that report, a cyber incident occurred in their district in the previous year. Malware and ransomware were two of the most prevalent occurrences. According to the report, ransomware attacks pose the greatest cybersecurity risk to K–12 schools and districts in terms of overall cost and downtime.

The good news is that the federal government is taking this seriously. In early August, the Biden Administration announced a new plan focused on strengthening cybersecurity in K-12 schools. While the elements of this plan are rolled out, school IT teams and leaders can also start to take action in another area: cyber hygiene for students. It’s never too early to start teaching children basic cyber literacy.

New rules are part of the solution

The Biden Administration’s new proposal comes on the heels of a report from the Cybersecurity & Infrastructure Security Agency (CISA), Protecting Our Future: Partnering to Safeguard K-12 Organizations from Cybersecurity, which offers guidelines for schools to help bolster defenses. 

Guidelines include investing in the most impactful security measures and building toward a mature cybersecurity plan, recognizing and actively overcoming resource constraints, and focusing on collaboration and information sharing. CISA will continue to engage with federal partners, including the U.S. Department of Education, and work closely with state and local officials, school leaders, emergency management officials, nonprofits, community leaders, and the private sector to identify areas for progress and provide meaningful support that measurably reduces risk.

Other elements of the administration’s new plan include a proposed pilot program that will provide up to $200 million over three years to strengthen security in schools and libraries with the help of federal agencies, and establishing a new council to coordinate between federal, state and local leaders to help bolster cyber defenses in schools. It also calls for new resources for reporting and enlists the help of private companies to provide free and low-cost resources for school districts, including training.

It’s great to have support at this level, but it will take some time for these plans to roll out to schools. In the meantime, district leaders and IT teams can start implementing good cyber hygiene practices right away.

Fostering good cyber hygiene for teachers and students

People don’t have to be tech geniuses to practice good cyber hygiene. Teachers and even the youngest students can be taught some basic cyber hygiene practices. For instance, a very common-sense practice is to not share passwords or any kind of PII with strangers online. Teachers and students must learn what suspicious links look like and learn not to click them, or to open unexpected attachments or download anything on their computers without approval. When students are online in the classroom, teachers can ensure that they use only approved websites and applications and get approval for certain activities.

When it’s age-appropriate, children can learn how important strong passwords are and how to create them. Best practices include:

  • Create longer passwords that are personally meaningful but that don’t contain any PII. An example would be a line from an obscure song with numbers and symbols mixed in to create a password that’s at least 10 characters long. These are much harder, if not impossible, for attackers to guess.
  • Use a unique password for each account.
  • For all your online accounts, create one-of-a-kind, long and difficult passwords using a password manager.

Obviously, younger children, like those in kindergarten through third grade, aren’t going to be creating or using strong passwords. Educators at that level will need to be creative in how they help students at that age protect their work, but certainly by middle and high school, this will be a key part of learning.

Pre-teens and teenagers can learn to understand how to securely navigate social media.  For example, it’s wise to not use social media accounts to log in to certain kinds of platforms, because those platforms then have instant access to whatever PII is available in those accounts. If there’s no other way to connect to that platform, students can create dummy accounts to use only for this purpose.

Students also need to be cautious about instant messaging services due to social engineering risks. The rule about never giving out PII applies here, especially financial information. And QR codes, though convenient, can send students to a site with malicious files waiting to be downloaded.

And for teachers and staff, from the White House to the private sector, organizations are already offering cybersecurity training for K–12 school districts. Such programs provide academics and employees with the most recent information, advice, and suggestions to help them make better decisions when faced with cyberattacks and other dangers to the school. These free training programs are already being used by many districts.

Knowledge is power–and stronger security

As long as there are school IT teams working with few human and financial resources, there will be cyber adversaries trying to take advantage and break into school networks. This requires a two-pronged approach: technology and training. Because students have network access, they need to learn how to use it safely and responsibly–IT does not bear the sole responsibility for cybersecurity.

Individual cyber hygiene plays a huge role in helping to defend the network. Training for students, teachers, and staff will help IT teams keep the bad actors out and will ultimately help create a cyber-savvier generation.

4 back-to-school cybersecurity tips
Education suffers the highest rate of ransomware attacks

Sign up for our K-12 newsletter

Newsletter: Innovations in K12 Education
By submitting your information, you agree to our Terms & Conditions and Privacy Policy.

Want to share a great resource? Let us know at

eSchool News uses cookies to improve your experience. Visit our Privacy Policy for more information.