San Francisco-based Clever on Thursday released its Cybersecure 2023 report, based on October 2022 surveys of an excess of 800 administrators and more than 3,000 teachers in the U.S. The respondents had differing views on a wide number of issues but the two sides are in agreement that schools need better training, technology and staffing to shore up cybersecurity efforts, according to Clever’s Thursday news release.
Dan Carroll co-founded Clever over a decade ago and serves as the company’s chief product officer. He said that ever since launching Clever, the one thing IT administrators say keeps them up at night is privacy and security. But in recent years, with an increase in ransomware and hackers — the recent Los Angeles Unified School District breach is a prime example of that — the concern for security is spreading beyond IT leaders, he said. That recognition, coupled with a report by the company last year showing that 90 percent of teachers continue to use digital tools post-pandemic in their classroom, led to the company conducting the survey.
“The fact that this is becoming really a whole ecosystemwide issue — you know, something that superintendents now would say is the thing that keeps them up at night — that led us to think to really dive in and get a broad perspective across the ecosystem and understand how people are thinking about these kinds of issues today,” Carroll told Government Technology.
The survey revealed that teachers and administrators don’t share the same sentiment on the likelihood of a cyber attack happening on their respective school grounds. Less than half the teachers surveyed said that a breach would be likely at their school while two-thirds of administrators felt it would be likely. Twenty-five percent of administrator respondents said their district had already been victim to some form of a hack, phishing scam, data breach or other cyber incident in the year leading up to the survey, it said.
When it comes to security, teachers and administrators equally (34 percent) felt that devices could be the greatest opportunity for hackers to come in and breach a system. But when the question shifted to the human risk of security, there was a lot of finger-pointing, Carroll said.
“When you ask teachers, 'Where's the biggest human risk?' they thought it was students, but if you asked administrators, they thought it was teachers,” Carroll said. “I think that's just a kind of a great example of, you know — we all see different people and kind of observe some unsafe password practices or unsafe tech practices.”
Two-thirds of teachers felt students are the source of human vulnerabilities regarding cybersecurity, whereas 19 percent of administrators felt that way, according to the report. Subsequently, 66 percent of administrators felt teachers are the vulnerable point, while 27 percent of teachers looked at themselves in the mirror as the problem. Hardly any concern was bestowed upon administrative staff.
Similar trends were revealed regarding human vulnerability about data privacy. But Carroll said the concern goes beyond any singular group.
"Administrators, teachers and students have all been kind of a vector that have been responsible for breaches in different places,” he said. “And that just points to having the need for a really truly comprehensive training and education program.”
Despite the concerns of a breach, 63 percent of administrators and more than half of teachers surveyed said they agree or strongly agree that their district has the resources to appropriately prepare for or handle digital security challenges, the report said. Having the resources is one part, putting them to good use is another.
“I don't think there's any one silver bullet. It's really three things that districts need,” Carroll said. “The first is they need great training because every single person who touches a computer in the district, every single person with a login, is a potential vector where an attacker could come in; second is we need to make sure that we have up-to-date operating systems and devices, great firewalls, security systems (and) identity management; and then finally, we do need more staff.
“We need to make sure we have an infrastructure that is up to date and modern and secure, and the staff to maintain it to apply the updates and apply the security updates and to implement all the tools correctly,” he said.
About a quarter of the teachers polled said they hadn’t received any training on privacy or security. Twelve percent of administrators said they hadn’t been trained either. When asked what would be helpful to improve digital security in their district, 34 percent of teachers said a dedicated staff and 31 percent said more or better training. Administrators mostly felt training would help (39 percent) with better tech solutions the next best option (24 percent), followed by a dedicated staff (19 percent). More or better technology was acknowledged by 18 percent of educator respondents as something that will improve security, it said.
To improve, districts likely will need to increase spending. About 77 percent of administrators said their spending will increase in the next few years, and 12 percent said it will do so significantly. More than half of administrators said that federal stimulus funding will help that effort, it said. Carroll advises to have rigorous training for everyone in the district, get up-to-date tools and hire skilled personnel who can create an automated system with multiple layers of defense.
That said, Carroll cautions that the cybersecurity-data privacy issue is a cat-and-mouse game that can’t be won with one solution. It’s a constant effort to be undertaken by teachers, administrators and staff that goes beyond procuring tools, implementing training and adding IT staffers.
“This is a continual investment. This is something that schools and districts need to invest in on an annual or on a recurring basis,” he said. “It's a cost of doing business anytime you have computers that are connected to the Internet these days.”