Cybersecurity is at the forefront of IT issues to be addressed over the next year. Nearly every list of major IT or educational technology issues for 2023 includes the need to further harden educational systems and infrastructure.
More than 20 educational organizations–including AASA, the American Association of School Administrators (the primary superintendents’ association)–have asked the Federal Communications Commission (FCC) to expand E-rate to cover advanced firewall technology to support protection from denial of service (DOS), improve virtual private network (VLN) access, and similar upgrades. The FCC is currently soliciting public input on the potential change here until February 13, 2023.
It is easy to understand the need for increased cybersecurity safeguards. In the first half of 2022, at least 34 major cyberattacks were made against schools. Cybercrime cost more than $6.9 billion in 2021. The evening news commonly reports on cyberattacks against pipelines, government systems, and other vital services. Due diligence in considering ways to harden cyber targets and protect student and institutional data is essential and to not do so in today’s environment would probably be willfully negligent. However, there is a need for balancing security with usability.
IT leaders need to ensure that usability is still the primary consideration in building IT systems. IT systems are of little value if they are not able to be used effectively by end users. Considerations of what level of additional steps end users are willing to take is essential. This is particularly important as many organizations still have a high number of remote workers. Make sure the warnings provided to end users are significant as well. Too many warnings can numb end users into assuming the IT department is crying wolf and they may stop paying attention to warnings.
For instance, if a user is given a warning that the vast majority of links in the email system are dangerous, how long will it take until the user starts to ignore those warnings. This is particularly true when even links sent by the organization are flagged as unsafe. Most systems allow enough granularity to ensure that commonly used systems, trade newsletters or professional journals, etc. are not flagged. This would be a good first step in building effective trust between the end users and the IT staff.
Another common concern is to ensure that security strictures put into place do not so restrict users that the systems are not fully functional. Testing needs to occur with outside systems and partner organizations. It is particularly common for struggles between organizations that utilize the Google Suite verse those that use a Microsoft Suite. This is often a common struggle for K-12 educators, who are mostly Google users, when they want to interact with higher education institutions or other government agencies, many of which are Microsoft environments. IT staff need to make sure that interagency collaboration is encouraged and supported by the installed technology base. Most of us have had a situation where a Zoom, Teams, or Google call was complicated or failed due to one or both institutions involved having too tight of security.
When the security, as well intended as it may be, gets to the point of being burdensome to the end users, they will get creative. Their creativity will often create an even more insecure situation than the burdensome security measures were trying to address. For instance, when security measures create too many hurdles, users might find other users with more direct access and then just get them to send the sensitive data in a less secure email format, or even use a personal email to avoid the institutional system all together.
Similar rules against forwarding emails are well intended, but when staff or students have multiple emails, insisting that they do not forward them to their primary account is a set up for missed information. When multiple emails exist in the same system, as is common in higher education for staff who are also students, those emails should be merged. One student I was aware of missed his final comprehensive exam for his master’s degree because the notice was only sent to his student email and not to his staff address, which he used exclusively.
There is no doubt that cybersecurity is essential for all organizations in our modern world. However, security cannot be valued more than usability. The sad fact is that the only entirely secure computer system is one that have been unplugged and shut off. Cyberattacks will continue, and it will be important to ensure that every organization has strong backup and recovery plans in place. However, end user usability is just as important as security.
Related:Exposing the realities and myths of K-12 cybersecurityRansomware attackers head back to school
Author Recent Posts Dr. Steve Baule is a faculty member at Winona State University (WSU), where he teaches in the Leadership Education Department. Prior to joining WSU, Baule spent 28 years in K-12 school systems in Illinois, Indiana, and Iowa, and two years teaching in the University of Wisconsin System. For the 13 years prior to moving to the university level, Baule served as a public -school superintendent. He has written 10 books on a variety of educational and historical topics and has served on the editorial boards for two journals. Baule earned an advanced diversity and equity certificate while in the UW system. He holds a doctorate in instructional technology from Northern Illinois University and a doctorate in educational leadership and policy studies from Loyola University Chicago. Baule’s scholarly interests focus on online student engagement, educational technology– particularly the impact of 1:1 implementations, social-emotional learning, and the history of education. Baule led several efforts to improve student emotional health and reduce discipline issues prior to moving into higher education. He also writes on aspects of early American history.Baule has held memberships in the American Association of School Administrators, the American Library Association, the American Association of School Librarians, the Association for Supervision and Curriculum Development, the Consortium for School Networking, the International Association of School Librarians, the National Association of Secondary School Principals, the National Staff Development Council, and many of their state affiliates. He has served as a consultant in the areas of educational technology, facilities design, library program development, team building, and communications. Latest posts by Steven M. Baule, Ed.D., Ph.D. (see all)