Adding Cybersecurity to the Curriculum
Gary Henderson: Educate Teachers So They Can Educate Students to Protect Their Data
We need to look at how we can educate students and build awareness in them to create a future culture and society that routinely considers cybersecurity and data protection.
We largely look at cybersecurity with a focus on the immediate future - how we can better secure our current systems and how we can build cybersecurity awareness in our current users so that they are better able to identify risks and respond accordingly. But maybe we need to look a little further ahead.
As a trained teacher with over 20 years of experience working in schools and colleges, I think we need to look at the students in our schools, colleges and universities and how we can educate them and build awareness in them to create a future culture and society that routinely considers cybersecurity and data protection.
Since I began teaching in the late 1990s, I have always been concerned with how students are prepared for the world beyond school - and in particular for the safe and secure use of technology. In the 1990s and 2000s, it was relatively simple. Access to IT and the internet in particular was often limited to IT labs in schools, colleges and universities, so it was relatively easy to filter, manage and control.
Today, conditions are different. Students increasingly have access to multiple personal devices, all with internet access, and they regularly make use of multiple social media platforms, gaming platforms and other online services.
Due to the increasing requirements of the curriculum, the time available to work with students on safe use of technology, and more particularly on cybersecurity, has decreased. At a time when we need to be better preparing students for the technological world they increasingly live in, there is less time than ever to do so.
Cyber in Schools Today
Some schools discuss cybersecurity in IT lessons, assemblies or other presentations, such as an annual online safety talk on Safer Internet Day. But we need to include sufficient content on this topic in lessons while still covering the breadth of the curricula.
I faced that challenge recently, when I taught computer science to Year 9 students. In the course of study, digital citizenship, cybersecurity and data protection were relegated to a footnote in an otherwise packed lesson program that included number systems, programming, problem-solving and spreadsheets, among other topics.
Session length is another challenge. When I make presentations to students, I am usually given only 10 minutes. And during that time, students will likely have other things on their minds, such as personal issues, coursework and homework. Only some will be paying attention, and only some of that attention will result in actual learning that the students will remember.
Modeling Behavior
A more effective way to teach students is through the day-to-day actions of their teachers, who model behaviors every time they access and encourage the use of online services, talk about online tools, use their school and personal devices and share data. If they model appropriate, constructive and secure behaviors, the students will pick these up, and the same will happen if they model careless, poorly considered and insecure behaviors.
Take for example the teacher with a short password who signs up for every new service without reviewing the terms and conditions. Compare them to the teacher who uses a password manager and multifactor authentication and who takes time to discuss the terms and conditions of new services with their students. We hope students will follow the behaviors of the second teacher, not the first one.
While running a single presentation on cybersecurity with students might seem to be a solution to the problem of them not taking the issue seriously, ensuring that teachers model best practice is more likely to have an impact on students in the long term. So how can we make sure that teaching staff are aware of the risks and what represents good cybersecurity and online behavior?
Teacher Awareness
Developing awareness in teachers is similar to developing awareness in students. You have to engage them and provide content that fits into their busy schedules. I try to provide bite-sized content that can easily be fitted around other tasks in a busy day. But bite-sized content may be overlooked or forgotten, so it must be shared frequently, to constantly reinforce and refresh the message. In other words, share a little, and share it often.
The cybersecurity awareness of teachers and school staffs is as varied as their technology and IT skills. Some will be good, and some less so. On average, when compared with other industries, I think schools lag slightly behind, perhaps because teaching is such a busy and all-encompassing job. It involves high-stakes exams, curriculum content that must be covered, ongoing assessment of learning, pedagogy, building relationships with students and much more. All that makes it easy to forget cybersecurity.
That is why a multilayered approach to awareness development is essential. We need to touch on cybersecurity regularly and through different media, including whole school sessions, small groups, emailed updates, etc.
The content for students must be "sticky" and memorable. My techniques to achieve this have included making cheesy jokes and wearing a hacker mask and speaking in a modified voice during a video presentation.
I try to vary the content - whether it's phishing or data protection, passwords or securing personal devices - and the delivery - on-demand video content, face-to-face presentations and Q&A sessions. When teacher awareness programs are dull and predictable, they are also ineffective.
It may take years of constantly repeating and reinforcing content in order to develop the all-important culture of cybersecurity, a culture in which the behaviors of staff model best practice for the students in their care.
A Cybersecurity Culture
Sometimes, an immediate problem requires an immediate fix. For example, if the school suffers an incident in which a user account is taken over, the school shares training content with all staff, focusing on avoiding such account takeovers through strong passwords, vigilance in relation to phishing emails and enabling two-factor authentication.
But to truly manage cyber risk, we need to develop a cybersecurity culture. It needs to be an ongoing process, not an event or a product that is purchased, but something we visit and revisit throughout the year, every year. This isn't easy, and it will take significant time. But we need to do it.
The most effective route to developing our students is through their teachers. Having them learn in a cybersecurity culture will ensure that they are equipped with appropriate cybersecurity behaviors when they are working in our organizations and companies.
Gary Henderson has worked in education for over 20 years, initially as a trained secondary school teacher in the U.K. before periods working in further and higher education, international schools in the Middle East and more recently in his current role as director of IT in a large U.K. independent school, where he provides technology services that enable student learning. He is passionate about the potential of technology in teaching and learning and has led various technology projects as a teacher, middle leader, senior leader and educational consultant. He has also presented at conferences in the U.K. and the Middle East. Henderson believes cybersecurity, data privacy, online safety and ethics in relation to technology use need to be more openly discussed with students in schools.