This past month, I had a handful of conversations with teachers centering on technology in the classroom as well as their experiences with technology issues. I also collected survey responses which addressed the same topics. From my research, I came to some interesting conclusions that I would like to share – conclusions which I believe are universal for end-user perspectives on cybersecurity.

First (and not surprisingly) technology is an integral part of a teacher’s day, from electronic textbooks projected on the whiteboard to reading apps and educational games on iPads.  When technology blips happen, teachers are pros at adapting to tech problems.  Internet down or slow?  No problem, they’ll just re-arrange the day’s schedule a bit.  Computer won’t boot up?  That’s OK, they’ll just go to the whiteboard or pull out a hardcopy book and go “old school” (no pun intended).

But when it comes to potential security issues, teachers are less confident.  They often think they are on a secure network, and, if using a school-issued device, that they’re safe from being hacked.  The district tech department is protecting them from viruses and online scams.  So when ransomware strikes or a fellow teacher’s account is hacked, it’s quite disturbing.  In addition, teachers don’t necessarily think their personal information is at risk if their school district gets hacked.  It’s the district’s data and systems that are at risk.  Or is it?

This perspective presents major problems in launching security awareness and training, leaving many at risk. Could your employees, whether educators or not, share this same mindset?

Addressing “How does this apply to me?”

If you think that you can’t personally be affected by a data breach of your employer’s systems, think again. Everyone – whether in the workplace or at home – is susceptible to the dangers of security fraud. One way to help put this in perspective is to explain the W-2 scams that are rampant during tax season. If a fellow employee hands over your W-2 (along with everyone else’s) to a criminal unknowingly, you may be in for a nasty surprise when the time for tax filing comes. This isn’t something that a tech solution will necessarily address.

This past tax season was particularly devastating with the IRS reporting 42,148 cases of tax refund fraud. Many were targeted, including MedStar Health and even the City of Baltimore. In the latter case, city employees were informed that their salary information and personal details from the previous year had been given to cyber criminals, possibly as a result of a phishing e-mail. Though city officials were unable to pin down the exact cause, it is important to note that even in a government position you are not immune to cyber threats.

Addressing “What’s the technology department doing about this?”

Far from letting your users lose confidence in the technology department, let them know how much you ARE doing for them while making it clear that technology can’t solve one of the biggest problems in cybersecurity: Social Engineering.

Cyber criminals use social engineering techniques to infect systems or steal login credentials so that they can later sell the personal information they find for a profit.  They do this primarily by targeting the helpful or curious nature of humans, especially in the form of e-mail. Given this information, you can reiterate that (armed with the right knowledge), employees can protect themselves against social engineering attacks whether they’re at work or at home.

Addressing “My students know more about tech than I do.”

One thing that might help reach teachers is the feeling that their students know more about tech than they do.  Some teachers just feel that they are behind the ball when it comes to technology, and so it becomes a source of anxiety.  Are students adequately protected against access to bad content? Is Jimmy over there in the corner hacking into the district network on his iPad?

This can be a great way to generate conversation about security. Speak with teachers to address their concerns, clear up any misconceptions, and give them the confidence they need to understand the threats they face and how they can protect themselves.

By failing to give teachers sufficient knowledge about cyber threats and the tools they need to handle them, we are also failing our students.  There are so many aspects to securing computer usage and keeping students out of harm’s way, and the consequences of not addressing them are astounding. For example, a 14 year-old boy in Florida was convicted of a felony in 2015 after memorizing the password to his teacher’s computer, logging in under her name, and then changing the screensaver to something inappropriate. Sounds like great justification for teaching about the dangers of shoulder-surfing.

Developing security awareness and training programs is moot if we do it in a vacuum.  As we suggested in an earlier post, it’s important to ask your users what they care most about and whether they are aware of potential security issues in order to begin the security conversation.  At the end of the day, teachers are excited about what technology can help students achieve.  It’s our job in information security to help them be aware of the pitfalls and how to avoid them.