Why the responsibility of schools’ cybersecurity rests with principals

Why the responsibility of schools’ cybersecurity rests with principals

When it comes to protecting schools from cyber threats, principals have an important role to play, whether this means ensuring the right ICT safeguards are in place, or ensuring the training of staff and students in identifying these threats is up to scratch.

Nick FitzGerald, a senior research fellow at ESET, a global IT firm based in Slovakia, told The Educator that there are two different constituencies they have to consider – staff and students.

“As ‘the boss’ – regardless of whether you see that as a CEO role or not – principals are generally seen as having ultimate responsibility for their staff’s professional development and actions while at work,” he said.

“Hence, ensuring suitable cybersecurity training, raising ongoing awareness and so on, for their staff will be a large responsibility.” 

FitzGerald said that all sectors of society are increasingly being expected to be “cyber-savvy” and sufficiently prepared to avoid falling for the many social engineering and other cybersecurity threats they will typically be exposed to on an ongoing basis.

Principals will be held responsible

FitzGerald said that principals will likely be held responsible for ensuring suitable cybersecurity education outcomes for their students. 

“Few school systems have specific cybersecurity elements in their curricula yet, but surveys suggest that a significant proportion of adults, whether parents of school-aged children or not, feel that schools should be the main locus of teaching about cybersecurity issues,” he explained.

“Recent updates to Australia’s official cybersecurity strategy include several specific mentions of beefing-up formal cybersecurity education.”

Although these are specifically oriented to increasing the number of cybersecurity professionals to fill a badly-felt skills gap, FitzGerald said the strategy also speaks in several places of improving overall community cyber awareness.

“This hopefully means that cybersecurity curriculum materials will be developed and integrated in suitable education programmes across all levels of the school system,” he said.

“The New Zealand cybersecurity strategy contains more explicit direction that schools need to be included for reasons other than just increasing STEM, and specifically ICT graduates with cybersecurity expertise.”

FitzGerald said principals are likely to have another kind of cybersecurity concern too. 

“Specifically, schools are increasingly using online homework, testing and results recording systems, and principals and/or some of their senior staff are likely to be tasked with ensuring the confidentiality and integrity of these systems and the data they contain,” he said.

“Likewise, general-purpose security concerns for a school’s ICT equipment are likely to more or less directly rest with the principal.”

Who is best placed to deliver cybersecurity training?

FitzGerald said that while he deeply respects teachers who are increasingly expected to be experts in an increasing number of fields, it appears that there is a shortage of suitable expertise, experience and curriculum direction and materials for much classroom uptake of cybersecurity and awareness education. 

“Ideally this will be addressed through the usual curriculum update processes and professional development opportunities for teachers, and changes in teacher training,” he said.

To address the short-term shortfall in opportunities for schoolchildren – specifically those interested in cybersecurity training as part of a possible ICT career – FitzGerald said businesses and universities can play a part. 

“For example, in San Diego, USA the local ESET office runs an annual cyber boot camp for about 50 middle and high school students who might otherwise never get a chance to learn what a cybersecurity career can be about,” he said.

“Individually, it is a small effort, but if many companies also do this, we can have a much greater effect.”