5 ways to nurture a cybersecurity interest in a healthy way
Ryan Cloutier, Principal Security Consultant, SecurityStudio, eSchool News, Fri, 12 Feb 2021
https://www.eschoolnews.com/featured/2021/02/12/5-ways-cybersecurity-healthy-way/

It’s something no teacher or administrator wants to think about, but what if one of your students is showing an interest in computer hacking? Teachers–sometimes more than parents–can tap into kids’ interests and skill sets. And with technology now a large part of how students are learning, it is just a matter of time until any educator runs into a student with an unexpected knowledge of how tech works or how to manipulate it.

How do you know if these students simply have a healthy curiosity or are interested in something darker? And how do you help an advanced student understand that they can use their skills for good by choosing a career as a cybersecurity professional rather than an underground hacker? Here’s how to handle such a nuanced situation.

1. Identify interest and skill

There are a few ways to pinpoint a student who has sufficient skills and interest to be a potential security threat.

First, look for kids with a high technical aptitude. They’ll be the whizzes in their computer class, often helping other kids (or teachers) who run into technical issues. They also seem to have all the devices and know how they work. Listen for them to talk about their phones, tablets, gaming systems, and more. Additionally, pay close attention to students who show a real curiosity about technology. These are the ones who talk frequently about new tech or ask a lot of questions; these kids are demonstrating a high level of interest in the topic. Combine technical aptitude, access to devices, and curiosity, and you have a student who could cross over into pushing the envelope a bit further than any of us want.

Second, keep an eye out for actions like changing a teacher’s password or accessing something on the network they’re not supposed to. Some kids might do this for attention. Others simply because they can. And others might consider it a harmless prank on a good-natured teacher. But if not recognized and addressed, changing a password could quickly turn into running bitcoin miners on school computers or hijacking a school quiz system in order to receive a particular incentive.

Third, listen to and learn the lingo. Yeah, we had to figure out what seemed like codewords when “Gucci,” “finsta,” and “lowkey” came onto the scene, and it’s no different with technically adept students. There have been many instances in which students have communicated their hacking ideas in front of adults without the adult having any idea what was going on. There’s a whole underground lexicon in the cybersecurity world that interested students are learning, and it’s important for you to know, too.

Odds are that a student who is using the following terms is a student with whom you want to have a discussion about their interest in cybersecurity and hacking:
● (WiFi) Pineapple – A wireless auditing platform used to conduct penetration tests.
● (LAN) Turtle – A covert systems administration and penetration testing tool.
● Hashcat – A password cracking tool.
● Netcat – Network Cache Attack; a side-channel attack method.
● Kali Linux – An advanced Linux distribution used for penetration testing, ethical hacking and network security assessments.
● Tor – Free software that lets you operate on the internet anonymously.

When you discover any language or actions like those listed above, that’s the time to intervene. Start by having a conversation with the student about appropriate use of school devices. Remind them about the acceptable use agreement they signed at the start of the year, and what it entails. Many students didn’t read or won’t retain what that document contracted them to do or not do. It’s a good opportunity to remind them of what it means.

2. Involve parents

The next step is to call their mom and dad, but be aware there’s a right way and a wrong way to do that. It must be non-punitive to be effective. Let’s say a student hacked into the shared library computer. You don’t call the parents and say, “Tim hacked the computers and we’re concerned.” Instead, take the following approach: “Tim has shown a strong skill set with computers, and we’d like to work with you to help him develop this in a healthy way.”

Make sure the parents are aware that, if left unchecked, Tim’s interests could take him down a darker, even criminal path. But frame the conversation in such a way that his mom and dad understand they are on the same team as you and, together, you can direct him to use his passion in a healthy way.

3. Motivate and engage

Once the student’s parents are aware of what’s going on, and are on board with your plan, it’s time to dig into what motivates the student. Not all threats are created equally, and neither are all drivers behind those threats. When kids dip their toes in potentially malicious cyber activities, they’re usually doing so for one of three reasons:
● Pure curiosity (they have an insatiable appetite for figuring out how things work and genuinely love computers)
● Money (they’ve learned how to monetize their online actions and dream of the millions they think they can make as a hacker)
● Power (they’re hungry for the fame and prestige they think comes with being a skilled cyber-criminal)

If a student has accessed something on the network due to simple curiosity, you’ll handle the misdeed differently than another student who has stolen his peers’ personal information and is bragging to them about it in a grab for power. It’s important to understand the “why” behind an action because it helps you see what motivates a child and when–or if–such an action is likely to happen again.

Then, find opportunities to keep these students involved and engaged. In some districts, kids who hack into the network are put to work on the school’s tech team. They may even get paid for their contributions. The worst thing you can do in such a scenario is to discourage their curiosity and skills; your goal should instead be to redirect them to use all of that for good.

Keeping students like this close will help you keep an eye on them, and thus mitigate risks. It also will allow you to positively reinforce the idea that yes, they can continue doing this cool thing they love (hacking, etc.), but in a safe and productive way.

4. Offer opportunities for empowerment

Most kids who have tried to mess with hacking on school grounds do find the cyber world exhilarating. In addition to getting them involved with the tech team on your school campus, talk to them about learning opportunities and the possibilities of a career in cybersecurity down the road. The National Security Agency (NSA), for example, runs prestigious (and high-paying) internship programs that can give kids with cyber skills a real advantage should they choose to pursue a related career.

There are also various camps (like the ones hosted by GenCyber) that help students positively channel their computer interests and gain more skills. They can also consider taking Advanced Placement courses in computer science, so they’ll already be ahead when they enter college. All of these opportunities are valuable and exciting, and can do a lot to set students up for success in the field.

5. Monitor closely

Finally, keep an eye on these talented and curious students. They can learn so much today through YouTube and social media channels that their cyber threat level could literally increase overnight. Make sure your teachers and other staff (like librarians, who are often in charge of shared computers) are aware of how to identify the signs of high cyber interest–and what to do next.

Most importantly, remember, even the best intentions won’t always produce the results you want. It’s like teaching a child self-defense; you hope they’ll use their skills to protect themselves and others, but it’s also possible they could use them to hurt someone. Your goal should be to empower them and shepherd them toward the good, while simultaneously monitoring their devices and actions more aggressively than the average student. Your tech team should have that visibility, too, and keep these students on their radars.

Cybersecurity is an important, thrilling, and rapidly growing field. Administrators, teachers, and parents all have a part to play in keeping our own networks safe, while identifying and nurturing the students who show a special aptitude and curiosity to explore the field further. In the end, it will benefit our students, our schools and our world.

 

Are you protecting health data amid COVID-19 testing and tracking?
eSchool News, Tue, 08 Dec 2020
https://www.eschoolnews.com/it-leadership/2020/12/08/are-you-protecting-health-data-amid-covid-19-testing-and-tracking/

There’s no point mincing words: School districts and administrators have had a heck of a year. Not only have you been under immense pressure from parents and state officials to reopen schools safely, but your teachers are also understandably concerned about virus transmission. What’s more, your plans keep changing and you’re being forced to adapt.

It’s an uphill battle, and there’s no doubt you’re doing your best. In all the chaos, you’re now responsible for taking temperatures and doing daily COVID-19 screenings, but you may not have had enough time to research screening devices and do sufficient due diligence before welcoming students back through your doors. Unfortunately, making a purchase like this can open you up to risk. Here’s why, and how to mitigate these risks moving forward.

Untested tech, unproven vendors

COVID-19 took the world by surprise, and people have taken a waterfall of reactionary measures ever since. Consumers have bought household goods out of panic, and schools have bought screening devices in much the same way – because they needed to.

You need to reopen your doors, so you need to perform health checks, as well as COVID-19 testing and tracking. It’s understandable that you may have either purchased a device for your school or been given one to install from your district without first undergoing a complete risk assessment.

But these screening devices are largely unproven. Many of them have emerged very recently from vendors that are neither widely known nor trusted. Furthermore, many of them use facial recognition so the technology can connect the dots between the temperatures they’ve taken and whose temperature it is. Do you know how, where, or if that data then gets stored? Whether you have a handheld screening device that looks like a modified cell phone or one that looks like a tablet, you need to understand the associated risks and configure the technology securely.

You’re now handling health data

You’ve always had to manage and protect student data, but as soon as you pull the trigger on a temperature scanner, you’re dealing with sensitive health information. Some people dismiss temperature data as “just a temperature,” but the reality is that this is health data – and it needs to be treated differently than general student records. When you’re handling health data, the complexity and sensitivity are increased significantly.

A lot of COVID-19 testing and tracking devices have a server component to them, so the device sends data to a centralized server system where it’s captured and used for reporting. If someone scans hot, a notification may go out. That notification is then sharing health data. Additionally, many technologies are working to help record contact tracing. This, of course, is another layer of sensitive data, this time about the comings and goings of individuals.

So, consider where the personal information captured by these devices goes. Is it being used by the vendor for purposes aside from COVID-19 testing and tracking? Odds are good that it is (or eventually will be). Also, is it part of your network? If so, there’s a possibility that a cybercriminal could access the network – and all the data. There has been an increase in attacks on COVID-19 testing centers, vaccine development facilities, etc., so it’s not a stretch to imagine this type of data being a target within your own walls.

Assess risk & make plans

If your data, school, or district does get compromised and your screening technology is taken offline, what’s your backup plan? Do you have one? If not, take the time to think through all possible outcomes and what your next moves will be. Whether it’s because of cybercriminals or simply because the technology fails (as all tech does eventually), having contingency processes in place will increase your speed of response and level of security.

For example, if your device fails, will you use a handheld thermometer and record students’ names and temperatures manually? If so, how will you keep that information secure? Or, will you close the building and send kids home? Whatever scenario keeps your students, staff and data safest needs to be properly mapped out in the event it needs to be followed.

If you haven’t yet purchased and implemented a COVID-19 testing and tracking device, first perform a proper risk assessment on both the technology itself and the vendor. Make sure you understand how the device works, what data it’s capturing, where it’s being stored and how that data will be used today or in the future. Then, take steps to deploy it securely. It should be isolated to its own network or segmented to a virtual LAN. You don’t want any unproven, untested technology on your main network; otherwise, your risks increase dramatically.

If you’ve already purchased and even begun using such a device, retroactively execute a risk assessment – as soon as possible. Then go through the same steps above. You may need to undo and redo its initial configuration in order to make sure it’s secure and on its own network, but it’s worth the time and energy. After all, you don’t get second chances with protecting sensitive student health data.

5 cybersecurity life skills to teach all year
eSchool News, Thu, 03 Dec 2020
https://www.eschoolnews.com/district-management/2020/12/03/5-cybersecurity-life-skills-to-teach-all-year/

If a student from your school had someone knock on their front door, ask for personal information and offer to give them a treat in exchange for that information, what would happen? It depends on the child, but what you know for certain is that your district or school has been teaching stranger danger since that child was in kindergarten, so the odds are good that the interaction would raise a red flag for the student.

Why is it, then, that students are posting videos and photos on TikTok, Instagram, and Snapchat without any concern that their school name or home address is displayed prominently in the background?

The reason is simple: we – parents and educators alike – aren’t adequately teaching our kids cyber life skills designed to protect them online.

Life skills are relative – and ever-evolving

Simply put, life skills have always been relative to the time of society. When saber-toothed tigers roamed the earth in 10,000 BC, humans were taught to watch them because their lives, literally, depended on it. When automobiles became more commonplace in the early 1900s, we had to teach children to look both ways before crossing the street.

Historically, when there have been major changes to the daily norm, we have adjusted our life skills to accommodate those changes – except over the past 20 years. Despite what is arguably the most significant change society has ever undergone – the advent of the internet – we’ve done very little to adjust to the massive technological changes over the past two decades or to properly prepare our children for how the innovation can and will impact their lives. Technology is wonderful in the ways that it’s wonderful. But, without education and guidance, it moves very quickly into truly dangerous territory.

Cyberbullying education isn’t enough

While schools are putting devices in the hands of students as early as kindergarten, and many families are doing so at an even earlier age, we generally are not giving kids the instruction or guidance on how to manage their health and wellbeing, time or security online.

While there have been proactive pockets of parents and educators who were ahead of the curve and informed themselves about both the plusses and minuses of technology, no one could have anticipated the universal adoption of smart phones or the addictive power of social platforms targeted at kids.

One area we have seen schools target heavily with regard to technology is cyberbullying. And while this vicious type of interaction between kids needs to stop, it really is something that schools are already familiar with and have programs in place to handle.

What’s even more important is to educate kids about how to protect themselves online, how to identify red flags and when to ask for help when the broader, global online community (yes, including their classmates) is held in the palm of their hands.

Cybersecurity life skills to teach

As consumers ourselves, we know that privacy is important. I contend, however, that privacy is an end game and that there are other cyber life skills we need to teach more urgently that will help get us to privacy.

Let’s take a look at five areas that we can really dig into with students that will make a difference in terms of how they conduct – and protect – themselves online.

Cybersecurity Life Skill #1: Digital is real: The physiological responses humans experience when they are in danger – increased heartbeat or breathing, etc. – don’t translate well to the online world. We have to teach kids how to identify risk without those cues and understand that the digital world is the real world. There is no separation between what they say and do on TikTok and what they say and do in their living room.

Cybersecurity Life Skill #2: Healthy skepticism: It sounds dramatic, but it’s not: children today are subjected to military and nation-state grade psychological warfare. From the ads they are served to the click-bait headlines that flash across their Pinterest boards, students are being fed propaganda, and it’s our job to teach them now to stop, think critically, and question why they are seeing what they are seeing. One simple tactic that can be adjusted, depending on the age of the child, is to imagine how they would react if the situation they face online were happening in the physical world.

Cybersecurity Life Skill #3: Trust but verify: Just like we teach students to cite sources in a bibliography, we need to educate them that everything online needs to be verified. Is what you’re seeing on your social platform confirmed in a trusted media outlet? An aside–political propaganda is not just for adults. Nation-state influence is also targeted at children who have influence over part of their parents’ voting decisions, in addition to being a long-game for when those students can vote.

Cybersecurity Life Skill #4: Digital ethics and information warfare: “Don’t look at your neighbor’s paper” is the first time we teach students about ethics. We have to translate this to the digital realm and help them be aware of sensitive content so they don’t mistakenly take photos that have mom and dad’s mortgage statement in the background or that capture an older sibling in a swimsuit as he or she walks by. Additionally, students must learn to be selective about who they share personal information with. Online, a “bad guy” doesn’t always look like a bad guy – it can look surprisingly like a harmless “fellow student.”

Cybersecurity Life Skill #5: When to tell: Kids have to know when to ask for help from an adult they trust. Kindergarteners should tell a parent if they are ever invited to a chat room. A middle- or high-schooler needs to get help when conversation turns to sexual advances or requests for inappropriate photos. The guidance changes year to year, but recognizing something has gone too far and asking for help is ageless.

Cybersecurity life skills are every bit as important as learning to read, write, or add. They should be taught as soon as a student is given a device to use, and they need to be reinforced every year. We can scale the lessons according to age and grade level, but the principle is the same: today, we live our lives online and have to take precautions to protect ourselves in the digital world.

Instructors know how to reach their students, so teaching these lessons will vary school to school according to their student population. The most important thing is to prioritize cyber life skills and make them part of the ongoing curriculum.

10 K-12 cybersecurity must-dos https://www.eschoolnews.com/featured/2020/06/22/10-k-12-cybersecurity-must-dos/ Mon, 22 Jun 2020 09:55:47 +0000

Cybersecurity has always been a high priority for K-12 administrators and staff, but with the rapid push to remote learning brought on by COVID-19, school leadership has had to consider how to educate through the lens of cybersecurity.

While school years are closing up for the 2019 – 2020 year, it’s still unknown what our learning environments will look like for the 2020 – 2021 school year. Let’s look at 10 things that K-12 schools must focus on – whether the next school year takes place in person or via remote learning.

1. Perform a Risk Assessment
You’re already doing risk assessments for severe weather, fire, or other types of crises and emergencies. Do the same for your technology resources. This will give you the visibility you need to identify areas of concern. Don’t be surprised if your assessment finds that you have more systems than you realized. For instance, many administrators are surprised to learn that computers are controlling other systems such as door locks or cameras.

2. Create and Maintain an Accurate Technology Inventory
The vast majority of districts don’t have an accurate inventory of their technology assets and contracts because they aren’t counting their hardware and software resources together with the third-party services they contract with. Districts have to have a holistic view of all of these assets if they are to properly secure their schools and students.

3. Limit Unauthorized Access to Systems and Networks
Just like only certain teachers have access to certain student data, we need to make sure only authorized people are taking authorized actions on your technology systems. Also, remember – curious students might try to access systems they aren’t authorized to access. We want to encourage curiosity, but prevent it from turning criminal.

4. Continuous Security Awareness Training
Regular security awareness training – weekly updates, phishing testing, quarterly assessments – targeted toward students, teachers, staff, and administration is critical to keeping your systems and your people safe. By having an ongoing security awareness program, you create a “security-first” culture that reduces your risk of being attacked by a cybercriminal. Encourage your students, teachers, and administrators to apply what they learn both at home and at school. And remember that people are tired and stressed right now – they likely aren’t making mistakes maliciously, so create a non-punitive program that teaches people where they have had a misstep, rather than punishing them for it.

5. Maintain Secure Configurations for Systems and Networks
Systems patching is the top technical activity you can do to limit your cyber risk. A full 60 percent of breaches in 2019 were linked to vulnerabilities where a patch was available, but not applied. Patching and maintenance of systems should happen at least every week. Different systems release fixes at different times, so your district needs to create a schedule to consistently patch everything from hardware to operating systems to software.

6. Focus on Data Classification
Data classification, which has to do with data privacy and a clear definition of who has access to what, needs to be a focal point of your security program. By making sure you have a clear data classification process, you can limit who has access to what data and better protect your school and student data. This applies to third-party vendor access, too – those systems your school uses such as PowerSchool, Kahoot!, Remind, and others.

7. Plan How to Respond to Cyber/Information Security Events
Cyber events are inevitable, so you need to have a plan in place for how to handle them before they happen. Save time and effort by taking your crisis plans for weather events or fires and modifying them to address information security issues. Keep in mind that most districts don’t have the on-staff expertise to do incident response or sophisticated cybersecurity. When you’re creating your plan, identify partners that you might need to work with to identify and respond to an issue.

8. Perform Cyber and Information Security Assessments
Security assessments test your cyber and information security systems to ensure they are working. Just like you test new door locks, you have to test your information security programs. This is another area where having a third-party partner can be very helpful. Yes, your IT team can and should test your systems regularly. But having a partner run a stringent annual assessment is another layer of insurance that your systems are working.

9. Monitor Systems and Networks for Suspicious Activity
Monitoring is all about visibility – it tells us what’s actually happening on the network. Much like how schools usually outsource monitoring of their fire panel, network monitoring is an outsourced activity, so there is a cost involved. But, by monitoring and “seeing” what’s going on, you can respond faster at a reduced cost. Monitoring your network activity has to be a 24/7 activity; if you’re not watching the network at 2 a.m., it doesn’t count.

10. Use Multi-Factor Authentication Whenever Possible
How many of us have our Google email set up to require an extra PIN if we access it from a new computer? Hopefully most of us. This same level of security we use for our personal email is something we have to apply to our school systems, too. It’s called multi-factor authentication and it puts more ‘steps’ between the outside world and our sensitive data.

COVID-19 forced us into remote learning, which escalated our focus on our cybersecurity programs. While there is a lot to consider and do, it’s important not to be intimidated. Because schools already have plans and procedures in place for other emergency situations, prioritizing cybersecurity and cyber risk is something districts already know – just applied differently.
