How Christian schools are tackling cyber security

Many of the nation’s 30,000 independent private schools could be susceptible to cyberattacks, according to a recent article in EdTech Magazine.

The threats are widespread, but private schools are especially vulnerable for two reasons: (1) They handle sensitive financial information for donors, families and alumni, unlike public schools, and (2) they may operate on a tight budget with minimal staff and resources dedicated to IT.

“Independent schools retain student records, but they also stay in touch with alumni for community building and donor relations,” says Ashley Cross, senior director of education and content at the Association of Technology Leaders in Independent Schools (ATLIS). “So, they have to think about the lifetime records of constituents, which is a very different challenge than for public schools.” A breach of information can harm a school’s reputation with alumni and with the community. 

To stay vigilant, some schools conduct annual security audits where an outside company attempts to hack into their system to expose vulnerabilities. Omar Valerio, CIO of Westminster Christian School in Florida, and his team of four IT personnel conduct their own monthly drills to prevent attacks. They also monitor their network constantly. 

“No one is immune to attacks, so you have to be proactive,” Valerio says. “When something triggers an alert, we are on it immediately. It doesn’t matter the time of day or day of the week. We are on it 24/7/365.” 

Prevention also helps reduce incidents.  

Westminster provides each of its 1,280 students with a tablet, and uses a service to ensure that patches and software updates are automatically installed. Staff are trained to recognize “phishing” emails that impersonate a real business or entity. Valerio even uses a program called KnowBe4 to test staff with fake phishing emails. “Now, if emails don’t look right, teachers know to send them to IT immediately,” he says. 

Some schools, such as Montclair Kimberley Academy in New Jersey, have turned to a cloud-based approach, hosting most of their core applications on cloud-based servers. This “outsources” some of the security responsibility to the cloud vendors, which have their own security measures in place.  

Still, vigilance is needed: Montclair’s IT department approves any request to join an app and monitors whether sensitive data such as an address book is being shared with that app to prevent data breaches. 

Google’s Education Workspace is another popular cloud service with schools but offers its own challenges. Workspace evolves quickly and rolls out new features, some of which could expose data if not managed correctly. Montclair, which has 1,050 students spread across three campuses, hires a third party to assess potential security risks every two years. 

Smaller schools with fewer resources and staff can still make a cyber security plan, says Cross, of ATLIS. Recommendations include crafting a multiyear security roadmap, deploying multifactor authentication, endpoint security, firewalls, encryption and data backup, as well as investing in cyber liability insurance. Some schools may hire an IT leader to provide strategic direction, then outsource IT needs such as cybersecurity through a managed service provider. 

If finances are an issue, there are government programs such as E-rate that can fund technology, as well as soliciting funds from alumni, grants and donors.