I’ll never forget the first cybersecurity attack I endured as a high school principal. It happened years ago, after I had to assign consequences to a tech-savvy student who regularly would hack into our school Wi-Fi network to access websites and social media platforms that, at the time, were blocked from student access during the school day.

I remember the student being upset because he was trying to meet a critical deadline for his international business, and his two other partners (one in Finland, one in Russia) needed his help to finish a project for their company.

The three ran a company that rented and sold server space to gamers around the world. Mind you, my student had just recently celebrated his 15th birthday.

Coincidentally, the day following the in-school suspension I assigned the student, my school district was placed under a distributed denial-of-service (DDOS) attack from unknown sources on the web.

For those who have never experienced such an attack, I can describe it in this way. Imagine one day that all of the computers in your school were no longer able to connect to your school’s network, which includes internet access. Your network was receiving a flood of useless data from unknown sources that choked its ability to do anything else but drown in this data, rendering your network useless.

Your IT professionals could do nothing, and your internet provider was equally as helpless. This DDOS attack lasted for days, and my school was at the mercy of our attackers, just waiting for them to stop and move on to something else.

I was never able to connect my student to this attack, but ironically, the DDOS didn’t stop until I pleaded with the student that if he had anything to do with it, I needed him to put a stop to it. The DDOS attack stopped within six hours of that conversation.

In the days and weeks following the attack, I tried to figure out what I could do as a school principal to prevent these types of actions from reoccurring. Back then, options were limited, but years later, we have learned a lot about cybersecurity and what can be done to protect against it.

A recent Education Week special report looked at big threats and best practices in K-12 cybersecurity. The report was a series of articles, webinars, and videos on the topic.

In this March 2019 Education Week article, reporter Benjamin Herold wrote about the barrage of DDOS attacked that North Dakota schools faced earlier this year. Bismarck schools were highlighted for their efforts to keep their security patches up to date and their decision to keep a full-time staff member dedicated to network security.

Across the country, just 25 percent of school districts have such a position, and that figures drops to just 8% in rural areas. Rural North Dakota has responded by forming a robust state-level network to manage many of the day-to-day network operations that rural districts simply don’t have the staffing to handle. Herold wrote, "The state department of information technology manages a statewide broadband network known as STAGEnet. Each day, more than a quarter-million users across 400 separate public entities — including the state’s 227 K-12 school districts — use the network. Much of the work of monitoring and filtering incoming traffic is handled at the state level, taking some of the burden off under-resourced schools."

Education Week reporter Sean Cavanagh shed light on the cybersecurity threats that schools most often face in this article. Cavanagh interviewed Melissa Tebbenkamp, chief technical officer for Raytown Quality Schools, which serves roughly 9,000 students just outside Kansas City.

Tebbenkamp reports that some of the biggest cyber threats come about from unsuspecting staff members who open phishing emails disguised as something benign. Tebbenkamp stated, “It’s about protecting where you have control — which is your house — first. We do have a growing concern about outside malicious attacks directly targeting us. But the biggest and most frequent [vulnerabilities are posed by] our staff.”

When asked what schools could do to decrease cyberattack threats, Tebbenkamp said this: "You obviously have to have the gates closed. You need to have your firewalls in place, and meet those best practices. Your virus protection. The majority of schools do that pretty well. The next piece, once you take care of the basics, is user training. Making sure your staff know what a phishing e-mail looks like, what those scams look like, how to respond or not respond. Where it’s important to share student information, and where it’s not. That end-user training is going to protect you. That will protect you against the lost USB drive with personal information on it. That training can’t be once a year. You have to keep it front of mind."

Cybersecurity is an ever-changing field, and I have found the best things schools can do to protect themselves are to stay educated about threats that could impact their operations and ensure staffing and resources are dedicated to addressing (and warding off) those threats when they come up.