This page focuses on addressing adversarial and human-caused threats to people in the school community in an online setting—also called cyber safety. Find resources on cyber safety:

Digital Health, Safety, and Citizenship

Learn about addressing adversarial and human-caused threats to networks and systems in schools and school districts:

Cybersecurity Web Page

CYBER SAFETY FOR K-12 SCHOOLS AND SCHOOL DISTRICTS

The Internet allows for access to information 24 hours a day, 7 days a week. For schools (public and nonpublic), online capabilities can provide access to a vast number of resources as well as facilitate remote learning in an online setting and collaboration between classes and students in different locations. However, the Internet can also serve as a channel for threats that negatively impact the whole school community. Students are at risk from online threats like sextortion and cyberbullying, and school staff and families are working to protect students from these online harms. Threats in an online environment can have serious impacts; for example, cyberbullying can lead to depression and anxiety, health complaints, and decreased academic achievement by students.

To help prevent these incidents from occurring, schools and school districts can create responsible use policies (RUPs), filter and block inappropriate content, and promote digital citizenship through instruction on how to stay safe online. If students do become victims, they should be aware of whom they can turn to for help—such as a teacher or other trusted adult. Some protections for children online are provided by law and regulations, such as the Children’s Internet Protection Act (CIPA). CIPA aims to protect children from obscene or harmful content on the Internet. Schools or libraries that are eligible to receive discounts for telecommunications, Internet access, or internal connections through the E-rate program (Universal Service Program for Schools and Libraries) must certify that they have an Internet safety policy that blocks or filters access to pictures that are obscene, child pornography, or harmful to minors.

While CIPA may help prevent students from accessing inappropriate content on the Internet, this will not protect students from the full range of online threats. To help address these, planning teams should consider laying out protocols and courses of action for before, during, and after a cyber incident in the Cyber Annex to the school’s emergency operations plan (EOP) as part of their preparedness efforts.

Identifying Online Threats to School Communities

In addition to the threats that all users face when going online, such as computer viruses and email scams, school communities may also face cyberbullying, inappropriate content, sexting, oversharing, online enticement, and sextortion.

Cyberbullying is bullying that takes place over digital devices such as cell phones, computers, and tablets. Cyberbullying can occur through instant messaging, text, and mobile applications (apps) or online in social media, livestreaming, forums, or online gaming communities, where people can view, participate in, or share content. Cyberbullying includes sending, posting, or sharing negative, harmful, false, or mean content about someone else. It can include sharing personal or private information about someone else that causes embarrassment or humiliation. Some cyberbullying crosses the line into unlawful or criminal behavior.

Most common places where cyberbullying occurs:

  • Social media, such as Facebook, Instagram, Snapchat, and TikTok
  • Text messaging and messaging apps on mobile or tablet devices
  • Instant messaging, direct messaging, and online chatting over the Internet
  • Online forums, chat rooms, and message boards, such as Reddit
  • Email
  • Online gaming communities

The Internet has brought advantages such as access to information and friends anywhere in the world and at any time, but it can also contain information, images, videos, and even virtual spaces that are inappropriate or not age appropriate for students. Adolescents and children can unintentionally come into contact with inappropriate content online, such as sexually explicit material, or can stumble across adult-only online spaces, such as adult-only virtual worlds. Unsolicited, obscene materials can also be received electronically. It is important for adults in the school community to help students learn how to be good digital citizens and navigate online spaces safely to avoid coming into contact with or disseminating inappropriate content.

Sexting is the sharing and receiving of inappropriate content in the form of sexually explicit messages, photos, or videos via text messages or apps. Sexting, while commonly occurring off school grounds, may also occur on school property, with content being sent and viewed on cell phones. Of note is that possession of sexually explicit photos received by sexting may have serious legal consequences as it can be considered a type of possession of child pornography.

Sharing information online can be risky. Oversharing can occur via private channels, like instant messaging, or through public channels, such as social media posts, online chat rooms, or other public online forums.

Personal information as well as personally identifiable information (PII) may be shared online by students or other school community members. This information might include name, age, address, phone number, passwords, Social Security number, and family financial information (including credit card numbers or bank account details). PII and other student and staff information are valuable to malicious cyber actors, as this information can be used to commit identity theft, sold to other threat actors, and used to develop and carry out other cyberattacks.

Students are also at risk of online child sexual exploitation and abuse (CSEA). Sharing sexually explicit images or videos, even with individuals believed to be known and trusted, can lead to other serious online threats, including sextortion.

Oversharing may also have academic or professional consequences for a student or staff member. It is important to think carefully before posting images or language online, on social media, or in other shared messaging platforms. Employers, coaches, college admissions officers, law enforcement, and others may all be able to see what an individual shares online.

Online enticement occurs when an individual communicates online with a child with the intent to commit a sexual offense or abduction. Online enticement can happen on instant messaging, social media, online gaming platforms, or in other online spaces. Online predators may engage in grooming, by which they build the victim’s trust by developing a rapport, sympathizing with him or her, engaging with online posts, or feigning common interests.

Grooming and online enticement can lead to child sexual exploitation, sextortion, and adult sexual misconduct (ASM). The U.S. Government Accountability Office defines ASM as any sexual activity directed to a child with the purpose of developing a romantic or sexual relationship. Behaviors may range from those that are inappropriate to those that are illegal, and they may include verbal conduct, physical conduct, or electronic interactions. ASM can be perpetrated by educators but also by other school personnel, including athletic coaches, administrative staff, bus drivers, or volunteers.

Sextortion is a form of online sexual exploitation and child pornography (when minors are involved) in which offenders use Internet technology to entice, coerce, or blackmail people into sharing sexually explicit images or videos of themselves online. Offenders often manipulate victims into providing sexually explicit images or meeting the offender’s monetary or sexual demands by threatening to post the victim’s images online or to share the images with the victim’s friends and family. Victims of sextortion may share images or information with someone they believed to be a trusted individual, but in many cases, they are targeted intentionally by someone they met online who may coerce or deceive them into sharing images or information. Although sextortion occurs online and often outside of school hours, it can have resounding negative impacts on many aspects of the victims’ lives, including their school lives. Sextortion victims have reported experiencing depression, anxiety, hopelessness, fear, and other negative mental health impacts; have dropped out of school at higher rates; and have engaged in self-harm, including threatening, attempting, or committing suicide, at higher rates.

Sextortion can involve other types of cyber threats, including ransomware. Ransomware is a particular form of computer malware in which perpetrators encrypt users’ files, then demand the payment of a ransom for users to regain access to their data. Ransomware can include an element of extortion, in which the perpetrator threatens to publish data or images, including sexually explicit images, if the victim does not do what the perpetrator wants, such as providing nude photos.

Preparing for Before, During, and After Online Threats

Before an Incident

Schools and school districts can implement several cyber policies and procedures to help keep the whole school community safe from online threats. These include the creation and implementation of RUPs to ensure that students are aware of appropriate online behavior; the use of filtering and blocking software at school to prevent access to inappropriate content; and education for students, staff, and families about the risks of being online and how to stay safe.

Schools and school districts are encouraged to develop an RUP, also known as an Acceptable Use Policy, before students are allowed to access the Internet at school via a school device or the student’s personal device. An RUP is an agreement written in simple and accessible language among parents or guardians, students, and school personnel that outlines the terms of responsible use and consequences for misuse. Families are usually expected to acknowledge that their child(ren) will follow basic guidelines, and students agree to the standards laid out in the policy. RUPs can cover issues such as expectations for online behavior, what resources can be accessed, academic integrity when using technology, and how the school will use student data and information.

One of the first ways to prevent students from accessing inappropriate content—either deliberately or accidentally—is for schools and school districts to use filtering and blocking software, which allows users access to only preapproved websites. Teachers and staff can help determine what sites should be blocked. Regular audits can also be conducted to ensure that appropriate online educational material can still be accessed and to determine if blocked sites should remain blocked.

Schools and school districts are also encouraged to teach students what it means to be a responsible digital citizen as part of a broader strategy of promoting a positive school climate. A digital citizenship curriculum can include topics such as privacy and security, relationships and communication, cyberbullying and digital drama, digital footprints and reputation, self-image and identity, information literacy, and creative credit and copyright. Lessons should be age appropriate, discussions can change depending on the latest digital trends, and topics can include issues like the importance of making only constructive comments online. NetSmartz® is one example of an online safety program with age-appropriate videos and activities to teach children how to be safer online.

Teachers, staff, families, and other adults in the school community can also be educated on online safety. Below are three partner websites that provide resources and information on a variety of threats to students online, including cyber safety threats:

  • The National Center for Missing and Exploited Children® (NCMEC) provides resources for parents and guardians, educators, and law enforcement with the goal of educating, engaging, and empowering children to recognize potential Internet threats, talk to adults about risks, prevent themselves from being exploited, and report victimization to adults.
  • Protecting Kids Online (Federal Trade Commission) provides information on a variety of cyber safety and cybersecurity topics to help parents and families to talk with their students about engaging safely online.
  • Know2Protect (U.S. Department of Homeland Security) is a public awareness activity that provides information and resources to help children, families, and other trusted adults to prevent online CSEA.

During and After an Incident

Students also need to be aware of what to do if they are a victim of an online threat. They can be encouraged to report threats to a teacher, a school counselor, another trusted adult, and the online service provider, if appropriate. Students, teachers, and other members of the public can also contact NCMEC’s CyberTipline to report a concern by

If somebody is in immediate danger or a crime may have been committed, students, teachers, and staff should contact the school resource officer, police officer, or local law enforcement.

Creating a Cyber Annex in the School EOP

It is critical that the whole school community knows what to do to prevent, prepare for, mitigate the effects of, respond to, and recover from possible cyber incidents. The Guide for Developing High-Quality School Emergency Operations Plans (School Guide) provides a recommended six-step planning process that is cyclical and ongoing to help schools develop a high-quality EOP that addresses a variety of threats and hazards that schools may face, including cyber threats.

Cyber threats can be housed in a Cyber Annex to the EOP, which can address both cyber safety (i.e., the human element) and cybersecurity (i.e., information technology [IT] systems and networks). Schools may also opt to create annexes that are specific to individual threats, such as Cybersecurity, Cyber Safety, Sextortion, or Cyberbullying Annexes. When developing activities to address cyber threats before, during, and after an event occurs, a planning team can progress through the six steps as follows.

The planning team will likely comprise a core planning team, school personnel, community partners, and a school district representative. To address cyber threats, the planning team can seek the additional input of individuals such as IT staff; local, state, and federal law enforcement; and emergency management, among others. When identifying actions to address cyber threats to students, the planning team can also look to others who play a role in supporting students’ emotional needs, such as a counselor, a bullying coordinator, and other mental/behavioral health professionals.

Here, the planning team identifies threats, such as cyber threats, and hazards to the whole school community using a variety of data sources; evaluates those risks and vulnerabilities; and prioritizes them for inclusion in the EOP. One assessment that can be especially useful when identifying online threats to the whole school community is a Culture and Climate Assessment. This tool evaluates student, teacher, and staff connectedness to the school and potential behavior problems.

As students can use online platforms, such as social media, to pose or make actual threats to students, teachers, staff, and/or the locality ranging from bullying to targeted violence, another assessment schools should consider implementing is a behavioral threat assessment. The primary purpose of a threat assessment is to prevent targeted violence in schools by students, where a school is deliberately selected as the location for the attack and is not simply a random site of opportunity. Recent technological advances and online threats have created additional considerations for behavioral threat assessments.

After assessing the level of risk posed by threats and hazards, the planning team should work to determine goals and objectives to achieve the best outcome for before, during, and after an incident. Then the team should develop courses of action that describe the who, what, when, and how to meet those objectives.

For example, the planning team can address cyberbullying in the EOP by identifying goals and objectives for before, during, and after an incident. The team can then identify courses of action to help prevent incidents from occurring, provide ongoing protection to the student body, mitigate cyberbullying’s effects, respond to incidents, and help students recover from an event.

Now, the planning team develops a draft EOP and circulates it to obtain feedback from those responsible for implementing the document. They should follow this by editing the EOP based on those comments and obtaining approval from the appropriate leadership. As the Cyber Annex will address both cyber safety and cybersecurity, this part of the document will include goals, objectives, and courses of action for keeping both students and the school’s IT systems and networks safe.

Here, the planning team maintains the EOP via regular reviews and revises it when needed. As new cyber threats are constantly emerging, planning teams may decide to review the Cyber Annex more frequently. Further, individuals with roles outlined in the EOP are trained in their responsibilities, and exercises are also conducted to test the school’s or school district’s ability to respond to a threat or hazard.

Key Cyber Safety Resources

For additional information and resources on cyber safety, please visit the topic-specific resources web page on Digital Health, Safety, and Citizenship.