IT professionals will tell you about the importance of securing your network from unauthorized access. The difficulty has increased over the last ten years, as attackers have added social engineering to brute-force attacks. When that network is school-based, the stakes are higher: personal data about children and staff is involved, and there is an implicit level of trust between the school and parents.
That’s why it’s more important than ever to ensure your school’s network is secure and to educate teachers and students about hacking efforts like phishing and ransomware attacks. With proper security awareness training, your school network becomes safer and more secure.
Why School Networks are Prime Targets for Phishing Attacks
School districts are high-value ransomware targets: they tend to be a large employer within the community and hold sensitive data on students, families, and staff. Combined with the relative inexperience of students and staff in dealing with cyberattacks, this creates an opportunity for phishing and ransomware attacks that rely on social engineering rather than technical exploits.
Smaller school networks don’t always have full-time technology staff, and even larger school systems are often understaffed in their IT departments. With sensitive data at stake, and attackers using social engineering to gain access to networks, it’s crucial for K-12 school networks to have security awareness training. The Baltimore County school system spent $7.7 million after a ransomware attack in November 2020, and a similar amount in 2019.
The Consortium for School Networking’s 2019 survey, The State of EdTech Leadership in 2020, showed that 32% of data breaches involved phishing attacks, and that a pilot program reduced the rate at which employees responded to a simulated phishing attack from 40% to 7% over a three-year period.
It’s essential to make users aware of how phishing works, what phishers are after, and the techniques they commonly employ. Sending out an “all staff” email produces mixed results: users often ignore or skim the information rather than reading and understanding it. A better strategy is to give them a real-life example in a safe and controlled fashion.
Preparing For a Test
Before starting on a phishing test, it’s crucial to ensure that you have the support of your administration, both inside the IT department and the stakeholders or management of the “business” side. An excellent way to begin is to discuss the importance of network security and explain that while it’s possible to build a solid wall against hacking, a single user unknowingly handing the keys over to the bad guys can undo everything.
It’s also essential to present the phishing test as a positive measure, not a punitive one. The test does, after all, involve tricking users to see whether they are paying attention, and if it is presented badly, users may resent it or hide their mistakes instead of reporting them.
An important aspect of a successful security awareness training event is to provide the users with initial training or awareness of the concept. In the same way that a surprise quiz on calculus on the first day of class won’t teach students much or give you a good indication of what you’ve taught them, you need to introduce them to the material first.
Starting with an educational email or short video about Phishing, what it is, and how it works is a significant first step. It ensures that the users are familiar with the subject and know what to look for and provides that first encounter with what you’re about to test them on. This plants the concept in the users’ minds, which becomes important in the later stages of educating them.
Once the initial information is sent out and a short time has passed, it’s time to test the users. By using a security awareness platform like Hook Security, it becomes easy to both prepare and carry out a phishing test and identify risks.
Educating and Training Users in Action
The users are sent simulated phishing emails to see whether they identify the emails and report them to IT, or whether they click the link and fall for the lure. You’ll immediately see the success or failure rate of the test, and gain an understanding of where more education is needed.
Instant Training also gives the user immediate feedback as they make their mistake, which allows for relatable training, and also doesn’t take much time, allowing them to get back to work. In the same way that an unexpected event or near-miss while driving puts people into a more cautious headspace, users will be more aware going forward, and screen emails more carefully.
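The two preceding paragraphs describe what a phishing platform does behind the scenes: each recipient gets a unique link, the landing page and the “report phishing” button record what each person did, and the campaign is scored from those events. The following is an added example of that bookkeeping, not code from this page or from Hook Security. The domain, recipient addresses, campaign secret, and log lines are all constructed for illustration.

```python
"""Minimal phishing-simulation tracker.

Per-recipient tracking tokens, a constructed event log (clicks on the lure,
credential submissions on the landing page, and uses of the report button),
and the campaign metrics an administrator would look at afterwards.
"""
import hashlib
import hmac
from collections import defaultdict

# Hypothetical campaign secret; in practice load it from a secrets store.
CAMPAIGN_SECRET = b"example-campaign-secret-not-for-production"

# Constructed recipient list (example data, not any real district).
RECIPIENTS = [
    "a.teacher@example-k12.org",
    "b.admin@example-k12.org",
    "c.counselor@example-k12.org",
    "d.secretary@example-k12.org",
]


def make_token(campaign_id: str, email: str, key: bytes = CAMPAIGN_SECRET) -> str:
    """Derive a per-recipient tracking token.

    An HMAC over (campaign, address), rather than a plain hash of the
    address, means a user cannot forge a colleague's token and the address
    cannot be recovered from a link that gets forwarded around.
    """
    msg = f"{campaign_id}\n{email.lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def build_campaign(campaign_id: str, recipients,
                   base_url: str = "https://training.example-k12.org/lure"):
    """Return ({token: email}, {email: unique link}) for one campaign."""
    tokens = {make_token(campaign_id, r): r for r in recipients}
    links = {r: f"{base_url}?t={t}" for t, r in tokens.items()}
    return tokens, links


def parse_events(lines):
    """Parse constructed log lines of the form '<timestamp> <action> <token>'."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore malformed lines rather than crash the report
        _ts, action, token = parts
        events.append((action, token))
    return events


def campaign_metrics(tokens, events):
    """Score a campaign from its events.

    Users are counted once per action no matter how often they clicked, and
    a user who clicked and then reported counts in both columns: that is the
    instant-training success case and is worth tracking separately.
    """
    per_user = defaultdict(set)
    unknown = 0
    for action, token in events:
        email = tokens.get(token)
        if email is None:
            unknown += 1  # forged or mistyped token: never attribute it to anyone
            continue
        per_user[email].add(action)

    n = len(tokens)
    clicked = sum(1 for a in per_user.values() if "click" in a)
    submitted = sum(1 for a in per_user.values() if "submit" in a)
    reported = sum(1 for a in per_user.values() if "report" in a)
    reported_after_click = sum(1 for a in per_user.values() if {"click", "report"} <= a)
    return {
        "recipients": n,
        "clicked": clicked,
        "submitted": submitted,
        "reported": reported,
        "reported_after_click": reported_after_click,
        "no_action": n - len(per_user),
        "unknown_tokens": unknown,
        "click_rate": clicked / n,
        "report_rate": reported / n,
    }


# Constructed event log for the campaign above: one user clicks and submits
# credentials, one reports straight away, one clicks and then reports after
# seeing the training page, one does nothing, and one event carries a forged token.
CAMPAIGN_ID = "spring-2021"
TOKENS, LINKS = build_campaign(CAMPAIGN_ID, RECIPIENTS)
EVENT_LOG = [
    f"2021-03-01T08:02:11Z click {make_token(CAMPAIGN_ID, 'a.teacher@example-k12.org')}",
    f"2021-03-01T08:02:40Z submit {make_token(CAMPAIGN_ID, 'a.teacher@example-k12.org')}",
    f"2021-03-01T08:05:03Z report {make_token(CAMPAIGN_ID, 'b.admin@example-k12.org')}",
    f"2021-03-01T08:09:19Z click {make_token(CAMPAIGN_ID, 'c.counselor@example-k12.org')}",
    f"2021-03-01T08:10:02Z report {make_token(CAMPAIGN_ID, 'c.counselor@example-k12.org')}",
    "2021-03-01T09:00:00Z click 00000000000000000000000000000000",
]


def run_example():
    return campaign_metrics(TOKENS, parse_events(EVENT_LOG))


if __name__ == "__main__":
    for k, v in run_example().items():
        print(f"{k}: {v}")
```

Two points a practitioner would keep in mind: report rate is a more useful number than click rate alone, because the goal of the exercise is to make reporting a habit, and events with unrecognized tokens are counted but never attributed to a user, so a tampered link cannot put a click on someone else's record.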
Because social engineering targets people rather than systems, IT staff have to rely on users for some aspects of K-12 school network security, so it’s important to educate them and have them on the lookout for phishing attempts. Phishing tests are a great way to educate quickly, effectively, and preventatively.