Phishing Scams: Don’t Take the Bait


Just glance at your inbox and odds are you’ll find at least one variety of phishing scam or email hack. Whether it’s spear phishing, spoofing, account takeovers through embedded malware, or that time-honored plea from a Nigerian prince, there’s no doubt that our schools’ email systems are under near-constant attack.

One careless click of a link can turn a teacher’s account into a spam factory, landing your email system on a blacklist and cutting off communication with the rest of the world. Providing employee tax information to a phisher posing as your superintendent, for example, can result in the identity theft of hundreds of employees.

The sad truth is that phishing and spamming scams are now part of life in this digital age. But through more engaging education, more authentic practice, and more creative protection practices, schools have a much better chance of mitigating the impact.

NEVER STOP EDUCATING

Studies indicate that annual, one-off email security awareness training is not effective. Here are some more effective ways an IT department can educate school staff to reduce the risk of cyber attacks:

■ Send periodic email reminders about common phishing strategies. This can reduce the number of users who fall victim to email-based threats. Don’t be overly specific in these messages, or your staff might lose interest or believe you’re only concerned about a particular scam and miss the general concepts of email safety.
■ Connect with users on a personal level. Let staff know that learning to recognize phishing scams protects them not just at work but also can help them avoid personal email scams that come in many forms—from online banking to social media and even online dating sites.
■ Mistakes happen. Make sure your teachers feel comfortable approaching you about mistakes and asking for help. To avoid detection, an infected email account usually will not initiate the release of thousands of spam emails until the weekend or late at night. Quickly changing a user’s password is often all that is needed to avoid infecting your entire network. Let your staff know that prompt reporting of any phishing concerns is crucial.
■ Back up data regularly. In the age of the cloud, the fear of wiping a computer in order to stop a virus should no longer deter a teacher from reporting a breach. Remind teachers just how easy it is to back up and restore devices.
■ Reevaluate staff policies. Multiple mistakes by individual staff members can be considered grounds for corrective action. Consider revising employee technology use policies and include resources that support cyber security best practices in staff handbooks. Proactively involve unions to affirm that effective and reliable communication is a core function of schools.

PRACTICE MAKES PERFECT

All of the training, resources, warnings, and exhortations to vigilance can still come up short when users come face-to-face with a well-crafted phishing email. Because of this, many districts are choosing to implement phishing simulations. The theory is that if people are exposed to a few instances of simulated hacks and are met with fairly immediate educational feedback, then the likelihood of falling for the real thing will be diminished.

Phishing simulations are common in government and business sectors, but less so in public education—and they’re not usually embraced warmly by employees. An IT department can help school staff see the benefit of phishing simulations. Let users know that these periodic tests can help all staff become more savvy about spotting phishing scams so that less convenient security practices, such as two-factor authentication or overly restrictive password policies, can be avoided. Phishing simulations can also discreetly identify specific employees who need additional email safety training, rather than requiring all teachers to sit through training sessions.

Teachers resent group punishment, but they typically welcome collective rewards. Rather than shame those who fail, celebrate those who succeed. Consider canceling a routine staff meeting following a highly successful phishing simulation, or at the very least cater that meeting with everyone’s favorite pizza or donuts. Some schools enter the names of those who didn’t take the phishing bait into a drawing for gift cards or preferential parking spaces. No one needs to know whose names are in the prize hat, or whose names are on the list for personalized support. These are small prices to pay when contrasted with the lost time and energy and breakdown of communication that result from an email breach.

SECURE THE PERIMETER

Certainly, education and practice are critical in the fight against phishing, but there are technology-based approaches to consider in this seemingly endless assault on our lines of communication. Consider these approaches to stanch the flow of ill-intentioned email:

■ Familiarize yourself with the anti-spoofing authentication methods that all major email solutions support, such as DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF). Explore attachment sandboxing to catch the really nasty malware that can infect multiple systems quickly.
■ Trying to block the ever-changing names and email addresses of phishers is an endless game of Whack-a-Mole, but you might be surprised just how unoriginal many phishers are, relying on oft-repeated and awkward verbiage. Phrase blocking via your email filter is a very effective way of stopping phishers before they ever get through the gates.
■ Encourage the use of alternate forms of communication. Very few people in schools should be sending hundreds of external emails. Use services like Remind or School Messenger to keep your blacklist ratings low. It only takes a handful of spam complaints for a local ISP to throttle delivery or block your communications entirely.
■ Proactively monitor blacklists and review your sender reputation. Removal from block lists can be a time-consuming and often manual process. Don’t wait until all outbound communication has ceased before clearing or establishing your school’s good name.
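As an added illustration of how SPF blocks spoofed senders (example code written for this page, not from the article or any mail product), here is a minimal SPF evaluator that checks a sending IP against a domain's published policy. The domains, IP addresses and SPF records are constructed assumptions standing in for live DNS TXT lookups.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical domains and records).
DNS_TXT = {
    "example-school.org": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF record for a domain from the constructed table, or None."""
    record = DNS_TXT.get(domain)
    return record if record and record.startswith("v=spf1") else None


def check_spf(domain, sender_ip, _depth=0):
    """Evaluate sender_ip against the SPF policy of domain.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    A receiving mail server rejects or flags mail whose envelope sender
    domain yields 'fail' or 'softfail', which is what stops a phisher from
    simply putting the superintendent's address in the From field.
    """
    if _depth > 10:  # RFC 7208 limits the number of chained lookups to 10
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"  # domain publishes no policy: spoofing cannot be detected
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        result = RESULT_FOR_QUALIFIER[qualifier]
        if term == "all":  # catch-all term decides unmatched senders
            return result
        mechanism, _, argument = term.partition(":")
        if mechanism in ("ip4", "ip6"):
            # 'in' is False when the address and network versions differ
            if ip in ipaddress.ip_network(argument, strict=False):
                return result
        elif mechanism == "include":
            if check_spf(argument, sender_ip, _depth + 1) == "pass":
                return result
        # a, mx and exists mechanisms need live DNS and are skipped here
    return "neutral"  # no term matched and no 'all' was present
```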

IT TAKES A VILLAGE

A failure of basic email safety impacts everyone—teachers, students, families and the community. Keeping communication flowing is a shared responsibility. As IT works to limit the threats that make it into our inboxes, teachers need to be engaged in authentic cyber-security learning experiences so they know exactly what to do when facing a suspicious email. There’s no silver bullet in the fight against email hacking, but a concerted and multi-pronged effort involving all stakeholders can keep the phishing wolves at bay.

Andrew Wallace is the director of technology for South Portland (ME) schools and is the president of the Maine Educational Technology Directors Association. Connect with him @andrewtwallace


Five Things to Look for in 2019 on Student Data Privacy

117 state bills and 22 laws written in 2018; 43 states have passed foundational student data privacy legislation

Here’s what to look for in 2019:

All eyes on the feds—There’s increasing interest in federal privacy legislation from both sides of the aisle in Congress.

Children first—Look for discussions about providing students between the ages of 13 and 16 with more control over their personal information.

Hands off—The best way to protect privacy and eliminate data breaches is to not collect the data in the first place.

States in action—Discussions from 2018 will turn into action in 2019. Watch Illinois, Minnesota, and Pennsylvania.

A new sheriff in town—Both the FTC and the Education Department need to ramp up their enforcement of existing privacy laws.

SOURCE: EdSurge, https://tinyurl.com/y7yg5ff6

Education Ranked Worst at Cybersecurity out of 17 Major Industries

SecurityScorecard has ranked education the worst in cybersecurity. The analysis, published in December, reveals incredible risk to student data as hackers become more adept at accessing student and school data.

Areas of cybersecurity weakness:

• Application security
• Endpoint security
• Patching cadence
• Network security
• Insufficient staffing
• Phishing scams, which account for 41% of cybersecurity incidents.

SOURCE: EdScoop, https://tinyurl.com/ycyx5g3s

Resources & Definitions

Resources: Security awareness training and detection software https://www.knowbe4.com

Phishing simulators https://resources.infosecinstitute.com/top-9-freephishing-simulators

List of email scams maintained by the Federal Trade Commission https://www.consumer.ftc.gov/features/scam-alerts

Definitions (adapted from https://www.techopedia.com & https://techterms.com)

Social Engineering: The non-technical cracking of information security. It applies deception for the sole purpose of gathering information, fraud or system access. It is an umbrella term that includes phishing.

Phishing: The fraudulent act of acquiring private and sensitive information, such as account usernames and passwords. Using social engineering techniques and computer programming expertise, phishers lure email recipients into believing that a spoofed website is legitimate and genuine.

Account Hijacking: A process through which an email or computer account is stolen by a hacker. It’s a type of identity theft in which the hacker uses the stolen account information to carry out malicious or unauthorized activity.