When it Comes to Cyber Threats, Educators Need Education Too

By Aby David Weinberg
image January 04, 2022 image 4 MIN READ

With the school year now back in full swing, we’re already hearing about severe cyberattacks targeted specifically at educational institutions. For instance, the recent cyberattack on the Riverhead Central School District is believed to have been “specifically targeted” at the district, according to Superintendent Augustine Tornatore. Thanks to unsafe devices, distracted security staff, and COVID-inspired phishing schemes, cyberattacks have hit schools and colleges harder than any other industry during the pandemic. From Aug. 14 to Sept. 12, 2021, educational organizations were the target of over 5.8 million malware attacks or 63% of all such attacks.

Whether it’s privileged accounts or business email compromise (BEC), teachers are responsible for more than just their students. Coworkers send attachments of reports to each other, log-in to multiple platforms to input grades, notes, and attendance, and receive emails from parents. Even the most advanced cybersecurity technologies can not block more than 99% of phishing attacks, which still means thousands of malicious emails get through to faculty and students’ inboxes every single day – and one reckless click puts the school at risk of a serious data breach.

This issue is getting worse, and it calls for more effective awareness training solutions. Phishing is the number one attack, targeting educators. As cybersecurity and tech professionals, it’s easier for us to spot these malicious messages. We cannot expect the same level of awareness from educators, who already have so much on their plate, without providing them with the tools, resources, and training they need to improve their cyber-vigilance. 

How to Train Teachers

When it Comes to Cyber Threats, Educators Need Education Too Often, traditional security awareness training (SAT) includes automated training sessions that need to be completed by a certain date. These often take up to an hour to complete and are performed quarterly, twice, or once a year – and they don’t really help educators. 

In terms of phishing or business email compromise attacks, IT decision-makers regard training as a better way to deal with cyber threats, compared to technology solutions – regardless of the size of particular staff or workforce, according to Osterman Research.

When it comes to training, phishing simulations are a better way to train against cyber security threats because they allow educators to experience “the real thing,” and if done frequently enough, recognizing and reporting those threats becomes second nature. 

But how much training is “just enough”? Our findings show that monthly training, at a minimum, is required to ensure consistency and keep cyber security awareness top of mind without overwhelming the general population. Higher intensity is recommended for employees at higher risk (such as new employees and ‘serial clickers’). A crucial function of any effective SAT – regardless of the frequency of messages –  is to teach educators what to look out for. Here are a few examples: 

It doesn’t stop with educators

It doesn’t stop with educators While educators and school administration are top targets, students are also high on the hackers’ lists. Financial season, when students wait to hear back on loans and payment status is a prime time for phishing scams, packaged as emails from the bank or from university officials.

Sadly, when it comes to both educators and students, a variety of factors –  being tired, distracted, responding impulsively – can easily lead from one small mistake to a big one. If effective training solutions are a part of the everyday routine, this can greatly decrease the potential nightmares among staff.

Therefore, everyone, from students to educators and administrators, needs to be trained to spot potential cyber-attacks – specifically phishing attacks, which account for most data breaches. 

Currently, even though users are receiving marginally more security training over time, most users still do not receive adequate training to protect their organizations. Nearly one-third of users receive training no more than once each year, or even less often. Another 29 percent receive security awareness training only two to three times per year.

Training should be continuous, data-driven, and adaptive to trainee performance. Furthermore, it has to be localized and specific. Content localization, proven to increase engagement by up to 30%,  also makes the learning more memorable, impactful, and relevant. 

Educators should be able to focus on their students, and not constantly worry about data breaches. But to effectively achieve their goals, educational institutions also need to secure and retain control over their sensitive information and resources. The only way to unite these imperatives is to implement a training program that makes cybersecurity vigilance second nature, encouraging employees to incorporate anti-phishing techniques into their regular, habitual processes.  An effective training program that relies on a proven methodology can greatly change behavior and prevent another school from making the wrong headlines. Most importantly, it will safeguard information and resources that were designed to enrich students and not scammers.

Ready to learn more about autonomous awareness training for educators? Request a demo with one of our experts to find out if CybeReady is the best fit for your institution.