With the school year now back in full swing, we’re already hearing about severe cyberattacks targeted specifically at educational institutions, such as the ones that hobbled three Louisiana school systems, and those that delayed the start of classes by four days in an Alabama district. In fact, a recent study of 17 industries ranked the education sector last in terms of cybersecurity preparedness.
Whether it’s privileged accounts or business email compromise (BEC), teachers are responsible for more than just their students. Coworkers send attachments of reports to each other, log in to multiple platforms to input grades, notes and attendance, and receive emails from parents. Even the most advanced cybersecurity technologies cannot block more than 99% of phishing attacks, which still means thousands of malicious emails get through to faculty and students’ inboxes every single day – and one reckless click puts the school at risk of a serious data breach.
Since the beginning of this school year, employees at Portland Public Schools have been breached, as well as over 4,000 student email accounts at Arizona State University. In the first case, a fraudster contacted Portland Public Schools pretending to be a contractor from one of the institution’s construction companies, asking them to send payment to an account. Of course, the request was illegitimate, and the account illicit. Nevertheless, the employees approved the payments, sending $2.9 million into the ether.
This issue is getting worse, and it calls for more effective awareness training solutions. Phishing is the number one attack targeting educators. As cybersecurity and tech professionals, it’s easier for us to spot these malicious messages. We cannot expect the same level of awareness from educators, who already have so much on their plate, without providing them with the tools, resources, and training they need to improve their cyber-vigilance.
How to Train Teachers
Often, traditional security awareness training (SAT) includes automated training sessions that need to be completed by a certain date. These often take up to an hour to complete and are performed quarterly, twice a year or once a year – and they don’t really help educators.
In terms of phishing or business email compromise attacks, IT decision-makers regard training as a better way to deal with cyber threats than technology solutions – regardless of the size of the staff or workforce, according to Osterman Research.
When it comes to training, phishing simulations are a better way to train against cybersecurity threats because they allow educators to experience “the real thing,” and if done frequently enough, recognizing and reporting those threats becomes second nature.
But how much training is “just enough”? Our findings show that monthly training, at a minimum, is required to ensure consistency and keep cybersecurity awareness top of mind without overwhelming the general population. Higher intensity is recommended for employees at higher risk (such as new employees and ‘serial clickers’). A crucial function of any effective SAT – regardless of frequency of messages – is to teach educators what to look out for. Here are a few examples:
- Email Origin – This is no different than any other profession. Bad links and attachments lead to a world of trouble for the school/district. Look at the actual email address if a message looks strange. You can usually sniff out a potential attack by doing just this one step.
- Links/Attachments – I just touched on this, but it’s important to take a second to take a step back and understand if Mrs. Stone is sending an attachment that you’ve been expecting.
- Privileged Accounts – There are so many opportunities for teachers to write logins down on paper because teachers are accustomed to doing most things on paper. We should be teaching educators how to properly store their privileged accounts.
- Phishing Scams – While this could overlap with a few of the categories listed, threats can also arrive as phony emails from coworkers. Spoof emails from scammers impersonating the IRS, Amazon, and others will pop up and can easily be mistaken for an order for school supplies, or a note regarding a student situation. The simplest thing every educator can do, in each of these situations, is to step back and figure out if these emails were expected in the first place.
It doesn’t stop with educators
While educators and school administration are top targets, students are also high on the hackers’ lists. Financial season, when students wait to hear back on loans and payment status, is a prime time for phishing scams, packaged as emails from the bank or from university officials.
Sadly, when it comes to both educators and students, a variety of factors – being tired, distracted, responding impulsively – can easily lead from one small mistake to a big one. If effective training solutions are a part of the everyday routine, this can greatly decrease the potential nightmares among staff.
Therefore, everyone, from students to educators and administrators, needs to be trained to spot potential cyber attacks – specifically phishing attacks, which account for most data breaches.
Currently, even though users are receiving marginally more security training over time, most users still do not receive adequate training to protect their organizations. Nearly one-third of users receive training no more than once each year, or even less often. Another 29 percent receive security awareness training only two to three times per year.
Training should be continuous, data-driven and adaptive to trainee performance. Furthermore, it has to be localized and specific. Content localization, proven to increase engagement by up to 30%, also makes the learning more memorable, impactful, and relevant.
Educators should be able to focus on their students, and not constantly worry about data breaches. But to effectively achieve their goals, educational institutions also need to secure and retain control over their sensitive information and resources. The only way to unite these imperatives is to implement a training program that makes cybersecurity vigilance second nature, encouraging employees to incorporate anti-phishing techniques into their regular, habitual processes. An effective training program that relies on a proven methodology can greatly change behavior and prevent another school from making the wrong headlines. Most importantly, it will safeguard information and resources that were designed to enrich students and not scammers.