6 Ways to Protect K-12 Institutions from Phishing Scams
Nobody is safe from a scam, especially a Phishing scam. These pesky emails, which trick users into disclosing sensitive information and/or put your network security at risk, remain a leading cause of data breaches. This problem is still a major concern in K-12 Education environments.
According to a survey conducted by Education Week/Consortium for School Networking, over 50% of K-12 CTOs say phishing is a significant problem in their institution. Phishing attacks in the K-12 environment seem to overwhelmingly take place through email. The emails either expose sensitive information or allow for the transmission of malware.
Phishing emails are a large threat to educational institutions because in many instances staff and faculty are not properly trained to spot these malicious threats. “There is a lack of technical sophistication in many districts, and the fact that this is an end-user problem makes it more problematic. People aren’t always paying attention, or they may not have had sufficient training to understand what is at risk,” says Keith Krueger, CEO of CoSN.
Phishing has become such a problem in K-12 Schools, that in 2018 the FBI released a special warning stating that “bad actors” can target schools for personally identifiable information including academic progress reports, behavioral and medical information, biometric data, and more.
Can anything be done to combat Phishing in educational institutions? Yes. Below are 6 steps you can take to help prevent Phishing attacks in your K-12 institution:
1.) Don’t limit who receives Phishing Awareness Training
When training staff and faculty about the risks related to Phishing scams and how they can be prevented, do not limit it to just teachers and administrators. Make sure everyone receives instruction, from teachers, to school clerks, to even the students. Anyone who has access to an email account or computer in the institution should receive training on the threats that Phishing emails pose, as well as best practices to avoid becoming a victim.
2.) Make it personal
Preventative training against cybersecurity threats carries little sense of urgency for an end user, as nothing has actually happened yet. To get staff, faculty and students to understand the real threat of a Phishing scam, your IT staff should try to make the training personal by relating it to a personal story, or by giving examples of real-life problems these scams can cause. By giving them a relatable example of the damage that can occur, and tying it to the fact that this can happen to them, your end-users are more likely to practice good email habits.
3.) Be realistic about the limits you set on filtering tools
As an IT Director in a K-12 institution, it is likely that you have an Email Filtering program in place. Filtering programs can help prevent Phishing emails from getting through, but it is also important to think carefully about how strictly you set the limits of these tools.
Alex Grohmann, a director on the Information Systems Security Association’s international board says, “You can only ratchet up those tools to a certain level before you start to impact business operations, before you start blocking legitimate emails that maybe are time sensitive. So you have to do an ongoing balancing act. If you are doing business with a particular vendor or partner, for instance, you can have the IT department set up a secure mailbox so those messages get through. It takes time and effort, but it may be necessary in order to set effective limits that don’t interrupt your operations.”
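To make the balancing act described above concrete, here is an added example (not the article's code, nor any vendor's filtering product): a toy scoring filter run over three constructed messages. The scoring rules, thresholds, sender domains and message contents are all assumptions made up for illustration. It shows that a strict threshold blocks a time-sensitive but legitimate vendor message along with the phishing one, that relaxing the threshold lets the vendor message through, and that a per-vendor allowlist (the "secure mailbox" idea from the quote) lets you keep the strict threshold without losing that vendor's mail.

```python
# Added example: toy email scoring filter illustrating the strictness trade-off.
# Not the article's code and not a real product; all rules and samples are constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet


@dataclass
class Message:
    sender: str
    subject: str
    body: str


# Constructed heuristic signals a simple content filter might score on.
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "account suspended")
CREDENTIAL_WORDS = ("password", "verify your account", "login")
SUSPICIOUS_TLDS = (".xyz", ".top")  # constructed "unfamiliar domain" signal


def sender_domain(msg: Message) -> str:
    """Return the lower-cased domain part of the sender address."""
    return msg.sender.rsplit("@", 1)[-1].lower()


def score(msg: Message) -> int:
    """Return a suspicion score; higher means more phishing-like."""
    text = f"{msg.subject} {msg.body}".lower()
    s = 0
    s += 2 * sum(w in text for w in URGENCY_WORDS)      # pressure language
    s += 2 * sum(w in text for w in CREDENTIAL_WORDS)   # credential bait
    if "http://" in text:                               # plain-HTTP link
        s += 1
    if sender_domain(msg).endswith(SUSPICIOUS_TLDS):
        s += 2
    return s


def classify(msg: Message, threshold: int,
             allowlist: FrozenSet[str] = frozenset()) -> str:
    """'allow' or 'block'. Allowlisted vendor domains bypass the threshold,
    which is the filter-side analogue of the dedicated vendor mailbox."""
    if sender_domain(msg) in allowlist:
        return "allow"
    return "block" if score(msg) >= threshold else "allow"


# Constructed sample messages (domains and contents are made up).
SAMPLES = {
    "phish": Message(
        "it-support@school-portal.xyz",
        "URGENT: account suspended",
        "Your password expires today. Verify your account immediately at "
        "http://school-portal.xyz/reset",
    ),
    "vendor": Message(
        "billing@example-textbooks.com",
        "Urgent: purchase order needs approval within 24 hours",
        "Please sign in to the vendor portal and approve PO 4471 before the cutoff.",
    ),
    "benign": Message(
        "principal@example-district.org",
        "Staff meeting Thursday",
        "Agenda attached.",
    ),
}


def evaluate(threshold: int, allowlist: FrozenSet[str] = frozenset()) -> Dict[str, str]:
    """Run every sample through the filter and return name -> decision."""
    return {name: classify(m, threshold, allowlist) for name, m in SAMPLES.items()}


def false_positives(decisions: Dict[str, str]) -> int:
    """Count legitimate samples (everything except 'phish') that were blocked."""
    return sum(1 for name, d in decisions.items() if name != "phish" and d == "block")


if __name__ == "__main__":
    print("strict  :", evaluate(4))                                  # vendor mail blocked
    print("relaxed :", evaluate(6))                                  # vendor mail allowed
    print("strict+allowlist:", evaluate(4, frozenset({"example-textbooks.com"})))
```

Note that the allowlist is keyed on the sender domain only; in a real deployment you would pair it with sender authentication (SPF/DKIM/DMARC) so that a spoofed "vendor" address does not inherit the exemption.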
4.) Always assume the worst
You can seemingly be doing everything right – you can have an email filter in place, you can train every last person in your institution and there is still a chance that a Phishing email can get through. Even worse, there is a chance it can succeed.
Never assume that just because you’ve taken all the right steps to prevent Phishing, it won’t happen. Understanding this will allow you to organize systems around the idea of “damage control” – systems that can be set up to limit an intruder’s access should they get through.
5.) Maintain a Good Organizational Culture
By creating an enjoyable environment for all, students, faculty and staff will become less stressed and rushed. One technique widely used in Phishing scams is to prey on the target’s sense of stress.
“Pressure and stresses lead to people clicking on emails. If you can reduce the stress and reduce the pressure, if you can create a more positive work environment, that is actually going to reduce the likelihood of people clicking on phishing emails,” according to Daniel Norman, Research Analyst at Information Security Forum.
6.) Make learning hands-on
To make end-users actually retain everything they’re learning, you have to make it realistic for them.
Bruce Beam, CIO of (ISC)2, says, “You might have a Bed Bath & Beyond coupon that looks very real. Or you put things in the email that make people mad: ‘Click here to see pictures of your spouse with someone else.’ If people are going to learn, the training has to be realistic. It has to be convincing.”
By presenting real-world examples and showing how to deal with them, the training becomes realistic and is far more likely to be remembered.
Story via EdTech Magazine