K–12 IT Teams Use Phishing Simulations to Boost Cybersecurity

The value of digital information is rising, and with it the importance of keeping that information safe. This need rings especially true in K–12 institutions that must protect the information of students, many of whom are too young to understand the value of their data. 

While cybersecurity systems are becoming more advanced and difficult to bypass, human error remains a significant vulnerability when it comes to protecting student data.

At a congressional hearing before the House Committee on Education and the Workforce, David Couch, CIO for the Kentucky Education Technology System at the Kentucky Department of Education, testified to the impact human error has on education security.

“By far the greatest vulnerability to our systems is internal staff who fall victim to phishing attempts,” Couch said during the hearing, EdScoop reports. Couch testified there has been an 85 percent increase in phishing attacks in Kentucky over the past year, and attacks will continue to rise if gone unchecked.

SIGN UP: Get more news from the EdTech newsletter in your inbox every two weeks!

Target Security Training in Schools by Finding Where the Threats Are

While education may not seem like the most obvious target for cyberattackers, there is clearly a threat to K–12 institutes. Simulated phishing programs can help identify the holes in districts’ cyberdefenses.

According to research conducted by KnowBe4, a security awareness training company, an average of 27 percent of simulated phishing emails are successful in the education sphere, THE Journal reports. The research found that organizations with fewer than 250 employees are at the greatest risk, with 29 percent of employees considered “phishing prone,” compared to 26 percent at organizations with more than 250 employees.

In Bristol, T.N., simulations revealed significant openings for malicious cyberattacks against the district, according to EdScoop. 

“We ran a phishing test at school,” Gary Lilly, superintendent of Bristol Tennessee City Schools, tells EdScoop, “and I expected the results to be pretty good, indicating that our staff was not susceptible to phishing attempts.” Instead, nearly 20 percent of staff proved unprepared to report or act against a phishing attempt.

Simulation Programs Help Educators Prepare for Phishing Attempts

While human error can be a district’s greatest weakness against cyberattacks, a properly trained staff can also be its greatest defense.

KnowBe4 provided training to phishing-prone educators using simulation programs similar to those used by Symantec or Kapersky Lab. After three months, the number of educators likely to be fooled by phishing attempts dropped from 29 percent to 17 percent in smaller schools, and from 26 percent to 20 percent in larger schools. At the Metropolitan School District of Wayne Township, Ind., administrators adopted phishing simulation software after the district suffered four ransomware attacks, according to an InfoSec Institute press release.

For Pete Just, the district’s CTO, the secret is to approach phishing simulation and cybersecurity education the same way teachers approach education with their students.

“We teach our faculty to tailor their student learning through actionable classroom data,” Just tells InfoSec. “If we want to teach them something new, we first assess what they know, rather than making them sit through a three-hour training.” Since Just introduced the phishing simulation software to the district, the school system has been ransomware-free for 18 months.