Jul 17 2019

Phishing in K–12: How to Avoid Taking the Bait

Schools can safeguard against a growing cyberthreat with layers of protection software and continuous education.

Cybersecurity is critical to making sure students are safe as they use digital tools. In school systems that provide one-to-one devices to students, phishing is a top concern among IT professionals.

“Of attack types, phishing is by far the security threat that most concerns districts,” according to a Consortium for School Networking report. Schools, with their troves of sensitive personal and financial information about staff and students, make attractive targets. The identities of young people, less likely to be monitored for suspicious activity, are especially sought after. 

Spear-phishing attacks in particular, which target specific people with messages that seem to come from an institution or someone they know, are increasing.

Attacks in 2018 targeting district officials that succeeded in redirecting payments from legitimate suppliers to criminal accounts “resulted in the theft of hundreds of thousands or even millions of dollars,” The K–12 Cybersecurity Resource Center reports.

Today, K–12 districts must be more proactive than ever to resist the rising tide of phishing attacks. For many — especially those with limited IT resources — the question is, how? 


Construct Layers of Prevention and Protection for Users

Up-to-date patching, anti-virus, anti-malware and firewalls are the first line of defense. Most browsers have built-in protections warning users about potentially risky emails and sites. Turning on the multifactor authentication available in browsers such as Google Chrome will further protect against scams. 

Limiting the damage from successful attacks takes layered K–12 security, from data to endpoint, network to cloud. For some schools, engaging security and risk consultants to help review, test and improve security makes sense. Districts can also use cybersecurity frameworks, such as those developed by the National Institute of Standards and Technology, to assess where they are and where they need to be.

Quick detection and response require vigilance, visibility and expertise. Some districts have their own security operations centers. Others use managed detection and response services to get round-the-clock, worldwide surveillance and analysis of attacks.


Teach Educators and Students to Be Click-Savvy

Schools can reduce susceptibility by increasing community awareness of phishing threats and techniques. It’s not just students who are easily fooled — many administrators and faculty, as well, lack basic awareness and skills, such as checking the domain name on the browser toolbar.

Simulating phishing attacks is a cost-effective way to assess the current state of knowledge and raise awareness. KnowBe4, Wombat, and PhishingBox offer services that enable schools to customize and send simulated phishing emails to show users how to identify phishing in a safe, controlled environment.

Results from these tests can provide schools with benchmark data to justify additional cybersecurity investments and measurements to help them monitor for improvement over time.

In addition to learning to recognize and avoid phishing attempts, students, faculty and administrators should be empowered to act as a kind of human firewall.

Empowering people as important players in a school’s defense can help them overcome feelings of shame or fear of punishment that might keep them from coming forward right away if they think they’ve been phished. 

By encouraging users to be cautious and making it easy to report any kind of suspicious activity, IT can gain timely intelligence and reduce the likelihood of having to clean up a security mess later.

More Advanced Scams Call for Greater Defenses

Phishing attacks are becoming much more sophisticated, as criminal organizations with considerable resources set ever sharper hooks. 

Fortunately, there are next-generation tools using AI and machine learning that can help districts stay one step ahead of bad actors. Solutions such as the new Dell SafeGuard and Response, which combines AI-driven and cloud-native endpoint protection from CrowdStrike with expert threat intelligence and response management by SecureWorks, are a step toward providing schools with simpler, smarter and more affordable protection.

As part of their digital literacy, students need to learn how to spot, avoid and report phishing — skills they will carry with them beyond school as good digital citizens.
