K–12 Schools Remain Vulnerable to Email Phishing Attacks
Phishing remains the leading cause of data breaches. Bogus emails that con or coerce users into disclosing key personal data are responsible for the vast majority of successful cyberattacks across the public and private sectors.
K–12 education is not immune. More than half of K–12 CTOs say phishing scams are a significant or very significant problem, according to a recent Education Week/Consortium for School Networking survey. One thing to think about during National Cybersecurity Awareness Month: The majority of phishing attacks against K–12 schools last year were carried out over email, exposing sensitive data systems or allowing “malicious third parties” to transmit malware, according to researchers at the K–12 Cybersecurity Resource Center.
In fact, some experts say K–12 may be especially vulnerable. “School districts are often the largest employer in a community, and they have a lot of valuable data. We see mail that looks like it is from the superintendent going to the financial officer or the secretary asking for all W-2 forms or other payroll information,” CoSN CEO Keith Krueger tells EdTech.
“There is a lack of technical sophistication in many districts, and the fact that this is an end-user problem makes it more problematic. People aren’t always paying attention, or they may not have had sufficient training to understand what is at risk,” he says.
The problem is bad enough that, in 2018, the FBI put out a special warning for K–12. Law enforcement officials cautioned that bad actors could target schools for personally identifiable information; biometric data; academic progress reports; and behavioral, disciplinary and medical information, among other things.
Despite the hazards, K–12 leaders can take some basic steps to significantly reduce the risk of a successful phishing exploit.
MORE FROM EDTECH: Learn how K–12 leaders are protecting sensitive data in connected classrooms.
Take These Steps to Prevent Phishing Attacks
Go wide: In training K–12 staff to avoid suspect emails, cast the widest net possible.
“Every employee, from the school clerk to the superintendent, will handle a lot of data, whether it’s financial information or attendance records,” Krueger says.
While some schools drill back-office staff on good email hygiene and others focus on teachers and students, an ideal program will work across all levels of the organization. “There needs to be training across that entire spectrum,” Krueger said.
Make it personal: “For the end user, there is no perceived consequence to getting this wrong,” says Alex Grohmann, a director on the Information Systems Security Association’s international board. To convince employees of the urgency of phishing prevention, IT needs to make it personal.
“This is not just about the company or the institution being at risk — these practices protect them as individuals,” Grohmann says. “This is something that could happen to them personally. They can be compromised at home, and there’s no IT department to ride in and save them. When they understand they there can be personal consequences in this, they will be more likely to use good hygiene.”
Set effective limits: Email filtering tools can help prevent phishing; for example, by rejecting messages that contain suspicious links. But there’s a downside.
“You can only ratchet up those tools to a certain level before you start to impact business operations, before you start blocking legitimate emails that maybe are time sensitive,” Grohmann says. “So you have to do an ongoing balancing act. If you are doing business with a particular vendor or partner, for instance, you can have the IT department set up a secure mailbox so those messages get through. It takes time and effort, but it may be necessary in order to set effective limits that don’t interrupt your operations.”
Assume the worst: Despite all preventive measures, there’s a good chance some phishing acts will succeed. With this in mind, it makes sense to organize systems around the principle of damage control, with role-based controls and network architecture all geared toward limiting an intruder’s access.
“Machines should be isolated in their own networks. People should have the least amount of access needed to do their jobs,” says Shane Chagpar, a solution designer and instructor with IT consultancy Kepner-Tregoe. “The person in marketing shouldn’t be able to view and edit reports from the financial side. Or, they should only be able to view certain reports. You have to be granular in how you grant access.”
Be a better organization: Phishing schemes are psychological in approach: The scammers know that people who are stressed, hurried or under pressure are more likely to respond to an urgent-sounding message. One key way to stop the clicks is to build a friendlier, less harried workplace.
“Pressure and stresses lead to people clicking on emails,” says Daniel Norman, a research analyst with Information Security Forum. “So, if you can reduce the stress and reduce the pressure, if you can create a more positive work environment, that is actually going to reduce the likelihood of people clicking on phishing emails.”
Make training realistic: Anti-phishing awareness doesn’t come from a PowerPoint deck — it comes from hands-on, realistic exercises.
“You might have a Bed Bath & Beyond coupon that looks very real. Or you put things in the email that make people mad: ‘Click here to see pictures of your spouse with someone else,’” says Bruce Beam, CIO of (ISC)2, a nonprofit membership association of certified cybersecurity professionals. “If people are going to learn, the training has to be realistic. It has to be convincing.”