Fake Phishing Emails Underscore Need for Training
The results of the experiment were alarming. Of 572 fake phishing emails sent out:
- 474 were opened
- 272 people clicked the link in the email
- 113 people logged into the site, providing their username and password
- 45 people entered additional information, such as their room numbers and school names, into a public Google Sheet
It was clear our employees needed cybersecurity training. The test also revealed another urgent issue: passwords. We needed teachers to create new passwords because they likely had compromised previous ones.
The experiment also made it clear many of our employees can’t recognize the signs of a potential phishing threat. I shared information about the experiment and the results with all employees along with tips for better managing sensitive information that could compromise network security or their own personal data.
Determining Next Steps for Improved Cybersecurity
The experiment is driving conversations among my team and district leaders about next steps for a more proactive approach to preventing cyberattacks. We already use content filters; the Children’s Internet Protection Act, a Federal Communications Commission provision, ties E-rate discounts to criteria that include monitoring online safety and security. But those filters only capture internet usage.
We also use spam filters and related features built into the Google Admin suite and block teachers from adding extensions or VPNs. But we need to do more. Here are some of the changes we have implemented or are discussing for future implementation.
Cloud storage: One key step is to store student data in the cloud. We started storing data in the cloud instead of on-site to remove internal servers as a potential cybersecurity risk.
Network segmentation: Putting all district schools on different VLANs is a way to boost security as well as performance.
Security software and insurance: The main goal is to ensure classes can go on, that schools can continue to operate, even after a cyberattack. My district uses Cylance on all of our PCs for extra protection and filtering. We also are exploring cybersecurity insurance — a discussion that includes district school board members and the board attorney. With ransomware attacks, cyberthieves can hold districts hostage for hundreds of thousands of dollars or more. The typical school district doesn’t have that sort of money on hand.
Professional development: It’s important for teachers to receive regular training on cybersecurity and email hygiene. In my district, we use faculty meetings as one way to directly share this information. We also are considering offering cybersecurity training for teachers in the summer. We are discussing appropriate interventions for employees who are repeatedly reckless with sensitive information.