EDTECH: Which demographics are the most vulnerable to cyberthreats such as phishing?
PLAGGEMIER: We have data from a report we do called “Oh, Behave!” that shows that older folks are slower to click on things and more distrustful of technology. Younger folks are faster to click and are more likely to click on something they shouldn’t.
Digital natives have a comfort level and trust with technology, so while we think of our kids being tech savvy, they’re not security savvy.
EDTECH: What new phishing threats should K–12 users be aware of? How are cybercriminals stepping up their game?
PLAGGEMIER: The most difficult attacks for an end user to recognize are when a trusted partner has had their network compromised and somebody has control of their email, so you’re getting a phishing email from an address that’s not spoofed.
When the bad guys get control of an email account, they work really quickly because they don’t know how long they’re going to have that control. They set up auto-forwarding rules and they find threads they can jump in on, and those can be really hard to detect.
There’s also spear phishing, which is when phishing is tailored to someone’s role, and whaling.
Whaling is a type of phishing where they’re targeting a highly sought-after individual: That could be somebody with administrative access or it could be somebody very senior in the organization. It could be anybody in finance who has access to money and access to data.
There are clear things that people should look for, like spoofed email addresses and links that look a little unusual, misspellings and bad graphics, but the bad guys have gotten a lot more sophisticated. They have graphic artists. They have native English speakers. There are all kinds of artificial intelligence to help them now.
EDTECH: Besides email filters, which you mentioned, what tech can help K–12 IT teams fight back against phishing threats?
PLAGGEMIER: The best-case scenario is that somebody clicks on a phishing email and your proxy blocks them from going to the website. You always have to think in terms of a layered defense. In a perfect world, there is other technology in place that blocks somebody from getting to the malicious website and blocks malware from being downloaded. You have to look at it in its entirety and have a layer of defense.
Simulated phishing programs have been around for a long time. I think everybody should be running one. There are automated ones now, so you set it and forget it. You can hire managed services to run it, too. It doesn’t have to be a big drag on the IT team to run the program.
EDTECH: What should K–12 IT admins keep in mind when administering phishing spoofs and other trainings?
PLAGGEMIER: I really believe in rewards and incentivizing people to do the right thing as opposed to punishing them.
Before you send a phishing email, you need to contact the HR team or the internal communications team to make sure you’re not doing anything tone-deaf for the organization. If you want your security team to have a good, healthy relationship with the rest of the organization, and you want to be embedded with the business, it’s not wise to do anything that’s going to be too controversial.
The argument on the other side is the bad guys will do it, so we should do it too. But the bad guys don’t care about having a relationship with your organization.
I can’t stress enough that the school should be prepared for this. With the number of ransomware attacks on schools across the country over the past couple of years, if you’re not doing anything, then you frankly have your head in the sand right now.