It’s something IT leaders generally know — you can buy all kinds of hardware and software to try to ward off cyberattacks, but one of the most important cybersecurity vulnerabilities to address involves people, not technology.
That human element is particularly important for K–12 districts, which are popular targets for cyber incidents because of the heaps of sensitive information they collect. Some school districts are forced to pay ransoms to retrieve data. Some attacks shutter districts for days.
Against that backdrop, my team and I noticed an increase in phishing emails to our faculty and staff as well as a bump in the number of teachers requesting tech support because of malware on their devices. That prompted us to launch an anti-phishing campaign last year during the fall semester. We needed to address the “people” part of our cybersecurity concerns.
We set up a Gmail account to send a fake phishing email to district teachers. The sender address included red flags teachers should have recognized: The district’s name was misspelled, and the domain was generic Gmail rather than the district’s own. The body of the email included red flags such as spelling errors. The email footer included links and a logo from MailChimp, which is a well-known company but not a district-approved vendor.
The email also included a link to a survey requiring a Google login. That link connected to a splash page designed to look like a real Google login page but with obvious differences. It asked for a username and password on the same screen, whereas Google asks for a username and password on separate screens.
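The red flags described above can also be checked mechanically at the mail gateway or in a triage script. The following is an added example, not code from the article or the district; the district name, district domain, approved-link list and both sample messages are constructed placeholders.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Hypothetical district settings (assumptions, not from the article).
DISTRICT_NAME = "exampledistrict"
DISTRICT_DOMAIN = "exampledistrict.example"
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}
APPROVED_LINK_DOMAINS = {DISTRICT_DOMAIN, "google.com"}
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def registrable(host):
    # Naive "last two labels"; production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def red_flags(raw):
    """Return the list of red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    flags = []
    if domain != DISTRICT_DOMAIN:
        flags.append("sender-not-district-domain")
    if domain in FREE_MAIL:
        flags.append("free-mail-sender")
    # A near-miss spelling of the district name is worse than no mention at all.
    for token in re.findall(r"[a-z]+", f"{local} {display}".lower()):
        close = SequenceMatcher(None, token, DISTRICT_NAME).ratio() >= 0.85
        if close and token != DISTRICT_NAME:
            flags.append("misspelled-district-name")
            break
    body = ""
    for part in msg.walk():  # covers plain and multipart messages
        if part.get_content_maintype() == "text":
            body += (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
    for host in dict.fromkeys(URL_HOST.findall(body)):  # de-duplicate, keep order
        if registrable(host) not in APPROVED_LINK_DOMAINS:
            flags.append(f"unapproved-link:{registrable(host)}")
    return flags

# Constructed sample messages.
PHISH = """From: "Exampel District IT" <exampeldistrict.it@gmail.com>
Subject: Staff survey

Please complete the survey: https://forms.survey-login.example/login
Sent with https://mailchimp.com/
"""
LEGIT = """From: "IT Helpdesk" <helpdesk@exampledistrict.example>
Subject: Staff survey

Survey link: https://docs.google.com/forms/d/constructed-id
"""

if __name__ == "__main__":
    print(red_flags(PHISH))
    print(red_flags(LEGIT))
```

The 0.85 similarity threshold is a tunable assumption; set it against real district mail before using the output to quarantine anything.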
Fake Phishing Emails Underscore Need for Training
The results of the experiment were alarming. Of 572 fake phishing emails sent out:
- 474 were opened
- 272 people clicked the link in the email
- 113 people logged into the site, providing their username and password
- 45 people entered additional information such as their room numbers and school names onto a public Google sheet
It was clear our employees needed cybersecurity training. The test also revealed another urgent issue: passwords. We needed teachers to create new passwords because they likely had compromised previous ones.
The experiment also made it clear many of our employees can’t recognize the signs of a potential phishing threat. I shared information about the experiment and the results with all employees along with tips for better managing sensitive information that could compromise network security or their own personal data.
Determining Next Steps for Improved Cybersecurity
The experiment is driving conversations among my team and district leaders about next steps for a more proactive approach to preventing cyberattacks. We already use content filters; the Children’s Internet Protection Act, a Federal Communications Commission provision, ties E-rate discounts to criteria that include monitoring online safety and security. But those filters only capture internet usage.
We also use spam filters and related features built into the Google Admin suite and block teachers from adding extensions or VPNs. But we need to do more. Here are some of the changes we have implemented or are discussing for future implementation.
Cloud storage: One key step is to store student data in the cloud. We started storing data in the cloud instead of on-site to remove internal servers as a potential cybersecurity risk.
Network segmentation: Putting all district schools on different VLANs is a way to boost security as well as performance.
Security software and insurance: The main goal is to ensure classes can go on, that schools can continue to operate, even after a cyberattack. My district uses Cylance on all of our PCs for extra protection and filtering. We also are exploring cybersecurity insurance — a discussion that includes district school board members and the board attorney. With ransomware attacks, cyberthieves can hold districts hostage for hundreds of thousands of dollars or more. The typical school district doesn’t have that sort of money on hand.
Professional development: It’s important for teachers to receive regular training on cybersecurity and email hygiene. In my district, we use faculty meetings as one way to directly share this information. We also are considering offering cybersecurity training for teachers in the summer. We are discussing appropriate interventions for employees who are repeatedly reckless with sensitive information.
The need for continuous learning applies to IT teams, too. Events such as the Future of Education Technology Conference as well as the conferences of the Consortium of School Networking (CoSN) and the International Society for Technology in Education (ISTE) offer IT leaders timely and expert information on the latest cybersecurity trends, risks and solutions. Other professional organizations are also valuable resources for IT leaders. It was at a regional meeting of technology directors that I heard about an email phishing experiment that inspired my team’s approach.
Multifactor authentication: My team is pushing for this, particularly for teachers and administrators, and the experiment underscores the need. With multifactor authentication, district employees must provide multiple credentials to be granted access to systems.
Routine device upgrades: As Microsoft has ended support for Windows 7, we’re migrating devices to newer operating systems. In my district, we are conducting a technology audit to determine how many devices in our fleet need to be upgraded to Windows 10.
Even with all of these changes, it’s important to understand that reinforcing email hygiene and preventing cyberattacks are not one-off efforts. Cyberthieves are constantly finding new loopholes and weaknesses to exploit, so a good defense involves regularly assessing vulnerabilities and taking a proactive approach. Cybersecurity is a constant process in IT.