1. MFA and Identity Management Block Consent Phishing Attempts
Schools should set up MFA for network login, requiring users to present an additional factor, such as a badge or a biometric marker, alongside their ID and password before they can access the network.
In the cloud (whether Google Cloud, Microsoft Azure or Amazon Web Services) where consent phishing occurs, schools should use an identity and access management solution. An IAM solution should notify IT staff whenever it detects unusual web, app or email activity and can block login attempts.
2. Take Control of Third-Party App Permissions and Approvals
Unfortunately, even when MFA and identity management tools are in place, some users can still be tricked by convincing phishers into granting a malicious cloud app access to their accounts, because the user signs in legitimately and then authorizes the app themselves.
According to Push Security, “the only way to completely shut down consent phishing attacks is to prevent users from granting access to third-party apps altogether.”
However, because this would reduce productivity, K–12 schools should let IT admins approve all new app requests from end users and preapprove widely used apps from trusted publishers.
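An added example (not code from the article or from any vendor) of how the IAM alerting in section 1 and the admin-approval and preapproved-publisher policy above could be applied to consent-grant audit events. The event format, the trusted publisher list, the scope names and the sample events are assumptions constructed for this example.

```python
import json

# Publishers the school's IT team has preapproved (assumption: IT maintains this list).
TRUSTED_PUBLISHERS = {"Google LLC", "Microsoft Corporation"}

# Permissions that let an app read mail, files or contacts, or keep its token
# after the user logs out; these are the grants consent phishers typically request.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All",
                    "Contacts.Read", "offline_access"}


def triage_consent(event):
    """Classify one consent-grant event as 'allow', 'review' or 'revoke'.

    Returns (verdict, reasons). Field names are constructed for this example.
    """
    reasons = []
    risky = sorted(set(event.get("scopes", [])) & HIGH_RISK_SCOPES)
    verified = event.get("publisher_verified", False)
    if event.get("consent_type") == "user" and not event.get("admin_approved"):
        reasons.append("user consented without admin approval")
    if event.get("publisher") not in TRUSTED_PUBLISHERS:
        reasons.append("publisher not preapproved: %r" % event.get("publisher"))
    if not verified:
        reasons.append("publisher identity not verified")
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if not reasons:
        return "allow", reasons
    # An unverified publisher holding mail/file/offline access is the classic
    # consent-phishing footprint: revoke the grant and alert IT.
    if risky and not verified:
        return "revoke", reasons
    return "review", reasons


def triage_log(lines):
    """Triage newline-delimited JSON events; returns [(app_name, verdict, reasons)]."""
    events = (json.loads(line) for line in lines if line.strip())
    return [(e["app_name"],) + triage_consent(e) for e in events]


# Constructed sample events, one JSON object per line (not real log data).
SAMPLE_LOG = """
{"app_name": "Calendar Sync", "publisher": "Google LLC", "publisher_verified": true, "consent_type": "admin", "admin_approved": true, "scopes": ["calendar.readonly"]}
{"app_name": "Gradebook Helper", "publisher": "unknown-dev", "publisher_verified": false, "consent_type": "user", "admin_approved": false, "scopes": ["Mail.Read", "offline_access"]}
{"app_name": "Quiz Tool", "publisher": "EdTech Labs", "publisher_verified": true, "consent_type": "user", "admin_approved": false, "scopes": ["profile"]}
"""

if __name__ == "__main__":
    for app, verdict, reasons in triage_log(SAMPLE_LOG.splitlines()):
        print(f"{app}: {verdict} ({'; '.join(reasons) or 'preapproved, admin-approved'})")
```

In practice the "revoke" verdict would drive a token revocation and an alert to IT, while "review" feeds the admin approval queue described above.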
3. Security Training Can Help Schools Reduce Consent Phishing Attacks
Researchers who conducted the October 2020 IBM Education Ransomware Study of 1,000 educators and 200 administrators concluded that educators were “still unaware of critical information relevant to protecting their schools.”
At a minimum, K–12 IT experts should conduct annual training for teachers, students and administrators on consent phishing and other cyberthreats.
4. Schools Can Shore Up Cybersecurity with Annual External Audits
School IT leaders should hire outside cyber experts to perform annual audits. The auditors will review security policies, best practices, documentation and compliance across central and remote IT systems and devices. They will assess the security of software, firewalls, third-party vendors, apps and the IT app approval process.
5. Schools Should Notify Legitimate Parties of Phishing Attempts
Finally, whenever a user reports a suspicious email that looks like it is coming from a legitimate party, IT teams should notify that party. IT can also consider hardening security around school email systems with software that checks for spam and blocks access to known malicious websites and apps.