With the widespread usage of technology in K12 schools, the threats are also on the rise. As with any innovation, technology is also a double-edged sword that is misused by malicious systems and people to gain unauthorized access and privileges. Most of these technology threats are spread through networks connected to the internet. There are more and more advanced types of threats being revealed each day and the CIOs are finding it very difficult to catch up to the momentum of the threats in different forms.
The schools are more vulnerable to cyberattacks like phishing attacks because the faculties are not trained to handle cybersecurity process effectively. There have been 712 publicly disclosed cybersecurity-related incidents involving U.S. public schools since 2016. Recently The Ava School District in the USA is struck by a ransomware attack. The teachers noticed the printers in the district printing mysterious ransom notes demanding money to get the stolen information back. Similarly, California’s San Bernardino City Unified School District (SBCUSD) has discovered that cybercriminals recently used ransomware to lock access to district files. These are not random or rare incidents. There will be more unreported and unrecognized phishing attacks in K12 schools all across the globe. Even though there are many cybersecurity threat types, we will focus on the most common and easily deployable threat of phishing.
What is Phishing Attack?
Phishing is a homophone of fishing. Even though both the words have different meanings even while sounding similar, phishing can be visualized as technological fishing where bait is used to lure the vulnerable targets in sharing sensitive information such as usernames, passwords, and credit card details. The attacker uses emails or instant messaging services like WhatsApp, SMS, etc. to disguise oneself as a trustworthy entity. Then the user is directed towards a duplicate webpage that is similar in look and feel to the original webpage. Most of the novice targets won’t be able to recognize the duplicate from the original and will give away the sensitive information in the forms present on the website.
Common Types of Phishing Attacks
1. Bulk Phishing
Here the attacker sends malicious communication to a bulk of people globally or to a specific organization or to specific geography. This way the attacker ensures some people will fall for the attack as the attacker is sending it to thousands of people at the same time.
2. Spear Phishing
This phishing attack is aimed at specific individuals or a company. The attacker spends more time in researching about the target to present the bait in a credible way. This increases the probability of success of the phishing attack.
Whaling is a spear-phishing attack but targeted only at the senior management of an organization like CEO, CFO or CIO.
4. Clone Phishing
In this, a previously delivered credible email with its content is taken and converted to malicious form and resent as an update to the earlier communication. This is done by hacking either the sender or recipient of the email before sending the phishing mail.
There are many other forms of phishing attacks categorized according to the type of medium(email, voice, text), the volume of impact, etc.
How K12 Schools can protect from Phishing Attacks?
K12 schools are very vulnerable to phishing attacks as school’s manages a lot of sensitive data and all the faculty will not be computer savvy enough to detect and defect a phishing attack. We propose the following tips to be followed to improve the resistance to phishing attacks in schools.
Tips for Users (Faculty)
- Always check the URL(website address) even if you clicked the link from a trustable source or person. Do not get fooled by the design of the webpage. The attacker might have created a similar-looking page.
- When you receive an email and the content feels to be suspicious, always contact the sender if you know the sender. Verify the authenticity before clicking on links or downloading the documents.
- Do not share personal data on the web in social media sites. The attacker might collect the information from these places to present trustworthy content for an attack.
- Use two-factor authentication wherever possible. In two factor authentication, you provide the OTP received through your phone number along with the usual username and password.
Tips for Admins (IT head)
- Promote usage of antivirus and other possible tools to detect phishing attacks. If budget is a problem, try free and opensource tools.
- Train the faculty through phishing simulations. Collect information on recent phishing attacks to K12 schools and simulate the scenario in front of the faculty audience.
- Frequently analyze incoming and outgoing web traffic to understand usual patterns and notice any strange patterns.
- Do a penetration testing to understand the weak spots and vulnerable users. Then correct the weak spots and educate the vulnerable users.
- Make it a practice to reward the users who successfully detect a phishing attack and then share the information with everyone.
Tips for School Owners
As a school owner, you have more responsibility in improving the cybersecurity of the school and training the faculty to navigate through unknown phishing attacks in the future.
- Hire an IT head for the school. If not a CIO, it is good to have a dedicated IT head for the school to take care of cybersecurity efforts.
- Educate the faculty, students, and parents on cybersecurity and how to detect phishing attacks. It is a good practice to conduct frequent seminars on the topic and invite experts in the industry. Most probably some of the parents of the school will be cybersecurity experts and will happily volunteer to train the faculty.
- Install only original and licenses operating systems and applications for usage of faculty. And always keep the OS, software and anti-virus applications up to date. If budget is a problem, choose opensource tools.
- It will be a good idea to have a defense strategy to handle future attacks. A defense strategy will contain what to do in case a phishing attack happens and sensitive information is leaked. If the faculty is trained on this, it will prevent the usual chaos after a phishing or ransomware attack.
- And finally, if you have many thousands of students and a lot of digitization effort happening in the school, go for a full-time cybersecurity expert like CISO (Chief Information Security Officer)
There are many other models of cybersecurity threats other than phishing. It is a good practice to read more about them and be prepared with a defense strategy in place.
We are sorry that this post was not useful for you!
Let us improve this post!
Tell us how we can improve this post?