Special Contribution from Weaver
Data breaches can cause financial loss, safety issues, negative publicity, lost productivity and compromised personal and district data. In 2017, the Ponemon Institute studied related costs (https://www.ponemon.org/library/2017-cost-of-data-breach-study-united-states) and found that 24% of breaches resulted from employee errors.
Training every employee can help reduce cyber risks — but what are the specific topics or techniques to include? Beyond creating a culture of awareness, you must educate employees on detecting the latest techniques and emphasize the importance of reporting suspicious incidents.
The Evolution of Cyber Attacks
As attack techniques become public, hackers change their approach. Districts’ training programs have to change to keep up. Recent attacks look more sophisticated; many are individually tailored to obtain sensitive information and access internal systems. For example, attackers use social engineering (such as calling the receptionist to ask for names and titles) to offer partially correct information and persuade the target to share real information. By creating a false sense of connection to an individual or the district, an attacker can circumvent technical security controls. For example, an email to a principal’s secretary might claim that the superintendent has asked for credit card numbers or purchases of gift cards.
Protecting Your District
The United States Computer Emergency Readiness Team (US-CERT) provided detailed advice on how to avoid becoming a victim of social engineering (https://www.us-cert.gov/ncas/tips/ST04-014):
- Maintain vigilance and skepticism about inbound communications (phone calls, visits and emails)
- Verify identities and don’t hesitate to call IT security or get a second opinion
- Only share internal information with confirmed and authorized individuals
- Tag external emails to denote when addresses should be double-checked
- Be suspicious of emailed attachments, links or forms
- Use alternative channels to verify information
From an organizational perspective, when is the last time you revisited your cyber security training programs? What types of techniques and topics are addressed in those trainings? What are the metrics you use to monitor the effectiveness of your protections? How do you communicate the latest cyber threats?
Your district’s IT administrators should carefully select topics to include in the training program. Important areas to cover include detecting spoofed/falsified senders, overly urgent messages, and external communications that include attachments, links or form fields.
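The training topics above (spoofed senders, urgent wording, external messages carrying attachments or links) and the external-email tagging tip from the US-CERT list can be turned into a simple screening check that IT staff can run over sample messages when building training material. The following is an added example, not code from the article or from Weaver; the district domain, the administrator roster, the urgency word list and the three sample messages are all constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed assumptions: the district's own mail domain(s) and a roster of
# administrator display names mapped to their real addresses. An attacker who
# copies an administrator's display name onto an outside address should trip
# the impersonation check below.
INTERNAL_DOMAINS = {"example-isd.org"}
ADMINISTRATORS = {"jane doe": "jdoe@example-isd.org"}

# Words that signal manufactured urgency or a financial ask (constructed list).
URGENCY_TERMS = ("urgent", "immediately", "right away", "asap", "gift card", "wire")
LINK_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def sender_domain(addr):
    """Return the lower-cased domain part of an address, or '' if malformed."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_message(raw):
    """Screen a raw RFC 5322 message and return (tagged_subject, flags).

    Each flag corresponds to one training topic: external origin, display-name
    impersonation of an administrator, From/Reply-To mismatch, urgent wording,
    links and attachments. External mail gets an [EXTERNAL] subject tag so the
    reader knows to double-check the address, as the US-CERT tip suggests."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = sender_domain(from_addr)
    if from_domain not in INTERNAL_DOMAINS:
        flags.append("external-sender")

    # Display name matches a known administrator but the address does not.
    real_addr = ADMINISTRATORS.get(display_name.strip().lower())
    if real_addr and real_addr.lower() != from_addr.lower():
        flags.append("display-name-impersonation")

    # Replies silently redirected to a different mailbox.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != from_addr.lower():
        flags.append("reply-to-mismatch")

    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = (subject + "\n" + (body.get_content() if body else "")).lower()
    if any(term in text for term in URGENCY_TERMS):
        flags.append("urgent-language")
    if LINK_RE.search(text):
        flags.append("contains-link")
    if any(part.get_filename() for part in msg.iter_attachments()):
        flags.append("has-attachment")

    tagged = subject
    if "external-sender" in flags and not subject.startswith("[EXTERNAL]"):
        tagged = "[EXTERNAL] " + subject
    return tagged, flags


# Constructed sample messages for a training exercise.
PHISH = """From: Jane Doe <jane.doe@mail-example.net>
To: secretary@example-isd.org
Reply-To: accounts@mail-example.net
Subject: Urgent request
Content-Type: text/plain; charset="utf-8"

I need you to buy gift cards right away and send me the codes.
Use this link: http://example.net/cards
"""

LEGIT = """From: Jane Doe <jdoe@example-isd.org>
To: secretary@example-isd.org
Subject: Board agenda
Content-Type: text/plain; charset="utf-8"

Here is the agenda for Thursday. Thanks.
"""

INVOICE = """From: Vendor <billing@vendor-example.com>
To: secretary@example-isd.org
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review the attached invoice.
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b1--
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT), ("INVOICE", INVOICE)):
        tagged, flags = assess_message(sample)
        print(f"{name}: subject={tagged!r} flags={flags}")
```

Running the script prints the tagged subject and the list of flags for each sample; the phishing sample trips every check except the attachment one, the internal agenda message trips none, and the vendor invoice is flagged only as external with an attachment. The check is deliberately simple so that its logic can be explained to staff during training; it is not a substitute for the mail gateway's own filtering.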
Your central administrators are likely to be prime targets for cyber-attacks. They can set an example and raise urgency by sharing their experiences with teachers and staff. They can ask employees, “Have you ever received an email — purportedly from an administrator — requesting information, soliciting financial transactions or asking for organizational details?”
The simple act of the superintendent telling employees that he/she will never request financial or sensitive information through email can be an effective way to help avoid future breaches. Every employee must take responsibility for protecting the district, and creating awareness outside the IT department may be critical to preventing a future breach.
About the Author
Brett Nabors, a Certified Information Systems Auditor (CISA), is a partner in the IT Advisory Services practice at Weaver. He advises school districts, other government agencies and private clients about issues related to IT security, controls, regulatory compliance and effectiveness. See https://weaver.com/industries/government for more information.
Find more Internal Control Tips at www.tasbo.org/ic-tips