When it comes to communication in the workplace, email is king. With American workers receiving an average of 126 emails per day*, email also serves as one of the most vulnerable areas of your organization’s security structure. While scans and filters can assist with blocking some suspicious communications, the likelihood of falling victim to a cyberattack is directly linked to your staff’s level of security awareness and their ability to spot hackers’ attempts.

The Dangers of Operating on Autopilot

When going through your inbox becomes an everyday task, decisions on what to open, click on, and delete are made quickly, effortlessly, and even automatically. That’s why it’s no surprise that as our brains are taking shortcuts, there has been a dramatic increase in successful phishing scams.

Just like your processes for student safety require staff to be alert and responsive in the event of a potential disaster, procedures created to keep your cyber data secure are heavily reliant upon employees to respond properly in the face of an attempted cyber attack. While an investment in defensive software and preventative tools is helpful, teaching employees to be mindful and treat every email like a potentially malicious scam is still the most effective way to stop a cyber breach and protect your district.

How to Change Problematic Behaviors

Just like other employee trainings, with cyber security education, you’re aiming to build a foundation of knowledge so staff has a solid awareness and ability to respond to certain situations appropriately. However, unlike most trainings, the process shouldn’t stop after delivering education. Cyber security training must also include ways to encourage staff to change their current absent-minded, routine approach to emailing to the “system 2” approach. Keeping up with emails can be taxing, but it’s critical that you share the importance of slowing down and maintaining a controlled and mindful state.

The Fastest, Easiest Path to Change Behaviors: Purchase Training

Investing in simulated testing with a cyber security awareness training tool can help you automate testing and capture performance data to determine your risk status and monitor progress. With so many user-friendly and effective tools available, purchasing a training tool can be fast and easy. Off-the-shelf tools also streamline training implementation and offer quick deployment, so you can address this issue and make progress within a matter of weeks.

For information on discounted training subscriptions available to SET SEG members, visit setseg.org/cyber.

*“Email Usage Statistics in 2021.” Campaign Monitor, 11 July 2019, www.campaignmonitor.com/blog/email-marketing/email-usage-statistics-in-2019/.

During the second and third quarters of 2020, the number of ransomware attacks within the education sector rose by 388%.

Many have heard that malicious cyber incidents in public schools — like staff data breaches, ransomware outbreaks, phishing attacks, and social engineering scams — drastically increased throughout the previous year, but this dramatic spike equates to a rate of more than two incidents per school day over the course of 2020, according to a report by the K-12 Cybersecurity Resource Center.

The education sector is one of the most targeted industries by ransomware attackers, forcing schools to face a challenging decision:

Invest in better security and backup precautions now, or suffer the consequences and hope to be able to afford the steep ransom and recovery costs if attacked.

Small Investment Today, or Major Unexpected Cost Tomorrow

The average total cost of recovery from a ransomware attack has more than doubled since last year, according to the global survey, The State of Ransomware 2021. It’s important to understand that the “sticker price” of paying the ransom (to obtain decryption keys) is only a small piece of the larger picture to recovering data, and there are other hidden costs and losses including:

• Business interruption losses – average downtime is 21 days
• Legal expenses – to determine what breach notification laws were triggered and how to notify victims
• Reputational damage

When faced with this situation, for any organization, but especially for public schools, paying the ransom is not the best way out. Even if your organization decides to pay it, the chances of getting all your information back are very slim. The average ransomware payment is $170,404 and 92% of organizations do not get back all their data after paying.

The Only Option for a Full Recovery: Data Backups

“Despite all our efforts, it is a hard truth that network and security controls can fail,” says David Larson, Network Engineer at Livingston ESA and contributor to “Essential Cyber Security Best Practices for K12,” published by Michigan Education Technology Leaders (METL). In the event of an attack, restoring data from backups may be the only solution.

Top 4 Steps to Achieving an Optimal Data Security Structure:

1. DESIGN a robust backup procedure — utilize the 3-2-1 rule
2. INVEST in necessary backup technologies
3. MONITOR backup procedures on a regular basis
4. TEST backup recoveries on a regular basis and simulate disaster incidents

If Precautions Fail, Contact SET SEG!

Organizations targeted by a cyberattack must act quickly to report the incident and deploy the data restoration process. Develop a cyber incident response plan, educate your staff, and be prepared to contact SET SEG.

For more resources on cyber security, visit setseg.org/cyber.

According to an FBI report conducted in December of 2020, cyberattacks and ransomware targeting schools hit record highs last year, with K-12 schools at the top of the targeted list. Schools are a prime target for hackers. Unsecured remote learning tools, weak cyber security systems, and a lack of cyber security training for staff have exposed vulnerabilities in the public school system. Unfortunately, cyber criminals have capitalized on these weaknesses and continue to attack schools with increasingly sophisticated scams.

Phishing scams — fraudulent emails claiming to be from reputable companies in order to persuade individuals to reveal personal information, or click links to grant access to private systems — have been the most common method attackers have used over the past few months to infiltrate schools.

Because you and your staff are the key to preventing a cyberattack within your organization, it’s important to question the legitimacy of every email you receive.

If you notice anything about the email that alarms you, do NOT click links, open attachments, or reply. Remember, you are the last line of defense to prevent cybercriminals from succeeding.

Spread the word!

Click here for a simple demonstration of how to spot red flags in an email. Use this resource to train your staff and students to be aware and block malicious scammers!

Sign Up for Security Awareness Training:

SET SEG members have access to an exclusive discount on the world’s largest security awareness training and simulated phishing platform. For more information, click here.

Did you know…   

Education is listed in the top five most targeted industries for a cyber attack? A cyber breach can wreak havoc on a public school system — compromising students’ private information, diminishing a community’s confidence in the school, and ultimately costing the district and the Pool membership thousands of dollars.

The arrival of the global pandemic has provided cybercriminals with the perfect cover for ramping up email attacks. According to Beazley, SET SEG’s trusted cyber security partner, since the increase in remote work, employees have been more likely to fall for social engineering scams, or email phishing techniques used to manipulate someone into providing confidential information like log-in credentials. SET SEG members have access to a team of nationwide industry experts, robust tools, and local support to help grow and strengthen cyber security within their organization.

Flip the images below to access helpful cyber support!