Cybercrime Alert: Urgent Notice for Superintendents

Cybercriminals are attacking schools at an alarming rate. Malicious actors are exposing personally identifiable information and demanding millions of dollars in ransom, and districts are losing valuable time and money before they are able to regain control of their systems.

Threats and phishing attacks continue to become more sophisticated and difficult to spot.

“It is imperative that your staff is not only aware of these heightened attacks on the education community, but know how to stop the attack, and report it appropriately,” says Amy Guilford, Chief Program Administrator of the Property/Casualty Pool. “Early detection is the key — alerting your IT team right away gives them a better chance at shutting down the threat and minimizing damage.”

The first step for every district is to consider subscribing to a training entity, like KnowBe4 — an on-demand security awareness cyber training program. SET SEG members receive a significant discount on the highly affordable subscription. It is one of the best lines of defense you can deploy to prevent a cyber event at your district.

If an incident does occur, contact your SET SEG Account Executive immediately to deploy our team of legal and forensic specialists.

PROTECT YOUR DISTRICT IMMEDIATELY

EDUCATE:

Conduct ongoing security awareness training – sign up for KnowBe4, or another security training, to help your staff spot and stop these attacks.

SEPARATE:

Establish policies – only allow district-issued computers onto district-owned networks.

MITIGATE:

Backup data offline – keep a secure offsite copy of your information or remove any online backups from the main network.

Deploy a password management tool – utilize Multi-Factor Authentication to require individuals to verify their identities prior to logging into a system.

The Key to Cyber Security? Changing Mindsets & Behaviors

When it comes to communication in the workplace, email is king. With American workers receiving an average of 126 emails per day*, email also serves as one of the most vulnerable areas of your organization’s security structure. While scans and filters can assist with blocking some suspicious communications, the likelihood of falling victim to a cyberattack is directly linked to your staff’s level of security awareness and their ability to spot hackers’ attempts.

The Dangers of Operating on Autopilot

When going through your inbox becomes an everyday task, decisions on what to open, click on, and delete are made quickly, effortlessly, and even automatically. That’s why it’s no surprise that as our brains are taking shortcuts, there has been a dramatic increase in successful phishing scams.

Just like your processes for student safety require staff to be alert and responsive in the event of a potential disaster, procedures created to keep your cyber data secure are heavily reliant upon employees to respond properly in the face of an attempted cyber attack. While an investment in defensive software and preventative tools is helpful, teaching employees to be mindful and treat every email like a potentially malicious scam is still the most effective way to stop a cyber breach and protect your district.

How to Change Problematic Behaviors

Just like other employee trainings, with cyber security education, you’re aiming to build a foundation of knowledge so staff has a solid awareness and ability to respond to certain situations appropriately. However, unlike most trainings, the process shouldn’t stop after delivering education. Cyber security training must also include ways to encourage staff to move from their current absent-minded, routine approach to emailing to the slower, more deliberate “system 2” approach. Keeping up with emails can be taxing, but it’s critical that you share the importance of slowing down and maintaining a controlled and mindful state.

How to Shift Decision-Making to System 2:

  • Teach employees to be wary of ALL emails they receive
  • Test awareness regularly by sending simulated phishing emails to staff, and share reports on the organization’s performance

By providing opportunities to practice their skills and reinforcing the importance of their individual role with routine performance reports, you’ll help build employees’ critical thinking muscles and eventually change their emailing behaviors.

The Fastest, Easiest Path to Change Behaviors: Purchase Training

Investing in simulated testing with a cyber security awareness training tool can help you automate testing and capture performance data to determine your risk status and monitor progress. With so many user-friendly and effective tools available, purchasing a training tool can be fast and easy. Off-the-shelf tools also streamline training implementation and offer quick deployment, so you can address this issue and make progress within a matter of weeks.

For information on discounted training subscriptions available to SET SEG members, visit setseg.org/cyber.

*“Email Usage Statistics in 2021.” Campaign Monitor, 11 July 2019, www.campaignmonitor.com/blog/email-marketing/email-usage-statistics-in-2019/.

An Investment in Backups May be the Only Way to Keep Your Data

During the second and third quarters of 2020, the number of ransomware attacks within the education sector rose by 388%.

Many have heard that malicious cyber incidents in public schools — like staff data breaches, ransomware outbreaks, phishing attacks, and social engineering scams — drastically increased throughout the previous year, but this dramatic spike equates to a rate of more than two incidents per school day over the course of 2020, according to a report by the K-12 Cybersecurity Resource Center.

The education sector is one of the industries most targeted by ransomware attackers, forcing schools to face a challenging decision:

Invest in better security and backup precautions now, or suffer the consequences and hope to be able to afford the steep ransom and recovery costs if attacked.

Small Investment Today, or Major Unexpected Cost Tomorrow

The average total cost of recovery from a ransomware attack has more than doubled since last year, according to the global survey, The State of Ransomware 2021. It’s important to understand that the “sticker price” of paying the ransom (to obtain decryption keys) is only a small piece of the larger picture of recovering data, and there are other hidden costs and losses including:

  • Business interruption losses – average downtime is 21 days
  • Legal expenses – to determine what breach notification laws were triggered and how to notify victims
  • Reputational damage

When faced with this situation, for any organization, but especially for public schools, paying the ransom is not the best way out. Even if your organization decides to pay it, the chances of getting all your information back are very slim. The average ransomware payment is $170,404 and 92% of organizations do not get back all their data after paying.

The Only Option for a Full Recovery: Data Backups

“Despite all our efforts, it is a hard truth that network and security controls can fail,” says David Larson, Network Engineer at Livingston ESA and contributor to “Essential Cyber Security Best Practices for K12,” published by Michigan Education Technology Leaders (METL). In the event of an attack, restoring data from backups may be the only solution.

Top 4 Steps to Achieving an Optimal Data Security Structure:

  1. DESIGN a robust backup procedure — utilize the 3-2-1 rule
  2. INVEST in necessary backup technologies
  3. MONITOR backup procedures on a regular basis
  4. TEST backup recoveries on a regular basis and simulate disaster incidents

If Precautions Fail, Contact SET SEG!

Organizations targeted by a cyberattack must act quickly to report the incident and deploy the data restoration process. Develop a cyber incident response plan, educate your staff, and be prepared to contact SET SEG.

For more resources on cyber security, visit setseg.org/cyber.

Congratulations to Our First-ever MSAFE Award Winners!

This year, we’re excited to launch the SET SEG Michigan Safety Awareness and Facilities Excellence (MSAFE) Award as a special way to recognize strong, supportive members of the Property/Casualty Pool and Workers’ Compensation Fund and reward their proactive efforts to protect their school community.

It is with great enthusiasm that we announce and congratulate the 2021 MSAFE Award winners!

2021 Regional MSAFE Award Winners:
  • DeTour Area Schools
  • Fenton Area Schools
  • Lake City Area Schools
  • Napoleon Community Schools

These exemplary SET SEG members possess outstanding safety records and take serious steps to protect and preserve the safety and security of their buildings and grounds. Each winner met specific criteria for claims experience, prompt reporting, claim resolution, and training participation that earned them this prestigious distinction among their peers, along with a commemorative trophy and $1,000 to invest in their organization!

This fall, one grand prize winner will be selected from the group and will be granted an additional $2,500 to continue to build upon safety measures in their district.

We applaud these school districts for their best-in-class safety practices and dedication to protecting their students and staff!

Would You Pass the Test? 5 Ways to Identify a Phishing Email

According to an FBI report from December of 2020, cyberattacks and ransomware targeting schools hit record highs last year, with K-12 schools at the top of the targeted list. Schools are a prime target for hackers. Unsecured remote learning tools, weak cyber security systems, and a lack of cyber security training for staff have exposed vulnerabilities in the public school system. Unfortunately, cyber criminals have capitalized on these weaknesses and continue to attack schools with increasingly sophisticated scams.

Phishing scams — fraudulent emails claiming to be from reputable companies in order to persuade individuals to reveal personal information, or click links to grant access to private systems — have been the most common method attackers have used over the past few months to infiltrate schools.

Because you and your staff are the key to preventing a cyberattack within your organization, it’s important to question the legitimacy of every email you receive.

If you notice anything about the email that alarms you, do NOT click links, open attachments, or reply. Remember, you are the last line of defense to prevent cybercriminals from succeeding.

Spread the word!

Click here for a simple demonstration of how to spot red flags in an email. Use this resource to train your staff and students to be aware and block malicious scammers!

Sign Up for Security Awareness Training:

SET SEG members have access to an exclusive discount on the world’s largest security awareness training and simulated phishing platform. For more information, click here.

Security Awareness Training: SET SEG Member Discount Available

SET SEG Member Discount Available:
  • 25% discount for all SET SEG Property/Casualty Pool Members
  • 10% discount for non-profit/governmental entities (applies to public schools)
  • 20% discount for multi-year subscriptions (all 3-year subscriptions are eligible)

Old school security training doesn’t hack it anymore. Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks.

What is KnowBe4?

Employees are the weakest link — hackers know this and are exploiting it every day. KnowBe4 helps you effectively and easily educate your staff on common hacker tactics so you can create a “Human Firewall” to manage the continuing problem of cyber attacks.

KnowBe4 is the world’s largest security awareness training and simulated phishing platform, proven effective in helping organizations manage the ongoing problem of social engineering and reducing vulnerabilities to ransomware, malware, and other data breaches.

How does it work?

KnowBe4 is a user-friendly and intuitive platform built to scale for busy IT pros that have multiple fires to put out. Customers of all sizes can get the KnowBe4 platform deployed into production extremely fast without the need for consulting or on-site assistance. The service includes:

  • Unlimited training campaigns
  • Kevin Mitnick Security Awareness Training
  • Unlimited phishing security tests
    • Over 5000 Phishing Email Templates, with the ability to customize
    • Phishing Reply Tracking
  • Ongoing security tips email blasts
  • Admin management console to track employee training/testing performance
  • Outlook or Office 365 Phish Alert Button add-in/Gmail extension

How can I sign up for this service or learn more information?

For information related to subscription levels, pricing, and additional training modules and resources, click here or contact Lauren Melendez at (727) 315-0376, or at laurenm@knowbe4.com.

Storing Hand Sanitizer – A Flammable Liquid

Since hand sanitizer has become a necessity and classroom staple, it’s more important than ever to practice safe storage practices for flammable and combustible liquids. Not only can they readily ignite and burn intensely, they can spread quickly and easily overcome the protection of a sprinkler system. Flammable liquid storage cabinets meet specific design and […]

Flip the Script on Cyber Attacks

Did you know that education is listed in the top five most targeted industries for a cyber attack? A cyber breach can wreak havoc on a public school system, compromising students’ private information, diminishing a community’s confidence in the school, and ultimately costing the district and the Pool membership thousands of dollars.

The arrival of the global pandemic has provided cybercriminals with the perfect cover for ramping up email attacks. According to Beazley, SET SEG’s trusted cyber security partner, since the increase in remote work, employees have been more likely to fall for social engineering scams, or email phishing techniques used to manipulate someone into providing confidential information like log-in credentials. SET SEG members have access to a team of nationwide industry experts, robust tools, and local support to help grow and strengthen cyber security within their organization.

Customized Member Resource Center

Though they’re the largest at-risk group, your employees also provide the most powerful first line of defense to protect against cyber hackers and misuses of sensitive information. Access the SET SEG COVID-19 Resource Center for:

  • Best practices to address new risks and exposures as a result of COVID-19.
  • Security checklists, handouts, videos and more that address IT equipment and cyber security in a remote work environment.

MEMBER DISCOUNT!

KnowBe4: Security Awareness Training

Phishing continues to be one of the greatest risks for organizations and one where employees pose the greatest vulnerability. SET SEG provides members discounted access to KnowBe4, the world’s largest integrated platform for security awareness training. This training combines a library of information with simulated phishing attacks to teach employees to make smarter security decisions every day.

To access your discount or learn more information, click here.

Breach Response Team

A cyber breach isn’t always a disaster, but mishandling it is. To ensure an immediate and proficient response to a cyber attack, SET SEG members have access to our partner, Beazley, a global company that utilizes its own in-house breach response team to resolve any cyber incidents with a member district.

For additional resources and a list of cyber security best practices, visit our COVID-19 Resource Center.

MISecure.org

SET SEG is proud to serve on a task force organized by Michigan Education Technology Leaders (METL), a workgroup of Michigan Association of Intermediate School Administrators (MAISA), to develop a guide to help Michigan K-12 school districts identify and improve their cybersecurity practices.

MISecure.org lists a variety of resources, from essential cybersecurity practices for K-12 to assessments and guides to implement in your organization. To learn more about this tool created for Michigan schools by Michigan technology experts, visit misecure.org/resources.

SET SEG Cyber Coverage

SET SEG’s cyber coverage is designed to respond to various forms of attack on personal data, and organization-wide IT infrastructure. Expenses arising from compromised Personally Identifiable Information (PII) and ransomware/extortion attack costs are covered, subject to policy conditions and limits.

If you believe a breach has occurred or your systems have been compromised, please notify SET SEG immediately. Legal and computer forensic reviews will be conducted to determine the extent of the damage and appropriate next steps.