When the pandemic many schools and school districts were not positioned well to pivot to online learning and teleworking. The result? Schools rushed to deploy conferencing systems, increased and remote access to databases, the setup of apps and school owned devices from home.
And hackers knew this.
They also know that most technologies when setup quickly come with default settings to ensure usability for access and setup and if left untouched, those same default settings can be easily figured out and leveraged for hacking. Staff also were not trained or educated on the risks working online, increasing the risk of being victims to poor password practices and open to social engineered phishing attacks.
And hackers took advantage and attacked.
Near the beginning of 2020, security and consulting company Impact reported that the number of cyber attacks tripled, with schools being the second most targeted with ransomware. Currently, 42% of school's staff either have poor or will circumvent cybersecurity practices, such as having weak passwords or share passwords. In Canada, CIRA reports only 41% of employees receive cybersecurity awareness training. Hackers therefore have a good chance to get access to our systems.
Those hackers that are successful with schools that have high profile information and data were rumored to sell the ransomed data for over 200 million dollars on the dark web.
By the end of 2020, the U.S. Senate Committee on Homeland Security & Governmental Affairs issued an alert and a statement warning to school districts that cyberattacks on a continued rise and schools are being targeted. It became clear that in addition to setting up systems securely, it is imperative that staff and students in schools are also educated about cybersecurity risks and learn safe and secure online practices.
What can we do? Make sure your colleagues are aware of the risks. With their support, suggest a few mini presentations about best practices or mini internal phishing campaigns for fun. Something like...
"Hello Jonathan, I am your principal stuck in a meeting right now. Please immediately send Amazon Gift Cards to iamurprincipal@yourschool.edu? I need to thank a colleague before it ends."
I am sure you can come up with something more convincing and better.
Better yet, engage your security vendor and see what resources they can share. Most security vendors offer courses for their clients employees and phishing campaigns that will turn your colleagues into savvy online users.
The outcome? I bet no gift cards will be bought and the chance of being a victim to ransomware will be less.
Comments
Post a Comment