The Cyber Blog is an initiative of Indiana's Educational Cybersecurity Task Force, a partnership between the Indiana CTO Council and the Indiana Department of Education.
Phishing: The Top Cyber Threat
Posted by Jason Bailey, Ph.D, CETL on 10/15/2019
Each October, IT professionals turn their focus to a topic that has grown in intensity with each passing year. National Cybersecurity Awareness Month (NCSAM) is a collaborative effort between government and industry to “raise awareness about the importance of cybersecurity and to ensure that all Americans have the resources they need to be safer and more secure online.” In Indiana, we have responded to this growing need by gathering leaders of education technology and creating a task force to scale up our efforts to safeguard school networks, protect student data, and educate our users about how to develop better online habits.
This last piece is one of the most critical in all of cybersecurity. While you may have a preconceived idea of hackers manipulating code to infiltrate your systems, it is far more likely that cyber criminals will manipulate people to gain the access they need. In fact, most breaches involve phishing and more than 75% of organizations and businesses were targeted by phishing scams in each of the past two years.
If you are less than familiar with the term, phishing is a “fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication.” While designing a program to get someone’s password is fairly complicated, it turns out that designing an email that convinces them to just tell you... isn’t very complicated at all. In fact, Verizon reported that 30% of phishing messages get opened, and 12% of targeted users click on the malicious attachment or link.
Several studies indicate that phishing attacks are still on the increase. Phishing remains the preferred vector for cyber threat actors, and organizations cite phishing as the top cyber threat. Last year alone, the FBI’s Internet Crime Complaint Center registered more than $1.2 billion lost to email account compromise, and it is likely that these breaches are vastly underreported.
So, how can we begin to protect ourselves and our school districts against this cyber menace? Two of the most popular responses are education and assessment. Since our staff are the targets of these repeated attempts, we must increase their awareness of the threat, and increase their ability to recognize it when they see it. Many districts have already undertaken an awareness campaign using district communication as well as online training modules to teach employees how to pick up on the warning signs of a phishy email. In conjunction with this training, districts have been conducting their own phishing campaigns to find out which employees are most likely to take the bait, and doing extra remediation with those most at-risk. Schools that have sent a baseline phishing email ahead of awareness training have seen a substantial improvement in those click-rate numbers through the course of a campaign. If you are an IT leader in an Indiana public school, you can take advantage of an initiative we’ve just launched at the IDOE which can lend you this capacity at no cost to your district.
Steps you can take to be more secure today:
- Regularly update security software on your computer, and run updates on your cell phone
- Frequently back up your critical files to an external drive or cloud storage
- Educate yourself (and your staff) on scam tip-offs like generic greetings, bogus email accounts, and pressure tactics designed to make you click on the bait
- Scrutinize URLs to make sure they will lead to a legitimate top-level domain
- If in doubt, don’t click, and hover over links to reveal the real URL
- Report any suspicious emails to your district’s IT department
How to Recognize and Avoid Phishing Scams (Federal Trade Commission)
National Cybersecurity Awareness Month 2019 (NICCS)
Jason Bailey is the Senior Specialist of Workforce and Digital Learning for the Indiana Department of Education. He serves on the CTO council board, and is a liaison to the Educational Cybersecurity Task Force.