As if getting up to speed with new classroom technologies and pretending to be tech-savvy like the kids aren’t enough, school staff also need to guard against the ever-increasing threat of cyberattacks. Lurking in the shadows, cyber-gremlins wait for an opportunity to strike so they can capture sensitive data and wreak havoc with school systems.
School administrators and IT staff can be super-vigilant, but the hackers are getting better and better at sneaking through security. As their malware arsenal becomes increasingly sophisticated, they are ready to exploit the tiniest undefended security gaps and try to catch out unsuspecting school staff by masquerading as trusted programs, partners or services.
Regrettably, some hackers regard teachers as ‘soft targets’ because many are unaware of the dangers. K-12 schools can often be at high risk, because they tend to rely on a broad range of apps and software and are big users of web-based learning and testing.
Making sure that every staff member is aware of potential dangers is the first step in keeping your school secure and safeguarding students’ data. Otherwise, it’s all too easy for unsuspecting teachers to be tricked into visiting a compromised website, clicking on questionable email links or opening an infected pop-up.
So, what are the most common cybersecurity threats, and how can school staff avoid them?
Eavesdropping / Man-in-the-Middle (MiTM) Attacks
What they are: It’s likely that you sometimes use a school laptop or mobile device to gain internet access via Wi-Fi networks in public places like coffee shops or airports. If so, be aware that there may be hackers eavesdropping to try and gain entry to any two-party exchange you make so they can filter and steal data.
How to avoid them: Always use a school-verified SIM card, dongle or VPN (virtual private network) to access the internet in public places.
Social Engineering Attacks
According to Verizon’s 2018 Breach Investigations report, 92 percent of malware is delivered via email, in what are often referred to as social engineering attacks. The aim is to interact with the user and to influence and manipulate their actions in order to gain access to systems and install harmful software. These attacks come in various guises. Here are some of the most common:
1. Phishing emails
What they are: Appearing to be legitimate correspondence from a familiar source – such as personal contacts, government agencies or businesses – these emails link to destructive software which can encrypt and/or steal school files, photos, documents or data.
How to avoid them: Always check the ‘from’ address for added characters or slightly different spelling. Have a look at the logo, branding and presentation. Does it ring true? Within the body of the email beware of incorrect spelling, poor grammar, bad phrasing or clumsy wording. If in doubt, don’t open it or click on any links, and make your school’s IT department aware.
2. Baiting attacks
What they are: Typically an external device, such as a memory stick or a promotional USB drive, which offers something appealing when connected but which has been pre-loaded with malware that can then gain access to your school’s network.
How to avoid them: Be suspicious of any external device that requires connection to your computer. Hand it straight to your school’s IT staff so they can check it first.
3. Quid pro quo requests
What they are: Scammers make contact with the school by phone pretending to be from a known source – such as a supplier or a neighboring school. They can be very convincing and typically offer some sort of help or assistance. Be on guard immediately if this requires you to action an unusual request such as downloading software, sharing login information or allowing remote access to your computer.
How to avoid them: Never download software or allow third-party access to a school computer. Instead, transfer the call to the school’s IT staff.
4. Pretexting attacks
What they are: As with quid pro quo requests, fraudsters pose as an official body or an individual known to the school, but their objective is to extract sensitive information.
How to avoid them: Refer any callers asking for sensitive data to your school administrator.
5. Contact with a ‘compromised’ website
What they are: Pop-up pages and emails can contain links to bogus websites or legitimate sites that have been compromised by scammers.
How to avoid them: Double-check the domain name of the site. Hackers will typically reference a well-known brand within the domain address, but it won’t be the official website. Google the official site in a different browser and compare the URLs. Examine the contact page and the privacy, terms and conditions areas. Is there a company address listed and are all the usual legal policies displayed and legitimate? If responding to an offer for free classroom resources or software, always check with your IT staff first, and bear in mind that if it seems to be too good to be true, it probably is!