View this message online

8/14/20

This Week: Cybersecurity Awareness Training

Hi. My name is Tim Tillman and I am the Chief Information Security Officer (CISO) for the VDOE. Our team of cybersecurity analysts support the security program of the VDOE. I am excited to provide this email resource to you. Together, we can make our cybersecurity posture in Virginia's K-12 schools strong and a model to be admired. Contact me at tim.tillman@doe.virginia.gov

News

We read a lot of articles and blogs on security.  Here are a few items we found to share.

• Cybersecurity for K12 Essentials for District IT Teams
  Raising awareness is half the battle in K-12 cybersecurity. K-12 district IT teams aren’t incapable of protecting their systems. The problem is often that there isn’t enough focus on the issue of cybersecurity. Many teams don’t seem to be aware of the issue—or are simply trying to ignore it because it seems like an insurmountable challenge.
• 4 Big Cybersecurity Priorities for Schools: Training, Purchasing, Monitoring, and Budgeting
  

  A little more than a year ago, Keith Bockwoldt was promoted to Chief Information Officer for Hinsdale Township High School District 86 in Illinois. Only a few months after he started in the role, a teacher clicked on an email that purported to be from a former student. It ended up creating a malware infection that required Bockwoldt to tap into cybersecurity insurance for the first time in his 21 years working in the district.

Learning

Did you know that, according the Consortium for School Network, over 90% over cyber attacks start with phishing? Phishing is the act of sending emails that provoke users to click to install software or to reveal personal information through fake websites.

Our Virginia schools are vulnerable to many different threats including ransomware, data breaches, and phishing. We can train our users, both adults and children, to recognize threats in their inbox and take action against them.

A full 90% of attacks start from a single vector - phishing. Over the years, K-12 technology leaders have tried to block spam, employ email firewalls, release barracuda into the waters, and learn the finer points of Bayesian filtering on a Microsoft Exchange server. Although most of the bad actors and suspicious emails were blocked, there are always exceptions.

Phishing is not your only security concern, but the statistics point to it being a major concern. Cybersecurity awareness training for your various user types can help use the human filter to catch the remaining suspicious emails. Basic cybersecurity awareness training is a good way to establish a baseline for your user community and ensure that everyone understands cyber to be a shared responsibility. 

It is best practice to establish basic awareness training for each type of user in your community - technical staff, instructional administration and cabinet, school board, teaching staff, and even students. Training should occur annually for existing users and immediately following employment for new users.

Although most users can benefit from generic training, you may find that some of the users could benefit from more advanced or focused training. For instance, a school board member may need more training for dealing with email from unknown sources than a student that only receives email from vetted sources or users within their own domain. It is up to you to determine how focused you choose to make the training. Admin Cabinet members may need more information on student data privacy protections than teaching staff.  Teaching staff may need a refresher on the importance of following FERPA guidelines when disseminating student data across the school.

If your school division has already established data governance roles such data/system owners, stewards, or custodians then you can imagine that specialized training covering the security needs for those duties is critical.

There are myriad providers of cybersecurity awareness training - most aimed at corporate responsibilities and corporate users. There are few specifically designed for K-12 environments. There are packages that are purchased and some that are freely available. I have listed a few examples at the end of this section. You could also choose to create your own content with tailored videos or presentations. No matter what you choose, the important part is to get started and keep users aware of their responsibilities.

Popular topics in awareness training include:

• physical security and situational awareness
• protecting work assets when working at home
• password hygiene
• Specialized compliance training for HIPAA, FERPA, COPPA, PCI
• Phishing and Spear Phishing
• Multi-factor authentication methods
• Insider threats
• Safe browsing techniques
• Safe sharing and social media techniques
• Social engineering

Here's the takeaway:  Start your awareness campaign. Focus your training for individual user types. Grow your capacity over time. Train annually.

Select Content Providers

• Cofense - The folks at Cofense, in Leesburg, VA, offer paid services to help your community to better understand phishing attempts to thwart would-be attackers. Cofense also offers a series of free SCORM-complaint modules that can be uploaded to your favorite LMS.  If you don't have an LMS, Cofense offers an online version. The content of the free section provides the baseline knowledge that your users need. You can expand and adapt with additional in-house content if needed.
• KnowBe4 - "Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense."  KnowBe4 is a full platform suite that can train your users using various available modules in dozens of topics. KnowBe4 can simulate and train users on phishing attempts without causing havoc to computer systems. The company also has many free tools that can be used with your users without any cost to your schools.
• Inspired eLearning - Looking for free posters that you can hang in your favorite faculty lounge or office copy room? Inspired eLearning offers some freebies that are professional quality and can make a real difference. As a company, they also offer more advanced security awareness training.
• Infosec Institute - Student awareness is a specialized effort.  This company offers some basic resources for student awareness training that can be used on your website or LMS. Additionally, the company has hundreds of awareness modules than can be focused for a K-12 audience. Watch the free linked videos for targeted school audiences.
• iSpring - You can always create your own content for your unique user base. Need to convert a PowerPoint presentation to SCORM content for your LMS? Check out iSpring.

This list is not exhaustive. These are just some of the more well-known providers and services.

Community

Contribute

Do you have cyber-related news or information that you think would be helpful for all Virginia schools and technology staff?  Any specific topics to discuss? Send an email to Tim Tillman, CISO.

Share

Share this newsletter with staff and faculty. Encourage colleagues to sign up for VDOE newsletters here. 

Join

I can't recommend the Consortium for School Networking (CoSN) more highly. The advocacy, research, reports, and training that are generated from the organization are very valuable. You can join CoSN as an individual member or your school district can join. Please consider joining and gaining expert knowledge from the available resources.  CoSN is also the creator of the Certified Education Technology Leader (CETL) certification and the Trusted Learning Environment (TLE) seal. Many of your colleagues (like me!) and neighboring school divisions have already attained these credentials. Could you be next?

Consider supporting and receiving news from The K-12 Cybersecurity Resource Center.  Doug Levin, president of EdTech Strategies, LLC, owns and operates this website that helps to spread the word about K-12 cybersecurity and raise awareness of attacks and mitigation strategies. You can learn from the attacks on others.