Learning
Did you know that, according to the Consortium for School Networking, over 90% of cyber attacks start with phishing? Phishing is the act of sending emails that provoke users to click to install software or to reveal personal information through fake websites.
Our Virginia schools are vulnerable to many different threats including ransomware, data breaches, and phishing. We can train our users, both adults and children, to recognize threats in their inbox and take action against them.
A full 90% of attacks start from a single vector - phishing. Over the years, K-12 technology leaders have tried to block spam, employ email firewalls, release barracuda into the waters, and learn the finer points of Bayesian filtering on a Microsoft Exchange server. Although most of the bad actors and suspicious emails were blocked, there are always exceptions.
Phishing is not your only security concern, but the statistics point to it being a major one. Cybersecurity awareness training for your various user types can help your users act as a human filter that catches the remaining suspicious emails. Basic cybersecurity awareness training is a good way to establish a baseline for your user community and ensure that everyone understands cyber to be a shared responsibility.
It is best practice to establish basic awareness training for each type of user in your community - technical staff, instructional administration and cabinet, school board, teaching staff, and even students. Training should occur annually for existing users and immediately following employment for new users.
Although most users can benefit from generic training, you may find that some users could benefit from more advanced or focused training. For instance, a school board member may need more training for dealing with email from unknown sources than a student who only receives email from vetted sources or users within their own domain. It is up to you to determine how focused you choose to make the training. Admin Cabinet members may need more information on student data privacy protections than teaching staff. Teaching staff may need a refresher on the importance of following FERPA guidelines when disseminating student data across the school.
If your school division has already established data governance roles such as data/system owners, stewards, or custodians, then you can imagine that specialized training covering the security needs for those duties is critical.
There are myriad providers of cybersecurity awareness training - most aimed at corporate responsibilities and corporate users. There are few specifically designed for K-12 environments. There are packages that are purchased and some that are freely available. I have listed a few examples at the end of this section. You could also choose to create your own content with tailored videos or presentations. No matter what you choose, the important part is to get started and keep users aware of their responsibilities.
Popular topics in awareness training include:
- Physical security and situational awareness
- Protecting work assets when working at home
- Password hygiene
- Specialized compliance training for HIPAA, FERPA, COPPA, PCI
- Phishing and Spear Phishing
- Multi-factor authentication methods
- Insider threats
- Safe browsing techniques
- Safe sharing and social media techniques
- Social engineering
Here's the takeaway: Start your awareness campaign. Focus your training for individual user types. Grow your capacity over time. Train annually.
Select Content Providers
- Cofense - The folks at Cofense, in Leesburg, VA, offer paid services to help your community better understand phishing attempts and thwart would-be attackers. Cofense also offers a series of free SCORM-compliant modules that can be uploaded to your favorite LMS. If you don't have an LMS, Cofense offers an online version. The content of the free section provides the baseline knowledge that your users need. You can expand and adapt with additional in-house content if needed.
- KnowBe4 - "Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense." KnowBe4 is a full platform suite that can train your users using various available modules in dozens of topics. KnowBe4 can simulate and train users on phishing attempts without causing havoc to computer systems. The company also has many free tools that can be used with your users without any cost to your schools.
- Inspired eLearning - Looking for free posters that you can hang in your favorite faculty lounge or office copy room? Inspired eLearning offers some freebies that are professional quality and can make a real difference. As a company, they also offer more advanced security awareness training.
- Infosec Institute - Student awareness is a specialized effort. This company offers some basic resources for student awareness training that can be used on your website or LMS. Additionally, the company has hundreds of awareness modules that can be focused for a K-12 audience. Watch the free linked videos for targeted school audiences.
- iSpring - You can always create your own content for your unique user base. Need to convert a PowerPoint presentation to SCORM content for your LMS? Check out iSpring.
This list is not exhaustive. These are just some of the more well-known providers and services.