Educate & Communicate: Your Role in School Cybersecurity
Digital scams are prevalent—from spoofing to phishing to impersonation; you likely have experienced online fraud. And while you may not fall for the mysterious foreign prince who needs you (and only you) to handle his funds for a substantial monetary reward, modern technology has made fraud harder to identify. In this blog, we explore common communication scams and give you some school cybersecurity messages you can copy/paste to share with your employees.
Oh, and by the way, if you don’t forward this blog to ten people, you’ll have bad luck for the next year. You’ve been warned.
The Role of Communicators in School Cybersecurity
As school communicators, you play a pivotal role in shaping the cyber-aware culture within your educational institutions. You are the bridge between the technical intricacies of school cybersecurity and the practical implementation of safety measures.
“IT departments are the architects of the digital fortress,” says Andrew Hagen, CEL Integrated Marketing Coordinator. “But school communicators are the guides who ensure every member of the educational community knows the way to safety through the ever-changing maze of cyber threats.”
As a former contractor for The Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA), Andrew is intimately familiar with the dangers of complacency in cybersecurity. “Not everybody is a technology expert, so it is crucial to develop clear and concise messages that emphasize the significance of cybersecurity,” Andrew advises. “It’s important your community knows the IT department cannot safeguard against all threats. Each employee must understand basic school cybersecurity best practices as well.”
Your role as a school communicator goes beyond conveying information; it involves fostering a mindset of vigilance and proactivity. Think of cybersecurity awareness as reputation management and crisis-prevention. If you are hit with a ransomware attack or data breach, you will be on the frontline of the crisis response. By staying ahead of emerging threats and understanding the evolving landscape of cyber threats, you are better equipped to protect your educational community.
October is Cybersecurity Awareness Month
This month, your role as a school communicator becomes even more critical. Use the heightened awareness to engage your community in meaningful discussions about school cybersecurity, organize informative workshops, and promote best practices.
“Cybersecurity Awareness Month is a powerful reminder that cybersecurity is a collective effort. It’s a time when we come together,” said Andrew, “to enhance awareness, inspire action, and foster a culture of cyber safety within our educational communities.”
Protect Your Facebook Account
The Cybersecurity & Infrastructure Security Agency (CISA) tells us that 600,000 Facebook accounts are hacked every single day. No, that’s not a typo—that’s a DAILY rate. Be sure your organization follows Facebook best practices to protect one of your most significant channels.
- Facebook has updated its policy to emphasize the importance of having individual administrators for every Facebook page, rather than allowing accounts associated with organizations. It is now essential that each Facebook page is managed by real individual accounts to comply with their guidelines. If a generic profile manages your Facebook business page, it’s time to fix that—before you lose access to your entire page for good (yes, we’ve seen that happen!).
- Set backup administrators with full permissions to your account. That way, you have a safety net if someone loses access to their account.
- Use multi-factor authentication (MFA) methods to access important accounts. We know getting a text code or email every time you want to get into your accounts is annoying, but it’s an added layer of protection that you’ll be grateful for when the time comes.
Familiarize Yourself with Common Scams
Spoofing is a clever but malicious tactic cybercriminals employ to deceive individuals and organizations alike. It involves falsifying sender information in emails, text messages, or even caller ID displays, making them appear to originate from a trusted source.
This may take the form of your finance director asking you to send over an account number or password because they’re “busy in a meeting.” It could look like your HR department is sending out a survey link that requests personal information. It might be an email from a client with nothing but an attachment asking you to open the document urgently.
How can you protect yourself when even a text message or email address looks real? Chances are these emails will raise a red flag—if you’re being asked to do something urgently, something unusual, or share important information like social security numbers, account numbers, or passwords, always double-check with your colleagues or clients to make sure the request really came from them. Remind your team to be on the alert for email spoofing by sending out the reminder below:
Subject: Stay Alert: Watch for Email Spoofing
Spoofing scams can make it appear that emails are coming from trusted colleagues or institutions. Be cautious of any email that seems unusual or asks for sensitive information, even if it seems to be from someone you know. Always verify the sender’s identity before sharing private data or granting access to files. Your diligence helps protect our community.
You know the real IRS won’t ask you to pay your bill with Apple iTunes gift cards. But today’s scams are becoming increasingly savvy, and sometimes the first part of a scam is just testing the waters. If you open a phishing email and click on a link or the attachment, the scammer knows you’re a better target for follow-up scams.
Phishing scams involve cybercriminals sending deceptive emails or messages that appear to be from legitimate sources, like banks, delivery companies, social media platforms, or colleagues, but are designed to trick recipients into revealing sensitive information such as passwords, credit card numbers, or personal data.
Help your organization maintain good school cybersecurity practices with a reminder to stay aware, such as the email below:
Subject: Protecting Against Phishing Scams
In today’s digital age, let’s remain vigilant against phishing scams. These scams can sneak into our inboxes, posing as legitimate emails. To protect our organization and personal information, always double-check the sender’s email address and be cautious when clicking links or sharing personal data. If an email asks for important information such as passwords, payment information, or other sensitive data, consider a phone call to confirm the request verbally. When in doubt, please report suspicious emails to our IT department immediately.
Copy & Paste Information
Ugh! Facebook changed the algorithm again, and your friends aren’t seeing your posts. But if you paste a specific message, all your friends will start seeing your posts again. And if you paste this message, Facebook can’t claim ownership of your photos. And please share this message to help an adopted veteran find their birth family.
These copy-and-paste hoaxes are standard fare across Facebook, and even your most savvy friends may be caught up sharing a post like this. So why do scammers do it?
Some scammers are doing “like and share farming”—meaning they post content that will get the most interaction on social media. It may be a photo of an ill child or someone searching for their birth parent, and many times, these photos are from real people, and their image has been stolen for use across social media. Another common like-farming tactic is a question that generates a lot of responses (“I bet you can’t think of a girl’s name that ends in the letter ‘E’!”).
These hoaxes are designed to identify people who may be more susceptible to scams. If you regularly engage with these like-farming accounts or copy-paste false information on your account, you’re likely to click links in emails or fall for other types of scams.
Protect yourself from these hoaxes by pausing before sharing anything about someone you don’t know. Consider sending the following email reminder to your staff:
Subject: Protecting Against Hoaxes and Social Media Scams
In today’s digital age, we’re all connected through social media, so it’s important to stay informed and vigilant against potential hoaxes and scams. Deceptive practices by hackers can compromise your online security and harm others inadvertently. Here’s a quick reminder to help you protect yourself and those in your online community:
Beware of Copy-and-Paste Hoaxes:
You may have encountered posts that urge you to copy and paste a specific message for various reasons, like improving your Facebook visibility or helping someone in need. These messages may appear well-intentioned, but they are often “like and share farming.” Sharing these messages won’t have any real impact on your online experience, but may flag you as an easy target. Be cautious and think twice before reposting them.
The Dangers of Like and Share Farming:
“Like and share farming” scammers post content designed to generate high levels of interaction on social media, such as heartwarming stories or intriguing questions. While these posts may seem harmless, they can be used to identify individuals who are more susceptible to scams. Another common like-farming tactic is a “quiz” or question that generates a lot of responses (“I bet you can’t think of a girl’s name that ends in the letter ‘E’!”). Engaging with these accounts may put you at risk of falling victim to other types of scams. Be mindful of what you interact with on social media.
Stay Cautious and Verify Information:
When you encounter posts or requests from unfamiliar individuals, take a pause and assess their legitimacy. Exercise caution before sharing personal information (favorite foods, colors, or travels) or engaging in actions requested by unknown sources. When in doubt, refrain from sharing or responding. Always prioritize your online safety and the safety of your online connections.
Your Account Has Gone Against Community Standards
Scammers use fear and urgency to manipulate recipients into taking actions they wouldn’t typically take, such as clicking on malicious links, downloading malware, or sharing personal information.
You received a notification on your Facebook account that says you violated copyright or went against community standards. If you don’t click a link to appeal, your account will be suspended! What do you do?
A. Panic and click the link to submit an appeal. You can’t have your account shut down!
B. Forward the scam to your colleagues—undoubtedly, one of them will know how to handle it.
C. Ignore the problem. If it’s real, you’ll find out when your account is suspended. But it’s probably not real. Probably.
D. Go to your Facebook Security and Login Settings and visit the ‘See recent emails from Facebook’ section. If it’s a real message, you’ll find it there.
Scammers rely on your fear and sense of urgency. To avoid fear, familiarize yourself with official communication channels and double-check the legitimacy of any message. In this example, option A is what the scammers are relying on. If they can scare you, you’re more likely to make a mistake in your haste to solve the problem.
Option B sounds good, and it’s always OK to crowdsource an opinion on whether something seems legitimate. Still, as technology advances, these scams will only improve. Avoid forwarding a suspicious email and increasing the possibility someone in your organization will click the link. Right now, these scams have obvious red flags like typos, using the wrong font, or using a skewed or old version of the Facebook logo. But through AI, these scam messages will look more and more accurate, meaning the only way you can double-check legitimacy is through official channels.
And while you can ignore some scams, sometimes you want to do your due diligence and double-check there isn’t a problem. We recommend option D: knowing authentic communication sources. (This applies to your bank and UPS deliveries too.)
Cybersecurity Best Practices
In cybersecurity, knowledge is power, and collaboration is vital. Here are some simple cybersecurity best practices you can encourage in your organization:
- Encourage the creation of robust and unique passwords for all accounts. For the more forgetful members of your organization, a password manager (such as Bitwarden, LastPass, etc.) may be an appropriate solution.
- Emphasize the importance of Multi-Factor Authentication (MFA) for added security. And those security questions you have to answer? It’s better to come up with a fake answer that you’ll remember. What’s your hometown? Gotham City. Your first car? The Batmobile, naturally. When you use consistent (fake!) answers to security questions, scammers can’t use easy-to-access personal information to break into your digital accounts.
- Provide guidance on identifying and promptly reporting suspicious emails or messages. Share common phishing tactics and warning signs. Don’t ignore younger generations in your messaging either—a survey by Deloitte found that tech-savvy younger generations are more likely to fall for online scams.
- Work with your technology department to ensure software updates are readily available to all staff, including automatically pushing out updates as needed. Stress the need for regular updates to patch vulnerabilities and protect against cyber threats.
Preparing for Cyber Attacks: Having a Plan in Place
In addition to promoting school cybersecurity best practices, it’s essential to be prepared for the possibility of a cyber-attack. Just as school communicators collaborate with all departments to ensure effective crisis management, you will likely be called upon if your district falls victim to a ransomware attack or a hacking incident affecting your social media networks. Therefore, it’s crucial to collaborate closely with your school’s IT department to develop a comprehensive cybersecurity incident response plan.
This plan should include:
- Identification and Detection: Establish procedures for quickly identifying and detecting cyber threats or breaches—train staff to recognize unusual activities or signs of a potential attack.
- Response: Define roles and responsibilities for responding to a cyber incident. Create a chain of command and procedures for reporting and escalating incidents.
- Containment and Mitigation: Outline steps to contain the incident and mitigate its impact. This may involve isolating affected systems, removing malware, and patching vulnerabilities.
- Communication: Develop a communication plan that specifies how and when to inform relevant parties, such as staff, students, parents, and law enforcement agencies. Remember to follow legal and regulatory requirements for data breach notifications. Tip: make sure you communicate with internal staff before external stakeholders—a good rule of thumb is always to provide talking points to internal stakeholders before the information is known to your greater community.
- Recovery: Detail the process for recovering from a cyber incident, including restoring systems, data, and services. Ensure that backups are regularly maintained and can be reliably restored.
- Post-Incident Analysis: After resolving the incident, conduct a thorough post-incident analysis to identify weaknesses in your cybersecurity defenses and response procedures. Use the lessons learned to improve your school cybersecurity posture.
Having a well-defined incident response plan can significantly reduce the impact of a cyber attack and help your educational institution recover more quickly. Importantly, this plan must be in place long before you need it. When a cybersecurity breach occurs, the speed at which you communicate is vital. Schools are a prime target for cyber attacks, and it’s probably not a matter of if—but when.
Crafting a Safer School Cybersecurity Environment
Fostering a culture of cyber safety within your organization cannot be overstated. Your ability to communicate, educate, and empower students, staff, and parents in cybersecurity is pivotal in creating a safer digital environment. Let Cybersecurity Awareness Month be a reminder that cybersecurity is a shared responsibility, and your role as a school communicator is vital in ensuring a safer, more secure digital future for all.
Published on: October 4, 2023