Cyber-attacks pose a big threat to schools and many have already been targeted. Matt Britland, director of IT and digital strategy at Alleyn’s School in London, explains the importance of ensuring staff and students can identify phishing emails.
The weakest link in any system often tends to be the user; a school could have excellent security systems but still fall victim to a cyber-attack because of a mistake made by a user on the network.
It can be easy for people who work in technology to forget that phishing attacks are not on the radar of most users of technology. Teachers and students are busy – and can receive large numbers of emails. It’s very easy to fall for a phishing attack when you’re rushing through your emails and, perhaps, not paying too much attention to the way the email is written, or who it is from.
It is vital that schools educate staff and students on how to avoid phishing attacks – not just to protect the school, but also so they can protect themselves and their own important data.
What can schools do?
When it comes to teachers, a good place to start is during an inset or staff meeting. Explain what phishing is and how you can spot attacks. Advise them to look out for things like badly worded emails, links that take them to strange URLs (even if the website looks legitimate), anything that asks them to enter details they would normally not be asked to enter, or emails claiming to be about invoices they know nothing about. It is a lot to remember, but vigilance is important and, if staff are careful when looking at emails, most phishing attempts can be spotted and reported to IT support.
Regular reminders, whether via email or in staff briefings and other meetings, are vital as it is easy for staff to be less vigilant when they are so busy.
Another strategy, which will give schools an idea of how alert members of staff would be to an attack, is to send out a fake phishing email. This enables schools to track how many times the fake link in the test email has been clicked on. The purpose of this is not to cause problems for members of staff, but rather to give the school an idea of how much further training is required; this should be clearly explained to staff.
Students can also be affected by phishing scams and, although they don’t have access to the same sensitive data that teachers do, they can still give away personal details. The ideal time to cover this would be in computing lessons, as IT security should be part of the curriculum. Assemblies are also fantastic places to warn students about the danger of phishing.
Phishing attacks are a real threat to schools. As long as staff and students are made aware of the danger, are reminded regularly, and know what to look out for, you can reduce the risk of security breaches.