The umbrella organisation for Catholic Education drew up an internal phishing simulation. The result demonstrated some sore points.
“In May 2020, we established that the number of phishing emails that our members received had doubled compared to the same month a year earlier,” said Peter Declerck, Staff Executive and Contact for Information Security. “Unfortunately, we saw that this was reflected in the number of institutions affected: never before had so many schools fallen prey to hackers.”
“Phishing in education is sometimes underestimated,” says Declerck. He is responsible for training courses on the GDPR and cyber security at the educational institutions of approximately 600 school administrations in Flanders and notices that such topics are not always top of mind: “As happens so often, it seems as though people first need to experience it first-hand before they realise how vulnerable they are.”
“That is also the reason why we performed simulations on our colleagues. In this way, they were confronted with phishing in practice and they experienced what happens when such an attack is successful,” said Declerck. In this case, 35% of the addressees clicked a link in the simulation – more than the average of 20%. “The test actually caused some tumult, despite the fact that it was only a simulation and that, therefore, no data or systems were endangered. People immediately started to get worried and our IT department was soon overburdened with questions.
“The impact also lingered for quite some time thereafter,” said Declerck. “Our employees are now much more alert and have since then been able to recognise and report numerous different phishing attempts. Everyone now realises how easy life sometimes is for hackers.”
The treasure trove of education
When a school is hit by, say, a ransomware attack, the hackers sometimes target the Contact for Information Security (CIS). That is how Declerck encounters various types of digital risks and problems. “It is striking how similar problems often are, despite their own specific context. The largest common denominator is often a lack of time, money and resources.
“Everyone makes every possible effort to protect schools, employees and pupils as well as possible but there is a limit to what you can achieve with the restricted resources at your disposal. However, every institution is a treasure trove of information: every school manages very many people’s personal data. Such a booty makes hackers extremely happy.
“That does not concern only the possible profit to be earned by a ransom,” explains Declerck. “Someone who is able to get his hands on pupils’ data also has a grip on those people’s lives in a vulnerable stage of their development. It opens the door to discrimination, bullying, identity fraud, etc.”
The most common digital threats are still caused by mass campaigns that try to make as many victims as possible. Declerck: “Think of an ‘email from a headmaster’ to an administrative employee containing the request to check an invoice, although we do notice that ‘spear phishing’, targeted emails based on information that hackers find in staff data, are also on the increase. If an attempt like that is successful, it immediately leads to much greater consequences.”
That is why Declerck and his colleagues have added an additional part to the training courses that they give. “We focus mainly on the schools’ GDPR compliance,” he says, “but cyber security does, of course, form an integral part of that; it is even literally stated like that in two articles in the GDPR. A school that loses data must report such a fact appropriately to the authorised supervisor. Such a leak may be caused by hacking attacks. That is why it is important that we tackle the source of the problem.”
It is only getting worse
“Schools will really need to be alert: the current circumstances are causing digitisation to become increasingly important and that will never diminish again,” according to Declerck. “Look at the proposal by Flemish Minister for Education, Ben Weyts, for example. He wants to provide every pupil with a laptop and internet, so that everyone has the same access to quality education. This is a noble – and essential – aim. But if schools do not evolve simultaneously, there will be problems, and these will occur sooner rather than later.”
“The pupils must also be included in campaigns on raising awareness,” says Declerck. “They bring their own devices to school. They unintentionally endanger systems and networks if they, too, are not aware of the dangers lying in wait for them. You nip the problems in the bud by informing them at a young age.”
Finally, Declerck wants organisations that have been hit to come to the fore: “Like Maastricht University did. That was a good story of crisis communication. They clearly communicated what had happened to them and also how they handled it. They shared their experience, which enabled other institutions to better arm themselves.
“Too often, organisations still try to keep quiet about their digital accidents. This is unfortunate: by sharing information as much as possible, we can arm ourselves, develop best practices and possibly prevent much more and greater disaster. Experiencing a hack is painful but, actually, you need not be ashamed of it,” says Declerck. After all: “Everyone is vulnerable, anyone can become a victim.”