Four Cyber Threats to Public Schools
Here’s why public schools (and most workplaces) need security awareness and training for their staff. There are four major threats faced by school districts that include an employee component.
Employee W-2 Theft
The attack vector is e-mail. An employee in HR/payroll is sent an e-mail request for employee W-2s from someone impersonating the superintendent. The employee then unknowingly sends them to the scammer.
Impact to the district: Notifying employees of the breach in compliance with state data breach notification laws and purchasing credit monitoring for the employees.
Impact to employees: Risk of identity theft and tax refund fraud.
Wire Transfer Fraud
The attack vector is e-mail. An employee in the business office/purchasing receives an e-mail wire transfer request purporting to be from the superintendent. The employee unknowingly wires money to a “vendor” but is actually sending it to a scammer.
Impact to the district: Financial loss of whatever amount the bank cannot recover.
Disclosure of Employee/Student Private Information
There isn’t an attack vector here unless an employee was tricked via a phishing e-mail. Most disclosures of private information are a result of the oops! vector, also known as a mistake, such as when responding to a public records request and including sensitive information.
Potential impact to the district: With several laws and regulations protecting personally identifiable information and student information, the potential impact of improper disclosure includes data breach notifications to affected individuals, the purchase of credit monitoring for those individuals, and potential funding issues if there was a violation of FERPA.
Malware
The attack vectors include e-mail attachments, e-mail links to malicious files, and malicious website notifications enticing users to download software. Note that an initial malware infection can lead to additional attacks (e.g., contact-harvesting malware may then send the collected data over to a phishing scheme).
Potential impact to the district: Impact severity ranges from wiping and restoring one employee’s computer to impacting the entire school district, requiring partial or full shutdown while recovery efforts are underway.
Malware, like ransomware, can be prevented with tech solutions such as antivirus and restrictions on temporary directory execution, in addition to employee awareness. Ransomware effects can be mitigated with virtual machines and backups.
With three of four threats involving e-mail, it’s important to get information out to your staff about phishing. Make it a priority! To prevent accidental information disclosure, consider creating and distributing a data classification guide to your organization’s information officer, anyone who responds to FOIA requests, or anyone who deals with student information reporting or employee information like HR.
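The W-2 and wire transfer scenarios above both rely on a message that carries the superintendent's name but does not come from the district. The following is an added example, not part of the original article, of a mail-filter check for that pattern; the district domain, the superintendent's name, the keyword list and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the district's mail domain, the names worth
# impersonating, and the request keywords taken from the two scenarios.
DISTRICT_DOMAIN = "district.example"
PROTECTED_NAMES = {"pat rivera"}  # constructed superintendent name
SENSITIVE_TERMS = ("w-2", "w2", "wire transfer")

def domain_of(header_value):
    """Return the lower-cased domain of the address in a From/Reply-To header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def impersonation_flags(raw_message):
    """Return the reasons a message looks like executive impersonation."""
    msg = message_from_string(raw_message)
    display, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From"))
    flags = []
    # Core signal: a protected name on an address outside the district.
    if display.strip().lower() in PROTECTED_NAMES and from_domain != DISTRICT_DOMAIN:
        flags.append("protected-name-external-sender")
    # Replies would be routed to a different domain than the visible sender.
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != from_domain:
        flags.append("reply-to-domain-mismatch")
    # Only single-part text bodies are scanned here; multipart is skipped.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(term in text for term in SENSITIVE_TERMS):
        flags.append("sensitive-request")
    return flags

# Constructed sample messages.
SPOOFED = """From: Pat Rivera <pat.rivera@freemail.example>
Reply-To: payroll-desk@other.example
Subject: Urgent: employee W-2 copies

Please send me all employee W-2s as a PDF today.
"""
LEGIT = """From: Pat Rivera <pat.rivera@district.example>
Subject: Board meeting agenda

Agenda attached for Thursday.
"""

if __name__ == "__main__":
    print(impersonation_flags(SPOOFED))
    print(impersonation_flags(LEGIT))
```

A message that forges the district's own domain in the From header passes the first check; that case is handled by SPF, DKIM and DMARC enforcement at the mail gateway.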