Interview: How Security Awareness Training Protects Schools from Cyberattacks
When it comes to strengthening the cyber defenses of a K12 school or university, the size of software budgets and IT teams only goes so far.
That’s because the responsibilities for preventing cyber attacks are far broader.
“It’s not just IT or InfoSec’s job to make sure we’re secure,” says John Just, Chief Learning Officer at KnowBe4. “It’s everyone’s job.”
KnowBe4 is a security awareness training platform that helps organizations train team members to understand and recognize cyber threats. The platform tackles the ongoing problem of social engineering through a comprehensive library of content and tools like simulated phishing emails.
According to Just, KnowBe4 is sort of like the Netflix of securing awareness training, with a vast and growing array of training programs and interactive content aimed at teaching individuals, teams, and organizations how to identify and respond to a variety of cyber threats.
KnowBe4 offers both paid and free tools to help organizations—including schools— combat a variety of issues around cybersecurity, especially one of the biggest threats: human error.
When it comes to schools, getting leadership, faculty, staff, and even students into the process of detecting threats can go a long way towards stronger defenses.
We spoke with Just (pictured below) about what hackers are really after when they attack schools, advice to IT departments working at these organizations, and why schools may want to team up with students to defend themselves.
Coro: How does KnowBe4 work with schools and universities?
John Just: “So cyber criminals; they’re like water, right? I see a crack, I’m going to make my way through that crack. And we’re seeing huge attacks on education. Here’s a scoop for you. We are launching a new student edition that is coming out. And it’s going to be training specifically for students for an extremely low price. And this is because we are the biggest player in education right now.
“We have universities and college systems around the globe. And we also have a lot of K12 organizations. So we have a cyber security kit for younger kids. We just built a roadblocks game this past year to raise awareness. And so we have kids going on, playing the roadblocks game. We have a password zapper game that makes it fun and interesting. We have children’s activity kits…
“We just launched an AI module for students. So for young students, it’s completely free. It’s open source. It’s available now.
“When we get up into the older students, and they’re starting to get a debit card and they have passwords to things, that’s where the student edition comes into play. A number of large university systems are working with us and we want to protect their faculty, staff, and students. And the faculty and staff need to be educated. And we gear a lot of our training for those specific areas… We want to make sure we’re catering to the education market and making sure that they’re well protected because as you point out it’s, we’ve seen a huge uptick on our end in attacks toward education.”
Coro: What sorts of information are cyber criminals looking for when they target a school or university? Because it’s not just strictly related to school administration stuff, right? What are they going after?
John Just: “(At universities), they’ll go after federal student aid of students. They’ll compromise an account of a student and actually change what student aid is going to them to actually their bank account.
“So we’ve heard horror stories, unfortunately, that a student gets $20,000 for their scholarship. It gets deposited into their financial aid account. And then rather than going to the school, it actually goes to a cyber criminal’s bank account. So you’ve got that.
“Ransomware is rampant, especially in K12 schools. And you have the student information system that has social security numbers, identities, grades, which is protected in the states here by FERPA—which is a federal law that says if I’m a school district, this information cannot be disclosed unless I have the correct permissions from the parent.
“I could be liable for a huge FERPA violation if my student information center system has been ransomed. And cyber criminals are threatening me unless I pay $200,000 worth of Bitcoin, and they’re going to release it all to the web: everybody’s grades and personal information. So within K12, I would say it’s ransomware (that’s the biggest threat.)
“Within higher ed, there’s that (student aid) scam that I mentioned, which is getting into your account and compromising it. That might be a phish. It might just be simply, I’m using old credentials. I don’t have MSA enabled. So I’m just trying a bunch of brute forcing with a bunch of credentials. And I get in.
“There’s also employment scams. So people are often looking for a great part-time job online and all you have to do is sign up. But by the way, we need a $500 gift card that we’re going to double, by the way. But you need to send it here. So low level scams like employment scams are something we’re seeing a lot of as well.”
Coro: In terms of implementing stronger cybersecurity protection, what are some of the common themes you’ve seen in schools and universities? What are some of the challenges that they’re facing in implementing stronger protections?
John Just: “Yeah with K12 schools, obviously taking off prem, on prem data center things that can be (targeted by) ransomware and moving those to more cloud protection with multi-factor authentication.
“Cloud-based systems that are easily recoverable and backed up and a better hardening of protection. And like we said at the beginning about our job: see something, say something. If you can get as many people involved in that as possible.
“Often with these attacks, what we’re seeing is you’ve got several teachers that are already compromised, right? It’s already there in their email accounts. And then (attackers are) able to social engineer from the inside. So very complex, multi- layer attacks.
“And I say very complex, but really not that complex when you think about it; it’s low-hanging fruit and (the attackers) are able to then move around internally and convince people to give them access to things or get access to things that they really shouldn’t.
“So raising that awareness and building that culture of seeing something and saying something. Being educated about what the red flags are and being part of that alert system to be able to tell people if they’re seeing something that’s unorthodox. It’ll add to big physical presences right within colleges and universities.
“So the old USB attack that’s been around forever and some of these more tried and true that, you know now within the organizations like businesses. Are not going to, you’re not going to just walk in and plug in a USB into something and that’s not going to work anymore, right? But I could walk into a school library right now and I could bring a USB key with me.
“And I can install malware and I can get that spreading throughout the network. So there’s that physical component that I have to be aware of as well. And again, see something, say something and be part of that human firewall.
“In terms of I guess one of the challenges you’re seeing, is it an awareness thing? Is it a budget thing? Is it all of the above? Is it just not having big IT teams? I think all that plays a role. I think all that plays a role.
“And I’ll be honest and a little controversial here. There’s a bit of ‘it’s not my job’ from some faculty members. And I’ve seen op-ed pieces and stuff: don’t do (simulated) phishing emails to people (for training purposes). It’s rude.
“It’s not rude. You’re missing the whole point of what it’s for: it’s an educational exercise. And it’s funny: I’m a doctorate holder myself, and I’m an educator. I’ve been an adjunct faculty member for a long time. And I see this sort of, ‘oh, just because I clicked on this doesn’t mean I should do training and I know better.’ And it’s an arrogance. And it’s being exploited.
“We need to be a little bit more humble in areas that are not our expertise and we need to take best practices and apply those best practices to build that muscle memory.
“We are hearing about the tip of the iceberg. And it’s embarrassing when I make a personal mistake and I give my credentials for my bank or access to my bank to a cyber criminal.
“So I’m less likely to share that. But it’s in people’s best interestS to share those stories because we need to make people aware that this happens way more frequently and it can happen to them. And if we’re training them for your organization, they can also use those same skills personally and not fall victim to cybercrime.
“Because this is not slowing down. We’re seeing this increase. Massively increase.”
Coro: Anecdotally, what you mentioned with the idea of ‘this isn’t my job.’ I’m wondering what percentage of staff and admin, versus the students ,would be saying something like that, because as we know, the students all have digital devices and can all be targets as well.
John Just: “So students is an interesting one. I don’t have a lot of data there, but we do have data because we have a Security Culture Survey. And a lot of the questions in the security culture survey were around responsibility: my personal responsibility versus IT’s responsibility.
“What I can tell you is after training, after sustained training, you see an increase where people start to be educated and understand that they are an important part of this. So it starts very low. I would say less than 10-percent of people.
“In an organization like an education organization, they go, that’s InfoSec’s job. They’re supposed to protect me. And then after some education, you can get that to a level of 60-70-percent of the organization going, ‘Oh, I understand that I have a role to play.’ And it can be beneficial for me as well to learn some of these skills personally. Now it’s cracking that 70-percent.
“It’s that other 30-percent; getting them to understand that can take a sustained effort, a lot of communication, and strong leadership. It’s going to take deans, principals, organizations stepping forward themselves as leaders and going, ‘This is critical to our success. We can’t lose all the records of our students. We can’t have our students losing their financial aid. You professors, you deans, you, all of you, you have to take some personal responsibility and I’m going to take responsibility as a leader for that as well.’
“So when we see people stepping forward from leadership, that’s where we can see people cracking into that top 30 percent that doesn’t really want to move in terms of saying this is not my problem.”
Coro: What advice would you give to IT directors who are working at a school like a K12 or a university today in terms of improving their protection?
John Just: “Educate yourselves. Educate your staff. It’s an ongoing problem. It’s an issue. We talked about AI at the beginning of this. I use our AI portal as a tool to do research myself. Your adversaries are learning constantly. And so you need to be learning constantly.
“This is a persistent problem that’s not going to have an easy solution. And I think some of the mindset out there is we’re going to patch this. We’re going to patch the social engineering. But just like patching, there’s a new patch that comes out all the time as vulnerabilities. And we have to think of it as ongoing patching. It’s not going to be finished.”
“And so if you have that would be number one. Have that mindset that this is a persistent ongoing problem that I need to have a persistent ongoing solution for. And we sometimes get wrapped up in, ‘Okay, the sales people are telling me if I buy this one firewall, if I buy this magic device, if I buy this, if I buy that.’ You’re not going to buy your way out of this problem.
“So even though you don’t have the budget, which is a problem in education. The good news is you’re on a level playing field with the people who do have the money. So you have to, I mentioned, you have to get leadership involved. You have to get them to buy in. Sometimes you have to do a separate training program for the executive leaders.
“We assume sometimes we have a bias as cyber security professionals that they know or they remember the ransomware incident. We just had the phishing close calls. We had to put out five or six other fires in the meantime. Yeah, so they might not remember so we have to retell those stories and go this could happen again.
“What do you get them to buy in to? What do you think we should do from an awareness perspective? What’s your advice from a communication perspective?
“Because getting that leadership buy-in, getting the leaders within the organization to realize it’s a problem, and getting behind the awareness program, and getting behind staffing correctly to address social engineering threats is going to go a long way.
“We’re going to need to spend as much money as we can. We need to have a person dedicated to security awareness and culture within an organization. In a small school, that might not be a fulltime person, but at least it is someone that I can give a stipend to that’s going to be focusing on that and thinking about that.
“At a larger institution, I might need a team that’s focusing on this. If I’ve got a team that’s doing basic security for the firewall. I should have a team for the biggest attack factor, which is social engineering. And so making sure we’re aligning what we’re defending to where: what is most likely going to be where the attacks are going to be coming from?
“Our efforts are where we’re spending our time should all be aligned on that data driven defense, not what I think people are coming to me with, but my analysis of where I see real attacks getting through close calls happening.”
Coro: Last thing, anything that we missed or anything you want to add?
John Just: “(In terms of students,) I would say we talked about recruiting up in the C-suite, but we also need to recruit some of them.
“They have some bright minds. We have some great white hat groups that can do some teaming within your organization. So that would be the other thing I would say is co-op some of those young, bright minds and get them moving in a positive direction where they’re helping the organization and are able to do some white hat stuff too.”
