The Ever Present Phishing Peril In Education
It seems an almost monthly occurrence to read in the media of a school falling victim to a cyber security incident, and whilst the causes vary, phishing remains one of the most common initial attack vectors.
Most employees now have a general idea of what a phishing attack is (an attempt to trick a user into handing their username and password, or other sensitive information, to an unauthorised third party), but the increasing realism and sophistication of these ruses make them hard for even alert users to detect. With the rise of generative AI the usual tell-tale signs (poor grammar, spelling mistakes or inaccurate details) can no longer be relied upon; users are instead faced with slick, realistic emails carrying believable requests that appear to come from trusted sources.
Lateral Movement Increases The Impact Of A Breach
Whilst unauthorised access to a single user’s email account may seem relatively insignificant, attackers quickly try to move laterally inside an organisation to determine what other systems those user credentials can reach. Within a school context this may look like:
- Accessing the Student Management System (SMS) via the user’s credentials and retrieving personal student records, including addresses, health and pastoral care information and financial details.
- Being able to send bulk emails via the SMS that appear to come ‘from’ the teacher to both students and parents, amplifying the phishing attack by targeting the wider school community with further fake links to click.
- Accessing the Learning Management System (LMS) and retrieving or altering student grades and academic work.
- Accessing network or cloud storage and exporting sensitive documents.
Effective Defence Mechanisms Matter
The team at Cyclone are experienced in implementing multiple layers of defence to mitigate the risk from these types of attacks. These can include:
- Providing education for staff on how to spot common attacks and running simulated phishing attacks inside your organisation.
- Enforcing Multi-Factor Authentication (MFA).
- Implementing the Principle of Least Privilege (PoLP) – employees operate as standard users and must explicitly escalate privileges for specific actions (e.g. accessing the SMS, sending bulk emails).
- Applying Conditional Access policies, e.g. blocking, or requiring MFA for, any authentication request originating from outside NZ (this is very effective).
Each of these builds on the previous layer, creating multiple checks and balances so that successfully fooling a single employee is not, on its own, enough for an attacker to gain access.
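As an added illustration of the Conditional Access layer described above (example code written for this page, not Cyclone’s own scripts or configuration), the following PowerShell creates an Entra ID policy that requires MFA for any sign-in from outside New Zealand. It assumes a Microsoft 365 / Entra ID tenant and the Microsoft Graph PowerShell SDK; the policy name, location name and the two emergency-access account IDs are placeholders.

```powershell
# Added example: Entra ID Conditional Access policy requiring MFA for sign-ins
# originating outside New Zealand. Assumes a Microsoft 365 / Entra ID tenant and
# the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
# All display names and object IDs below are placeholders.

Import-Module Microsoft.Graph.Identity.SignIns

# Policy.ReadWrite.ConditionalAccess is required to create named locations and policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Define New Zealand as a country-based named location.
#    includeUnknownCountriesAndRegions = $false keeps IP addresses with no country
#    mapping OUT of this location, so they are still caught by the policy below.
$nzLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "New Zealand"
    countriesAndRegions               = @("NZ")
    includeUnknownCountriesAndRegions = $false
}

# 2. Placeholder object IDs of emergency-access ("break glass") accounts.
#    These are excluded so that an MFA outage or a mistake in the policy itself
#    cannot lock every administrator out of the tenant.
$breakGlassAccounts = @(
    "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002"
)

# 3. Policy: all users, all cloud apps, every location EXCEPT New Zealand -> require MFA.
#    Replace @("mfa") with @("block") to refuse sign-ins from outside NZ outright.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Require MFA for sign-ins from outside NZ"
    # Start in report-only mode, review the sign-in logs, then change to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = $breakGlassAccounts
        }
        applications = @{
            includeApplications = @("All")
        }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($nzLocation.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

Write-Output "Created policy '$($policy.DisplayName)' ($($policy.Id)) in report-only mode."
```

The policy is deliberately created in report-only mode: review the Conditional Access entries in the sign-in logs for a few days to confirm that legitimate staff (including anyone travelling or using a VPN that exits overseas) are not being caught, then switch the state to "enabled". Keep the break-glass exclusions in place and store those credentials securely offline.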
Preparing For The Inevitable
Adopting a “when, not if” approach allows a school to build an effective response plan in advance, including how to communicate with affected users and the wider school community, and who to escalate to for additional ICT support during resolution.
If you would like support in this area, please contact sales@cyclone.co.nz or call 0800 686 686