With Google reporting that it detected on average 46,000 new phishing websites (Transparency Report) each week in 2020(!), I thought I would stay with the subject of cyber security this month and share some more resources I think are helpful for busy schools/trusts.
What is phishing?
Phishing is when attackers attempt to trick users into doing ‘the wrong thing’, such as clicking a bad link that will download malware, or direct them to a dodgy website.
Phishing can be conducted via a text message, social media, or by phone, but the term ‘phishing’ is mainly used to describe attacks that arrive by email. Phishing emails can reach millions of users directly, and hide amongst the huge number of benign emails that busy users receive. Attacks can install malware (such as ransomware), sabotage systems, or steal intellectual property and money.
Phishing emails can hit an organisation of any size and type. You might get caught up in a mass campaign (where the attacker is just looking to collect some new passwords or make some easy money), or it could be the first step in a targeted attack against your school/trust, where the aim could be something much more specific, like the theft of sensitive data.
In a targeted phishing attack, the attacker may use information about your staff or school/trust to make their messages even more persuasive and realistic. This is usually referred to as spear phishing.
So, what can schools/trusts do?
The UK’s National Cyber Security Centre (NCSC) recommends that phishing is best tackled by implementing good technical defences combined with reasonable levels of user awareness, education and training.
If you want to read further, see this blog post ‘I’m gonna stop you little phishie……’ which offers a great explanation as to why members of staff can’t be expected to solve the phishing problem all by themselves.
Follow the NCSC’s 10 Steps to Cyber Security
This guidance breaks down the task of defending networks, systems and information into essential components (steps) with advice on how to achieve the best possible security in each of the areas.
There is a useful infographic summarising the 10 Steps:
Utilise the NCSC’s free cyber security training for staff
See my October post for more details.
Share these summaries with staff
I really like these 2 infographics from the NCSC and CPNI (Centre for the Protection of National Infrastructure) which provide a succinct visual summary for staff on dealing with suspicious emails and spear phishing.
Support your governors/trustees to ask questions
The NCSC and the DfE have produced 8 questions for governors/trustees to help improve a school’s understanding of its cyber security risks.
They could be used by governing boards to start a conversation about cyber security between themselves and school/trust leaders. They are not intended as a checklist!
Did you know?
You can report any suspicious emails/potential phishing attacks to the National Cyber Security Centre (NCSC) via this link?
The NCSC takes action on every message it receives and will analyse the suspicious email and any websites it links to.
This reporting service was introduced in April 2020. As of 31 October 2020 the number of reports the NCSC has received stands at over 3,613,000 with the removal of 18,071 scams and 39,313 URLs.
If you need to report a fraud or cyber crime attack, you should contact: Action Fraud
Support from SchoolsDPO
The NCSC’s 10 Steps to Cyber Security are one part of my GDPR action plan that I use with the schools I am supporting. If you would like to know more, please get in touch for an informal chat. My contact details are at the bottom of the page or you can use this contact form.