While some of those assumptions may not be entirely incorrect, taking a complacent attitude to the threat of phishing attacks in the current digital environment borders on negligence. And it’s not just users that can be phished – it’s happening to parents too.
The financial and reputational damage to schools can be significant, and given the range of solutions available to guard against attacks, there really is no excuse for not getting a good report for your security defences. In this article and a series of similar ones on email security and phishing attacks, we’re looking more closely at the human factors involved in the attacks – and the inherent vulnerabilities this brings to schools’ cyber defences.
In this first article, we focus on the danger of complacency, and on real-world scenarios in which the best-laid IT policies and training can easily fail an exam!
Our school is well prepared – what risks could there be?
Although many schools now have sound policies, IT charters, formal staff training and awareness programmes, processes in place for reporting and managing security breaches (or suspected breaches), and largely and increasingly tech-savvy staff, there are still risks.
The first of these risks is the ever-increasing quality of phishing emails and the human factors this entails.
It’s always someone else that gets phished… right?
An IT teacher, an extremely tech-savvy professional with over 20 years working with and in IT, came extremely close to clicking a link in what turned out to be a phishing email: a notification that appeared to come from SharePoint. It looked so genuine that the only thing that prevented a click-through, and the consequences that could have followed, was that he knew his colleague was on sick leave and not at work.
The obvious point is that, had he not known the supposed sender was away from work, he could have clicked it. The school doesn’t have additional security layers on its email system, just the standard features included in Microsoft 365 (more on that in a later article).
So however clued up you think your users are, IT teams should be wary of sitting pretty and thinking that everyone has been through the training, signed up to the IT charter, and knows where to report things. That is all great practice – but a safety net is also needed. And all this is without taking into account parents, and the scams that can hit them.
Top marks – or resitting the exam?
The situation outlined happened to the tech-savvy IT manager, but it could equally have happened to any member of staff or parent of the school. The email could have been “from” a colleague who wasn’t on sick leave, in which case no red flag would have been raised and someone could have clicked the link in good faith.
The quality of phishing emails is sadly getting better and better, and they could purport to come from anyone: from the headmaster sending an internal memo to the accounts department, to a message to all the school’s parents carrying a malware-infested invoice attachment.
The question to ask is whether these scenarios are outlandish or fanciful – and you don’t need to take our word for it. A quick Google search of phishing attacks on private schools in the UK can be pretty eye-opening. If you still think it is fanciful, we challenge you to take our 2-minute test to find out how good your email security actually is – not how good you think it is. Being complacent about this could mean your school quickly finds itself at the bottom of the class!
Phishing is obviously a hot topic at the moment, so there’s plenty of further reading on MYREDFORT. Over the coming weeks in this series of articles on the theme of the human factors of phishing attacks, we’ll be examining how staff can become targets as a result of databases being breached, the risks of relying solely on Microsoft 365 security, emerging trends in phishing, and a “how-to of hackers”, so stay tuned.
For now, this article in particular outlines 4 steps to safer emails.