5 Steps to Preventing Ransomware with Cyber-Aware Staff

Strategies for increasing awareness
By: | Issue: December, 2018 | Web Seminar Digest
November 28, 2018

Preventing ransomware attacks at your district requires more than just anti-virus programs and firewalls. As hackers target schools with growing intensity, it’s time to add a layer of security awareness training to your district’s overall security strategy.

In this web seminar, the CTO of the Metro School District of Wayne Township in Indiana shared how the district is using a highly effective, five-step security awareness program, which was developed in response to four district ransomware attacks, and how to use these five steps to create more security awareness in any district.


Pete Just, CETL

Chief Technology Officer

Metropolitan School District of Wayne Township (Ind.)

Kristin Zurovitch

Director, Corporate Communications

InfoSec Institute

Pete Just: The Consortium of School Networking (CoSN) did a study last year and found that there are five cybersecurity threats that schools are having to respond to: phishing emails, DDoS attacks, data breaches, ransomware attacks and IoT vulnerabilities. These are the things that we as technology professionals have to work to secure schools against. Our focus today is on phishing emails and ransomware—two key threats for schools.

1. There’s a need to shift the culture a little bit. Teachers understand regulatory compliance things like FERPA and HIPAA, but they don’t always think that this piece of cybersecurity is their responsibility. We have to shift that idea so that they start thinking, “What can I do to keep my students’ data safe?”

We need to frame this as something that’s related to our district’s goals and mission. If we tie our district security needs to helping meet the organizational goals and mission, and then also explain the potential risk impact to those goals and mission, people will start to become a lot more engaged. We then want to set the staff up for success by having systems in place that will not expose them to any more risk than they need to be exposed to in the regular completion of their duties.

2. The second step is related to that: How do you get the board and administration team into a conversation on this? The culture shift continues by getting buy-in from everyone—even folks you might not think of right away who could be edge vulnerabilities. They need to understand how these issues might impact their goals and perhaps slow the progress on things they want to accomplish.

3. The third step is personalizing our learning paths. By doing phishing simulations and campaigns, people are self-selecting by clicking on things. When they do that, they have a real-life scenario that they actually did click into. Then we follow up with training. So the way we personalize the learning path is by allowing people to self-select into the training.

Our school leaders, principals, assistant principals and department chairs have all been taught how to model their best practices in terms of cybersecurity awareness. We use October, Cybersecurity Awareness month, to really promote awareness in ways that are even greater than during other times of the year.

4. It’s important to engage staff and empower mentors. Once you provide people with a bit of training, all of a sudden, they become the go-to people to help their peers. Those folks that have a natural affinity for it become empowered to be cybersecurity mentors.

5. You have to promote your cybersecurity awareness efforts and measure their effectiveness. Then you start this process all over again.

Kristin Zurovitch: InfoSec Institute is loaded with free tools to get you started and keep the momentum going. There are posters and infographics, planning guides and best practices to help you take that initiative and move your program forward.

InfoSec Institute also offers a complete security awareness and anti-phishing platform called SecurityIQ. We take a personalized approach for your faculty, staff and students, so you can engage them with relevant training.

Since everyone learns differently, it’s important to be able to adapt the content, so there are 300 training modules. Several are tailored to compliance regulations, such as FERPA.

Any district using SecurityIQ to train their faculty and staff is eligible for free and unlimited SecurityIQ learner seats for all their students. Students learn how to stay safe online with security videos tailored in tone, content and visuals to elementary, middle school and high school students. Modules include topics like how to stay safe on social media, how to shop online securely and career opportunities in cybersecurity.

To watch this web seminar in its entirety, please visit districtadministration.com/ws100518

Interested in edtech? Keep up with DA's Future of Education Technology Conference®.