Brick By Brick 

Written By Cybersecurity Engineer Brice Dickinson

Using Security Awareness Training to Build Robust Defenses

You may think they’re a kid’s toy, but one of my favorite things to do on my days off is building Legos. Ever since I was a kid, I have enjoyed playing and building with Legos, and now as an adult I get to build and display some of the most creative and unique designs that Lego has to offer. Currently on display in my living room is my Lego Star Destroyer, which is over 4 feet long and 2 feet wide and made up of 4,784 pieces. While that may seem like a lot of pieces, each one of those 4,784 pieces fits together in a specific way to create the shape of the build, reinforce different parts of the build, or add details that make the design truly unique. Not one piece is less important than another. Surprisingly, cybersecurity is just like a massive Lego build, with many different pieces coming together to make something unique. The cybersecurity Lego piece we will focus on in this article is Security Awareness Training.

Security Awareness Training is one of the best ways to increase your district’s security posture. A 2021 study performed by IBM showed that human error was a major contributor to 95% of all breaches. This data shows that 19 out of 20 breaches would never have happened if human error was eliminated. What this means is that, when leveraged properly, our users can be our first line of defense against most potential security incidents instead of being the cause of them. Security awareness programs train users to recognize potential security threats and to report them through the correct communication channels, ensuring a quick and complete response. These programs also train users on the proper practices and procedures for securely interacting with district technology and data. For these reasons, the Forward Edge Cybersecurity Solution offers security awareness training for all users that is easy to understand and specific to the education field.

One of the most vital pieces of security awareness training is training users on social engineering. Social engineering is the art of manipulating people so they give up confidential information or access to something otherwise restricted. The most common type of social engineering that users will face is phishing. Phishing is when an attacker sends a fraudulent email claiming to be from a reputable and trusted source to gain information, harvest login credentials, or spread malware through malicious files. These attacks can be generic and broad in scope, sent to thousands of people, or specifically crafted to target only one or two people. The Forward Edge Cybersecurity Solution utilizes Cofense PhishMe to send simulated phishing emails throughout a district’s domain to assess the district’s overall risk of a phishing attack. Reports of the simulated campaigns are also sent to the district’s Technology Director for a more detailed view of their environment’s phishing risk. The Cofense Reporter is also deployed in a district’s environment for users to report potentially malicious emails. Once reported, these emails are sent to the Forward Edge SOC Team to investigate further. If the email is found to be malicious, a SOC Team member will inform the Technology Director of the confirmed phishing email and communicate any additional actions that may be needed. This adds an extra layer of security when a user suspects an email is malicious, and it encourages reporting suspicious emails in a way that doesn’t add any extra time or tickets for the district’s technology team.

Another key part of security awareness training is training users to use secure authentication methods whenever possible. The most common way of doing this is through implementing both MFA (Multi-Factor Authentication) and a password management solution. Multi-Factor Authentication is when 2 or more factors are used to log in to a device or account. The different types of factors are generally broken down into 5 categories: something you know, something you have, something you are, somewhere you are, and something you do. Generally, the more authentication factors used, the more secure the authentication will be; however, the time and complexity increase as more authentication factors are added. Some common examples of multi-factor authentication are a password plus a code generated on another device, or a password and a generated code plus a facial recognition scan and a hardware security key. The Forward Edge Cybersecurity Solution utilizes SAASPASS to implement MFA and a password management solution.

Along with training users on social engineering and secure authentication, users must also be trained on how to properly handle data and how to be mindful of unintentional data exposure. This training includes understanding data classifications, like public data, internal use only data, and confidential or sensitive data, to have a full understanding of what data can be shared and what data cannot be shared. While this training is important for all staff members, it is especially important for administrative staff working in the enrollment, treasury, payroll, and HR departments as they handle the most sensitive staff and district data on a day-to-day basis. As part of this training, it is also critical for staff to recognize when their devices are missing important security updates and patches and know how to report that information to the technology department promptly. Reporting missing updates and patches can help avoid any accidental data leaks or exposures due to missed patches or misconfigurations.

Staff should also be trained on the dangers of transmitting district data over insecure networks, meaning public and other unprotected networks, and understand that doing so should be a last resort only and is heavily discouraged. Transmitting district data over insecure networks is dangerous because, if a network has no security controls in place, there are a million and one ways that an attacker could leverage that network to compromise the account and/or device used, or to intercept the traffic that contains the data. This could lead to a leak of sensitive district information, or to a compromised device and/or account that could further compromise the district’s network. For these reasons, it is best practice to only transmit district data over known secure networks like the district’s network or through the use of a VPN when outside of the district’s network.

As you can see, security awareness training contains many different parts to help educate our users on how to be more secure in how they use and interact with technology. While this may seem like a monstrous task, when you partner with Forward Edge, we make it as easy as possible to train and educate your district. Our cybersecurity training portal allows users to view the current month’s training topic as well as browse all of our previous training topics, complete with presentations, security checklists, videos, technical articles, and even bell announcements. These resources have been designed specifically for educators and K-12 staff to create the most comprehensive K-12 security awareness training possible, packaged in an easy and accessible way. Let’s work together to make our users our best defense against cybersecurity threats.