An important thing to consider when planning any cyber security programme is that we can all fall victim to social engineering attacks. Cybercriminals use sophisticated techniques to target school staff, and supporting everyone to spot these is essential.
Phishing simulations are one part of your whole school cyber security awareness programme and should align with its other elements. Using phishing simulations to raise awareness and contribute to training means colleagues will learn ways to spot the real thing and be more supportive of your cyber security programme. The programme must be delivered carefully and thoughtfully with training that develops understanding whilst protecting well-being.
Just because hackers use malicious techniques doesn’t mean we should.
“In the education sector, the best way to counter phishing is by fostering a culture of trust, knowledge and vigilance. Secure Schools has a commitment to ethics in the digital age.”
Paul Armstrong, Senior Cultural Auditor, Secure Schools.
The overarching aim should be to build a cyber security culture that improves the school’s defences. Without the trust and support of colleagues, this will never materialise, and staff will continue to be your biggest risk.
When employees trust that the simulations will enhance awareness and not catch them off guard, the entire organisation benefits from a more robust cyber security culture.
Think training first
Training staff on how to spot a phishing attack helps create a collaborative environment and will reduce the risk of them being tricked by the real thing.
Inform staff
There are two reasons to inform staff about the programme. Firstly, letting them know to expect phishing simulation emails will also encourage vigilance against real-world phishing attempts. Secondly, some may request to opt out of the programme, allowing you to understand their concerns and protect their well-being.
Avoid over-phishing
Sending too many phishing emails will lead to apathy and resentment and decrease the programme's effectiveness.
Consider the content of the emails
There are two things to consider when designing the emails. Firstly, the emails should contain the kind of content that would usually appear in a real-world example. This should directly align with the school's awareness training programme and reinforce recognising the warning signs of a phish. Secondly, the subject matter should be sympathetic. In June 2023, an American school district was forced to apologise after sending teachers a phishing simulation. The email claimed the recipient had been given a gift card as a thank-you for their hard work that academic year, but it turned out to be a trap. The superintendent was forced to write a letter of apology to the teachers. Without organisation-wide buy-in for a phishing simulation programme, the programme is unlikely to produce school staff who are confident users of technology, or the culture that goes hand-in-hand with that confidence.
Use the results in a supportive way
Once the simulation has run, use its reporting data to support those not taking the desired action with additional training and to improve your phishing programme. Avoid 'naming and shaming' staff, which will destroy trust and engagement.
Our ethical phishing pack contains the following resources.
Secure Schools guidance paper
Example code of conduct
Example policy document
Find out how we can support your phishing programme
The Secure Schools Phishing Simulator is part of our cyber security platform for schools. Find out how it can support your school by signing up for a free trial here.
If you’re ready to speak to someone from Secure Schools, please complete our contact form or telephone us on 01638 438186.