1. MFA and Identity Management Help Defend Against Consent Phishing Attempts
Schools must require MFA for sign-in: a username and password plus a second factor such as a hardware token, an authenticator app, or a biometric check. Keep its limit in mind, though. A consent phishing email never asks for the password; the victim signs in legitimately, MFA included, and then grants a malicious application an OAuth token. MFA therefore shuts the door on credential theft, which narrows the attacker to the consent grant itself, but it does not stop that grant on its own.
Consent phishing plays out against the cloud identity platform (Google Cloud, Microsoft Azure, or Amazon Web Services) rather than the local network, so that is where schools should run an identity and access management solution. It should alert IT staff to unusual sign-in, application, or email activity, including newly granted third-party application consents, and it should be able to block risky sign-in attempts.
2. Take control of third-party app permissions and approvals
Unfortunately, even with MFA and identity management in place, a user can still grant a convincing malicious application access to their account. The consent prompt is a legitimate, MFA-authenticated action, so the attacker walks away with a token that works without ever knowing the password.
According to Push Security, “the only way to completely stop consent phishing attacks is to completely prevent users from granting access to third-party apps.”
However, since that would cut into productivity, K-12 schools should instead route every new end-user app request to IT administrators for approval and pre-approve widely used apps from trusted, verified publishers. Requests for broad permissions deserve the closest look: read or write access to mail, files, or contacts, and offline_access, which issues a refresh token that keeps working after the user signs out.
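One way to implement the approval policy this section describes, as an added example in Python that is not part of the article or of any vendor's tooling: a small classifier that auto-approves apps from a pre-approved, verified publisher requesting only sign-in scopes, queues everything else for an administrator, and denies outright the classic consent-phishing shape (an unverified publisher asking for mailbox or file access). It then replays constructed audit events to surface grants users made directly that should have gone through IT review, which is also the alerting section 1 asks of the IAM tool. The publisher list, the risk tiering of the scopes, and the audit-event shape are assumptions for illustration; the scope names themselves are Microsoft Graph delegated permissions.

```python
"""Third-party app consent governance (added example, not from the article).

Classifies consent requests as auto-approve, admin review, or deny, then
replays constructed audit events to flag grants that bypassed that policy.
The publisher list, risk tiers, and audit-event shape are illustrative
assumptions, not an identity provider's real schema.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum

# Scope names are Microsoft Graph delegated-permission names; how they are
# tiered here is an illustrative policy choice, not a vendor definition.
LOW_RISK_SCOPES = frozenset({"openid", "profile", "email", "User.Read"})
HIGH_RISK_SCOPES = frozenset({
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read", "Directory.Read.All",
})
# offline_access returns a refresh token, so the grant outlives the session.
PERSISTENT_SCOPES = frozenset({"offline_access"})
# Hypothetical pre-approved publishers (assumption for the example).
TRUSTED_PUBLISHERS = frozenset({"Example School Tools Inc.", "Quiz Co."})


class Decision(Enum):
    AUTO_APPROVE = "auto_approve"   # pre-approved publisher, sign-in scopes only
    ADMIN_REVIEW = "admin_review"   # queue for an IT administrator
    DENY = "deny"                   # classic consent-phishing shape


@dataclass(frozen=True)
class ConsentRequest:
    app_name: str
    publisher: str
    publisher_verified: bool        # publisher identity verified by the IdP
    scopes: frozenset[str]
    redirect_uri: str


def evaluate(req: ConsentRequest) -> tuple[Decision, list[str]]:
    """Apply the approval policy to one request; returns decision and reasons."""
    if (req.publisher_verified and req.publisher in TRUSTED_PUBLISHERS
            and req.scopes <= LOW_RISK_SCOPES):
        return Decision.AUTO_APPROVE, ["pre-approved publisher, sign-in scopes only"]
    reasons: list[str] = []
    if not req.publisher_verified:
        reasons.append("unverified publisher")
    high = req.scopes & HIGH_RISK_SCOPES
    if high:
        reasons.append("high-risk scopes: " + ", ".join(sorted(high)))
    if req.scopes & PERSISTENT_SCOPES:
        reasons.append("offline_access: grant persists after sign-out")
    if not req.redirect_uri.startswith("https://"):
        reasons.append("non-HTTPS redirect URI")
    # An unverified publisher asking for mailbox or file access is the
    # classic consent-phishing pattern; do not even queue it for review.
    if not req.publisher_verified and high:
        return Decision.DENY, reasons
    return Decision.ADMIN_REVIEW, reasons or ["publisher not on pre-approved list"]


@dataclass(frozen=True)
class ConsentEvent:
    """Simplified consent-audit record (assumed shape for the example)."""
    user: str
    request: ConsentRequest
    admin_consent: bool             # True when granted via the admin workflow


def audit(events: list[ConsentEvent]) -> list[tuple[str, str, Decision, list[str]]]:
    """Flag user-granted consents that policy would not have auto-approved.

    These are the grants to revoke or re-route through admin approval.
    """
    findings = []
    for ev in events:
        if ev.admin_consent:
            continue                # already went through IT review
        decision, reasons = evaluate(ev.request)
        if decision is not Decision.AUTO_APPROVE:
            findings.append((ev.user, ev.request.app_name, decision, reasons))
    return findings


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    ConsentEvent("teacher1@school.example", ConsentRequest(
        "Grade Sync", "Example School Tools Inc.", True,
        frozenset({"openid", "profile", "User.Read"}), "https://gradesync.example/cb"), False),
    ConsentEvent("teacher2@school.example", ConsentRequest(
        "Mailbox Backup", "Unknown Dev", False,
        frozenset({"Mail.ReadWrite", "offline_access", "User.Read"}), "https://cb.attacker.example"), False),
    ConsentEvent("admin@school.example", ConsentRequest(
        "Reading Tracker", "Reading Co.", True,
        frozenset({"Files.Read.All", "User.Read"}), "https://reading.example/cb"), True),
    ConsentEvent("teacher3@school.example", ConsentRequest(
        "Quiz Maker", "Quizzes Ltd", True,
        frozenset({"openid", "email"}), "https://quiz.example/cb"), False),
]

if __name__ == "__main__":
    for user, app, decision, reasons in audit(SAMPLE_EVENTS):
        print(f"{user}: {app} -> {decision.value} ({'; '.join(reasons)})")
```

Run stand-alone, it reports the two user-granted consents that should not have been self-approved: the Mailbox Backup grant (denied: unverified publisher, mailbox write, refresh token) and the Quiz Maker grant (queued: verified but not pre-approved). Wire the same `evaluate` rule into the admin approval queue and the same `audit` loop over the identity provider's consent events, and the approval process and the alerting become one policy rather than two.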
3. Security training can help schools reduce consent phishing attacks
Researchers who conducted the October 2020 IBM Education Ransomware study of 1,000 educators and 200 administrators concluded that educators were “still unaware of critical information relevant to protecting their schools.”
At a minimum, K-12 IT staff should train teachers, students, and administrators every year on consent phishing and other cyber threats. For consent phishing in particular, the training should show what a third-party app consent screen looks like and teach users to stop when an unfamiliar publisher asks for access to mail, files, or contacts, and to report the prompt instead of clicking Accept.
4. Schools can strengthen cybersecurity with annual external audits
School IT managers should hire external cyber experts to perform annual audits. Auditors test security policies, practices, documentation, and compliance across central and remote IT systems and devices, and they assess the security of software, firewalls, third-party vendors, applications, and the app approval process. For consent phishing, that review should also include an inventory of the third-party applications users have already granted access to and the permissions each one holds, because a grant made before the approval process existed may still be live.
5. Schools Should Notify Legitimate Parties of Phishing Scams
Finally, whenever a user reports a suspicious email that impersonates a legitimate party, IT teams should notify that party so it can warn its own users. If the email led to a consent grant, the IT team should also revoke the malicious application's permissions and sign the affected user out of all sessions so the issued tokens stop working. The department can further harden school email with filtering software that catches spam and blocks access to known malicious websites and apps.