ConVal’s updated data governance plan includes training for staff and faculty against “phishing” – a scam in which deceptive emails or websites attempt to trick people into revealing personal or confidential information.
“Municipalities and organizations like schools are increasingly targets for scams such as phishing, because their organizational structure is out there, and their emails are out there, unlike in private businesses, where they can keep emails and personnel private,” said Mark Schaub, ConVal’s systems administrator.
Schaub recently presented the updated data governance plan to the ConVal School Board.
A state law passed in 2018, HB 1612, requires New Hampshire schools to have a plan to review data security for software as well as communications. The law requires adhering to best practices for minimal privacy standards around student and staff information.
The law also specifies that vendors for all software used in schools sign security agreements. New Hampshire schools participate in a consortium that negotiates these agreements with vendors.
“When you think about how many different kinds of software are used in a school district – we have PowerSchool, we have Microsoft, we have specific software for our nursing students, our business students – it would be impossible for the school district to negotiate an agreement with every single vendor. How it works with the consortium is if there is a new software that no other district in the state is using, the consortium will reach out to the vendor, and if they can use the template agreement, then every district in the state can use that software with the same agreement. It gives a lot more weight for vendors who are reluctant to sign on,” Schaub said.
Schaub said restrictions on data governance were temporarily relaxed because of the COVID epidemic.
“It’s been hard to do any updates to the data governance plan so far, because it launched in 2019, then it was COVID. That was a lot of scrambling with all the schools trying to figure out how to teach online. The state lifted some of the requirements during that time while everyone was trying to figure out remote learning; they had to relax the rules to enable remote learning. Then it went back to normal,” Schaub said.
Schaub said schools in particular are becoming targets of “spearphishing,” a more-sophisticated scam in which scammers duplicate the email signatures of a person’s contacts.
“Scammers now are able to send emails to people and make it look like it came from their principal or their colleagues,” Schaub said. “You have to be very careful and really look at where it came from; it can be easy to miss, especially if you are looking at email on your phone.”
Schaub sees the training as “our opportunity to learn and do better.”
“I’ve heard about some districts that take a really punitive approach with people who make mistakes. That is not the way we approach it. We are not trying to shame anyone. We are all recognizing that we are all going to see these types of emails, and by practicing we get better at identifying them. It is just all about training,” Schaub said.
Schaub feels it is challenging that all of the burden of training lies on employers.
“It’s unfortunate there is not a better way to train everyone outside of their job. It becomes the employer’s job instead of the platform’s job. Most people use Gmail for their personal email, but Gmail doesn’t offer any training for people. It would be nice if there were other options out there – it would be nice if there was a more proactive approach from the email provider. There is not a whole lot of training; there is no way you can block every malicious email,” he said.
