This is the second of a two-part blog. Blog #1 is The Dark Side of AI: How Generative AI Fuels Social Engineering.

Promoting social engineering awareness doesn’t have to be miserable. By adopting a few key strategies, you can effectively communicate your message and keep your staff engaged and informed.

1. Use Humor and Personal Touches:

One practical approach is to use humor and personal touches in your communications. Avoid using jargon and ensure that your messages are easily understood by all staff members, regardless of their technical expertise. Craft your messages like stories, incorporating elements that are relatable and entertaining. This helps to avoid static, robotic messages and makes the content more engaging and memorable for your staff. For instance, here is one email I sent to staff who received a phishing email.

The latest phishing attempt is impersonating ___________ using a Gmail account. Don’t respond. It’s a common tactic used by nefarious ne’er-do-wells to try to get you to buy an online gift card or give up your network credentials. If you did respond and purchased a gift card for the fake _____ or gave away your network credentials, please let me know.

2. Use Clear and Simple Language:
When explaining technical concepts, use clear and simple language. Avoid jargon and ensure that your messages are easily understood by all staff members, regardless of their technical expertise.

3. Reward Vigilance:
Ensure staff know where to find help and resources if they suspect a phishing attempt. Provide a clear process for reporting suspicious emails and ensure readily available support. Encourage a positive culture by rewarding staff who report phishing attempts. Give prizes to random staff members who have successfully identified and reported phishing emails. This approach fosters a proactive environment instead of punishing employees who make mistakes.

4. Education and Training:
Regular education and training are essential in building awareness, but it doesn’t have to be boring. Three of our teachers created a humorous video about phishing attempts in the style of the TV show “The Office” to engage and educate our staff. Sharing stories and case studies of real-world attacks, combined with creative approaches like a humorous video, helps staff understand the serious consequences of these threats.

Adopting some of these strategies can create an engaging and effective communication plan that raises social engineering awareness among your staff. The key to your success lies in the human touch. If staff feel supported, informed, and, most of all, appreciated for their efforts, your cybersecurity measures will be significantly strengthened.

Resources and Tips
The MITRE ATT&CK framework is a great resource that catalogs not just social engineering threats but cyber threats more broadly. This framework, located at https://attack.mitre.org, is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

The Cybersecurity and Infrastructure Security Agency (CISA) offers a comprehensive Phishing Infographic (cisa.gov) that can be a powerful tool for educating staff. This infographic visually highlights key aspects of phishing attacks, including how they work, common tactics used by attackers, and steps to recognize and avoid falling victim to these scams.

In addition to the phishing infographic, CISA provides a blog on Avoiding Social Engineering and Phishing Attacks. This blog covers various forms of social engineering, including phishing, vishing, and smishing, offering practical advice on how to spot and prevent these attacks.

By implementing these strategies, K-12 technology directors can effectively arm their staff against the dangers of social engineering, cultivating a culture of awareness and vigilance. AI is ever-evolving and becoming smarter, and while nothing is foolproof, a proactive approach helps create an informed community that serves as the first line of defense.

AUTHOR: Doug Couture, CETL, Director of Technology Systems and Programs, South Windsor Public Schools (CT)

Published: September 4th, 2024

Blog #2: (To be posted) Tips for K-12 Technology Directors: Communication Strategies for Social Engineering Awareness

CoSN is vendor neutral and does not endorse products or services. Any mention of a specific solution is for contextual purposes.

CC BY-NC