Yolo County Office of Education

Cybersecurity

Information and tips to protect yourself at work and at home

Biden Administration Announces Cybersecurity Initiative for K-12 Schools (edweek.org)

Along with the Government Coordinating Council, the federal Cybersecurity and Infrastructure Security Agency is providing tailored assessments and cybersecurity training and exercises for K-12 schools this school year. The Federal Bureau of Investigation and the National Guard Bureau are also releasing updated resource guides so state governments and education officials know how to report cybersecurity incidents and can leverage the federal government’s cyber defense capabilities.

Some education technology companies are making commitments to provide free or low-cost cybersecurity training resources to school districts:

PowerSchool, a K-12 software provider, will provide free and subsidized “security-as-a-service” courses, training, and resources to all U.S. schools.
D2L, a learning platform company, will provide some free resources for cybersecurity training.
Cloudflare will offer free cybersecurity solutions to smaller public school districts (those with 2,500 students or less).
Amazon Web Services will provide $20 million for a K-12 cyber grant program, free security training for K-12 IT staff, and free cyber incident response assistance.
Google released an updated guidebook for schools to ensure the security of their Google hardware and software applications.

The U.S. Department of Education and CISA also released on Aug. 7 the K-12 Digital Infrastructure Brief: Defensible & Resilient, which provides recommendations and best practices for identifying, protecting, detecting, responding, and recovering from cyber threats or attacks. The Education Department also released two other briefs that provide best practices for ensuring schools’ digital infrastructure is “future-proof” and “interoperable.”

Easy Ways to Stay Safe Online

Week 1: Password Security

Password Security & Password Managers

Today you need a password for just about anything. Creating strong and unique passwords is one of the easiest ways to ensure that your accounts and information are safe from potential cyber-attacks.

Some important tips to keep your password strong and unique:

The longer the password the better. CISA recommends 16 characters made up of letters, numbers, and symbols
- Some sites may not allow 16 characters, make is as long as the site allows.
Make them unique.
- Use number-letter substitution or even symbol-letter substitution. Substitute a number or symbol for a letter in a word such as Yolo into Y0!0
- Create a phrase of words with creative spelling
- Use a random string of mixed letters, numbers, and symbols
Don’t write it down in a notebook or on a sticky note. Anyone can find that and use it to log in
Use a Password Manager
- Password Managers are quick and easy resources to use to create and store passwords and other information.

Password managers are an effective way to store your passwords, so you don’t have to remember all the unique passwords you created. It saves you time from rummaging through all the papers you have with passwords on them, having to try to remember all your passwords, or even having to reset your passwords because you forgot them. Password managers are easy to use and work on any device.

Is it safe?

Yes, password managers use an encryption so that it doesn’t even “know” your password. All you have to do is remember a single password to log into the password manager. It is also recommended to turn on Multifactor Authentication for your password manager.

Why should you use it?

To save all your passwords and other information on an organized platform.
It can generate strong, unique passwords so you don’t have to.
Easy to use.
Enhanced Security.
It can help protect you against phishing attempts.

Week 2: MFA

Multifactor Authentication

In today’s technological world, security is of the utmost importance. One way to ensure your safety online is by enabling Multifactor Authentication (MFA). MFA is a second step verification to validate your identity when logging into an account online. This extra security helps keep out someone that is not you.

Studies show that users are 99% less likely to get hacked when they have MFA enabled on their account. How? MFA asks for more information by usually sending a code or verifying your identity on another application. This is enabled by you the user or your company, and the verification method is set up by you the user.

This extra verification makes it hard for a cyber attacker to get into your account because they don’t have your phone that is receiving the code or verification notification.

Week 3: Phishing

Recognizing & Reporting Phishing Attempts

What is phishing?

Phishing is an attempt to get personal information or infect your device. Cyberattacks use multiple methods, such as text, email, or a phone call, to “bait” users into clicking on a link or downloading a file they sent you. These attempts may seem real because they design the messages to look like they come from a trusted person or organization. Be diligent with all messages and emails you receive.

How to recognize phishing?

Common signs of a phishing attempt may look like:

An urgent or emotional message request immediate action
Requests for personal and financial information
URLs are shortened and look untrustworthy
- Always make sure the URL starts with “https” to make sure its legit
- Such as https://www.ycoe.org
Email address or link is incorrectly spelled
- i.e., amazan.com should be amazon.com
It’s a message or email you weren’t expecting

Report and Delete

It is extremely important to not click on anything that looks suspicious. If you think an email may be from someone you know but it looks suspicious, contact that person directly via another means or call them. If you think an email is from a real company, but it looks suspicious, call that company from a phone number listed on their website. Not the one in the email. Looking up the company as well may be a way of determining if it is real or phishing.

Report all phishing attempts. Marking an email as spam and deleting a phishing scam may be the best approach. Your YCOE email has an icon that allows you to report any email you believe is a phishing scam. Once you click on the icon it will remove the email from your inbox and send a notification to the IT Department of the phishing attempt.

It is also best practice to not reply, forward or unsubscribe to any phishing message. Just report and delete.

If a message looks suspicious, it’s probably phishing.

Week 4: Software Updates

Keeping Software Updated

Many updates are created to fix security risks. Keeping your software and device updated keeps you safer.

Why?

Updates include “patches” to security vulnerability. Patches are software and operating system (OS) updates that address security vulnerabilites that the vendor has become aware of. Software updates fix bugs, improve performance, and add other feature enhancements for the user experience. Updates contain a variety of features for security updates and user facing enhancements.

How?

Watch for notifications
Install updates ASAP
Turn on automatic updates
- This is the easiest way to keep your devices up to date and safe

Tips

When downloading software, ensure that it comes from a verified source such as the vendor the software is from. Download the software or software update from the vendor website not an email link or advertisement. Download apps from your device’s official app store. Make it a habit to update devices, software, and applications. Update software and applications on trusted networks. Avoid updating software while connected to an untrusted (public) network.