Case Study - Quick results across a broad range of cyber awareness

Catholic Education Flanders

In response to the pressure of the increasing number of phishing emails in 2020, the umbrella organisation for Catholic Education drew up an internal phishing simulation. The result showed that there were some sore points.

The Challenge

“In May 2020, we established that the number of phishing emails that our members received had doubled compared to the same month a year earlier,” said Peter Declerck, Staff Executive and Contact for Information Security “Unfortunately, we saw that this was reflected in the number of institutions affected: never before had so many schools fallen prey to hackers.”

“Phishing in education is sometimes underestimated,” says Declerck. He is responsible for training courses on the GDPR and cyber security at the educational institutions of approximately 600 school administrations in Flanders and notices that such topics are not always top of mind: “As happens so often, it seems as though people first need to experience it first-hand before they realise how vulnerable they are.”

“That does not concern only the possible profit to be earned by a ransom,” explains Declerck. “Someone who is able to get his hands-on pupils’ data also has a grip on those people’s lives in a vulnerable stage of their development. It opens the door to discrimination, bullying, identity fraud, etc.”

The Outcome

“That is also the reason why we performed simulations on our colleagues. In this way, they were confronted with phishing in practice and they experienced what happens when such an attack is successful,” said Declerck. In this case, 35% of the addressees clicked a link in the simulation - more than the average of 20%. “The test actually caused some tumult, despite the fact that it was only a simulation and that, therefore, no data or systems were endangered. People immediately started to get worried and our IT department was soon overburdened with questions.

“The impact also lingered for quite some time thereafter,” said Declerck. “Our employees are now much more alert and have since then been able to recognise and report numerous different phishing attempts. Everyone now realises how easy life sometimes is for hackers.”