Loyola School

The Challenge

Loyola School’s IT team consists of just one IT professional — Matt McDonnell, Director of technology at the institution. He’s been in the position for more than six years, working with the operations manager, principal and the school’s president to protect the school’s IT environment while also managing the day-to-day IT responsibilities.

In the past, Loyola had experienced email impersonation attacks by cyber crooks running gift card scams. In one scam, bad actors posed as one of the administrators, telling staff members that they were meeting with a visiting alumnus, but they hadn’t had the chance to get a needed gift. The scammers requested that the employees purchase gift cards and send them the codes. While this attack scenario is well known in the cybersecurity industry, untrained faculty and staff who are less familiar with phishing schemes may not recognize the scam. That makes it more likely for fraudsters to deceive the school’s faculty and staff, which could result in financial loss.

The advent of artificial intelligence (AI) in phishing has also become an area of concern for Matt. Before cybercriminals started leveraging AI tools like ChatGPT in their phishing efforts, Matt and the school’s 50-person staff were typically able to spot phishing attempts by spotting poor grammar and other mistakes. With the increasing sophistication of phishing emails, he felt the need to test the staff on their cyber awareness. An audit conducted by a third-party risk management firm has confirmed that faculty and staff required additional security awareness training to fend off malicious and fraudulent email attacks.

The Solution

Loyola School was already a Kaseya customer, using Spanning, a module in Kaseya’s IT Complete platform, for cloud-based backup. When their Kaseya account manager explained IT Complete also had security solutions built to address email security and security awareness training problems, Matt readily agreed to a demo.

Happy with what he learned, Matt purchased Graphus, an AI-based, automated email security solution, and BullPhish ID, a comprehensive security awareness training and phishing simulation platform. Matt chose to implement Graphus and BullPhish ID together because an integration between the two, Drop-A-Phish, rendered domain whitelisting unnecessary and ensured the training and phishing emails would be delivered to the employees reliably. This meant he could immediately get down to training staff.

Using BullPhish ID to run phishing simulations, Matt carries out security tests at random at least once every quarter — and sometimes more often — ensuring the staffers are unaware that they’re being tested.

Every few days, Matt logs into the KaseyaOne portal, where, with a single sign-on, he gains access to all Kaseya products used by Loyola School. There, he can track each staff member’s security training performance, what kind of mistakes they make, determining where they need help, who might need more specific training, and how to best train them. Simple, clear reporting makes it easy to share data about the effectiveness of training with the leadership team, if needed.

Although only the school staff is receiving the training for now, Matt sees potential in implementing security awareness training for students in the future.

Results

BullPhish ID also helps Loyola School achieve compliance needed for cyber insurance. Insurance companies have been increasingly stringent about their requirements for coverage for schools — and those requirements often include comprehensive security awareness training programs.

In terms of email security, Loyola School leverages Google Workspace and has implemented Graphus to add more layers of security and help enhance email filtering over Google’s native capabilities. Matt particularly commends Graphus’s Executive Spoofing feature.

“Using the Executive Spoofing feature, all I have to do is type in a name, or some variations of names, and Graphus will flag them as Executive Spoofing or even just outright block it, which actually has helped us avoid impersonation scams,” explains Matt.

The overtly malicious attacks get blocked by Graphus before employees could ever interact with them. The easy-to-notice Graphus’ EmployeeShield banner places on potentially suspicious emails makes it very easy for the school’s staffers to distinguish between the people with whom they’ve had contact before and those they haven’t, helping reduce the chance of a user falling for an impersonation attempt.

BullPhish ID and Graphus helped Matt, essentially a one-man team, overcome the school’s email security challenges, all through Kaseya’s unified platform.

Looking Forward

Matt continues building up his school’s cyber defenses using Kaseya’s solutions. Most recently, he added penetration testing by Vonahi to help him find and fix weak spots in the school’s defenses before cyber criminals can exploit them, ensuring Loyola School is ready for today’s and tomorrow’s threats.