The Superintendents Worst Fear ESC Region 1 Finance Advisory - - PowerPoint PPT Presentation



SLIDE 1

The Superintendent’s Worst Fear

ESC Region 1 Finance Advisory Council November 10

SLIDE 2

Superintendents

Imagine having to notify parents or employees that their personal privacy has been violated!!!!!!

SLIDE 3

Martin Yarborough

  • BS, MEd, PhD (Tarleton and NIU)
  • 35 yrs in Education
  • Teacher (Granbury, Glen Rose),
  • Principal (Glen Rose),
  • CIO (Glen Rose, Granbury, Stephenville, Abilene, Fort Worth ISD)
  • 10 yrs managing Dell Ed Services
  • Owner – Martin Yarborough and Associates since 2008
  • Author – CCSESA Cybersecurity Framework for K-12 Schools in California
  • Recognized expert – Assessments, Security and Disaster/Recovery

SLIDE 4

Objective of this Discussion

I want to provide you with a recipe for, maybe not preventing, but certainly mitigating, cyber attacks on your district.

SLIDE 5

Cybercrime is …

…a malicious breach of a school’s security to expose sensitive and confidential data.

SLIDE 6

Cybercrime has …

…touched organizations of every size and shape in every industry – including K-12 school districts.

SLIDE 7

Cybercrime looks like …

  • …students hacking into databases to change grades.
  • …hackers instigating a DDoS (distributed denial of service) attack which stops electronic testing.
  • …thieves stealing personal identification information (PII) and posting it on the internet.
  • …staff losing a laptop or tablet with access to highly sensitive information.
  • …ransomware being used to hold a district hostage and costing thousands of $$$.

SLIDE 8

Equifax

  • Exposed personal data of over 143 MM Americans.
  • Cyber attack exploited a software program containing:
    • Names
    • SSN
    • DOB
    • Other personal data
  • Many executives sold their stock (loss of $4.4 BB)
  • CIO retired ???
  • CSO retired ???
  • CEO got FIRED !!!!!!

SLIDE 9

So What …

An attack on a school’s IT system can compromise the ability to teach. If personal information is exposed, districts may be subject to penalties under FERPA, including the loss of potential federal funding. Civil lawsuits could cost millions. Districts may find they aren’t covered for damages under traditional business interruption insurance policies. District business offices may not be able to function for a period of time and fulfill timely requirements such as payroll.

SLIDE 10

One thing is clear…

  • Many cybercrime events are preventable.
  • K-12 institutions need to have a strategy for minimizing the likelihood of a breach as well as a plan to deal with the fallout after one takes place.

SLIDE 11

Is this for real?

SLIDE 13

2016 Netwrix survey

SLIDE 14

2016 Netwrix survey

SLIDE 15

2016 Netwrix survey

SLIDE 16

49% of educational institutions have faced security incidents caused by human errors, and 37% have had security incidents due to malware.

2016 Netwrix survey

SLIDE 17

2016 Netwrix survey

SLIDE 18

Educational institutions named lack of budget (74%), lack of time (54%) and insufficient participation of senior management (44%) as the main obstacles to taking a more efficient approach towards cyber risk management.

2016 Netwrix survey

SLIDE 19

2016 Netwrix survey

SLIDE 20

Oh My! This is for real

SLIDE 21

May 22, 2017 – Texas Association of School Boards

Inadvertently posted the names and social security numbers of Texas school employees publicly on the Internet.

Corpus Christi ISD, Laredo ISD, Edcouch-Elsa ISD, La Joya ISD, Laredo ISD, Los Fresnos CISD, Mission CISD, Monte Alto ISD, Progreso ISD, Rio Grande City CISD, Lyford CISD, McAllen ISD, San Perlita ISD, South Texas ISD, United ISD, Weslaco ISD, Victoria ISD, Calhoun County ISD, Goliad ISD, Hallettsville ISD, Shiner ISD, Killeen ISD, Ector County ISD, Leander ISD, Round Rock ISD, Alief ISD, San Benito CISD, Fort Worth ISD, Beaumont ISD, Bridge City ISD, Port Arthur ISD, Kountze ISD, West Orange-Cove CISD, Midway ISD, Temple ISD, Robinson ISD, Glen Rose ISD, Pflugerville ISD

SLIDE 22

2017 – Argyle ISD

Victim of an email phishing scheme. Employees were victimized by a W-2 scam affecting most employees, as reported by EdTech Strategies.

SLIDE 23

2016 – Region XI Service Center

A cyber attack paralyzed the websites of at least 2 area school districts for several days and sidelined the websites of many more in the region. It affected commerce, testing and student records.

SLIDE 24

May 12, 2017 – Mesquite ISD

Food & Nutrition Services was hit by a cyber attack that crippled the POS systems and affected student nutrition accounts.

SLIDE 25

May 14, 2017 – DeWitt-Lavaca SPED Co-op

Encountered a ransomware attack which compromised all student SPED records. The files were encrypted, rendering them inaccessible and non-functioning. Data was lost and had to be re-created.

SLIDE 26

2017 – Calallen ISD

Encountered a ransomware attack which compromised all computers in the district. The attack infected most servers in the district.

SLIDE 27

2016 – Santa Rosa ISD

Encountered a malware attack causing the district to go without computers and telephones while repairs were made.

SLIDE 28

Why?

Since 2005,

  • approximately 14,750,000 educational data records have been compromised.
  • 755 cyber security breaches at educational institutions (K-12 and HiEd) have been reported and made public.

SLIDE 29

Cyber crime costs are projected to reach $2 TRILLION by 2019 (Forbes).

SLIDE 30

Cyber crime may not be preventable… 70% of the issues are human-caused; 30% are caused by technology.

SLIDE 31

But …

  • Many schools do not have the appropriate resources to develop a Cyber security Awareness program.
  • Policies are outdated.
  • Staff are not aware of the policies.
  • Many IT departments do not have the time, resources or the ability to develop awareness programs.
  • Security becomes important when a breach occurs!

SLIDE 32

How…

The ideas, customs and social behavior of a particular society that allow them to be free from danger or threats.

Establishing a model for security involving risk management, security design, security implementation and verification. Defining how an organization addresses constraints on behavior to protect the physical and information technology assets.

SLIDE 33

Texas Schools need a common approach

SLIDE 34

The madness has to stop!!!

SLIDE 36

Here it is ….

SLIDE 46

Let’s see how it can work, implemented in 7 phases ….

SLIDE 47

Prioritize and Scope

  • Entire district?
  • Subset of entire district?
  • Critical departments?
  • Understanding district governance.
  • Understanding how the district calculates risk.
  • Identify stakeholders.
  • Generate the Project Plan
  • 2-3 meetings

SLIDE 48

Prioritize and Scope Orient

  • Getting ready to ask “Where are we now?”
  • Understand NIST framework tiers and how they work (in order of increasing maturity):
    • Partial
    • Risk Informed
    • Repeatable
    • Adaptive
  • 3 workshops

SLIDE 49

Prioritize and Scope Orient Create a Current Profile

  • Using the NIST Framework Tiers, review the framework enablers and assign each a Framework Tier level.
  • Several short meetings
  • Surveys
  • Survey validations

SLIDE 50

Prioritize and Scope Orient Create a Current Profile Conduct a Risk Assessment

  • Commission a Security Risk Assessment.
  • Review results of risk assessment and compare to perception of Current Profile.
  • Security Assessment
  • ISO 27001 Review
  • Electronic vulnerability scans
  • Penetration testing (internal/external)

SLIDE 51

Prioritize and Scope Orient Create a Current Profile Conduct a Risk Assessment Generate a Target Profile

  • Work with stakeholders to generate a Target Profile.
  • Consider Budget, Personnel, Time
  • Mitigate findings of the Risk Assessment
  • Facilitated meetings
  • 2 weeks

SLIDE 52

Prioritize and Scope Orient Create a Current Profile Conduct a Risk Assessment Generate a Target Profile Analyze, Prioritize and Determine Gaps

  • Compare the Current (AS-IS) to the Target (TO-BE) and identify the gaps.
  • Document the gaps into a series of projects to be performed.
  • Working with a Project Mgr
  • 2-3 weeks

SLIDE 53

Prioritize and Scope Orient Create a Current Profile Conduct a Risk Assessment Generate a Target Profile Analyze, Prioritize and Determine Gaps Develop and Implement Action Plans

  • Convert the identified gaps into a series of project proposals.
  • Assign each project proposal to a competent project manager.
  • Develop project plans, risk plans, communication plans and quality plans for each identified gap.
  • Develop a budget for remediation.
  • Begin “fixing” your security issues.
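
The phases above (Current Profile, Target Profile, gap analysis, project proposals) can be expressed as a small piece of working code. The following Python script is an added example, not from the presentation or from Martin Yarborough and Associates: the tier names come from the Orient slide, the five NIST CSF Functions are assumed to be the "framework enablers" that get rated, and the profile ratings and risk-assessment findings are constructed sample data. It scores each gap by tier distance weighted by the number of confirmed findings, skips functions already at or above target, and turns the ranked gaps into project proposals with one milestone per tier step.

```python
from dataclasses import dataclass, field

# NIST CSF Implementation Tiers as listed on the Orient slide, in order of
# increasing maturity.
TIER_LEVEL = {"Partial": 1, "Risk Informed": 2, "Repeatable": 3, "Adaptive": 4}
LEVEL_TIER = {level: name for name, level in TIER_LEVEL.items()}

# Assumption: the "framework enablers" rated in the profiles are the five NIST
# CSF Functions. A full profile would rate the Categories under each Function.
FUNCTIONS = ["Identify", "Protect", "Detect", "Respond", "Recover"]


@dataclass
class Gap:
    function: str
    current: str          # tier in the Current (AS-IS) Profile
    target: str           # tier in the Target (TO-BE) Profile
    findings: list = field(default_factory=list)  # risk-assessment findings

    @property
    def size(self) -> int:
        """Tier steps between AS-IS and TO-BE (negative if already above target)."""
        return TIER_LEVEL[self.target] - TIER_LEVEL[self.current]

    @property
    def score(self) -> int:
        """Priority weight: tier distance amplified by confirmed findings."""
        return self.size * (1 + len(self.findings))


def validate_profile(profile: dict) -> None:
    """Reject unknown functions, unknown tier names, or an incomplete profile."""
    for function, tier in profile.items():
        if function not in FUNCTIONS:
            raise ValueError(f"unknown function: {function}")
        if tier not in TIER_LEVEL:
            raise ValueError(f"unknown tier for {function}: {tier}")
    missing = set(FUNCTIONS) - set(profile)
    if missing:
        raise ValueError(f"profile is missing: {sorted(missing)}")


def gap_analysis(current: dict, target: dict, findings: dict) -> list:
    """Compare Current to Target and return the gaps, highest priority first."""
    validate_profile(current)
    validate_profile(target)
    gaps = []
    for function in FUNCTIONS:
        gap = Gap(function, current[function], target[function],
                  list(findings.get(function, [])))
        if gap.size > 0:  # at or above target already: nothing to plan
            gaps.append(gap)
    # sorted() is stable, so equal scores keep the Identify..Recover order
    return sorted(gaps, key=lambda g: g.score, reverse=True)


def to_projects(gaps: list) -> list:
    """Turn each gap into a project proposal with one milestone per tier step."""
    projects = []
    for gap in gaps:
        levels = range(TIER_LEVEL[gap.current] + 1, TIER_LEVEL[gap.target] + 1)
        projects.append({
            "name": f"{gap.function}: {gap.current} -> {gap.target}",
            "score": gap.score,
            "milestones": [f"Reach {LEVEL_TIER[level]}" for level in levels],
            "remediate": list(gap.findings),
        })
    return projects


# Constructed sample profiles and findings (not taken from the presentation).
CURRENT_PROFILE = {"Identify": "Partial", "Protect": "Risk Informed",
                   "Detect": "Partial", "Respond": "Partial",
                   "Recover": "Risk Informed"}
TARGET_PROFILE = {"Identify": "Repeatable", "Protect": "Repeatable",
                  "Detect": "Repeatable", "Respond": "Risk Informed",
                  "Recover": "Repeatable"}
RISK_FINDINGS = {
    "Identify": ["No inventory of lab and loaner devices"],
    "Detect": ["No central log collection",
               "Vulnerability scan: unpatched student information server"],
    "Respond": ["No written incident response plan"],
}

if __name__ == "__main__":
    plan = to_projects(gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, RISK_FINDINGS))
    for project in plan:
        print(f"[{project['score']}] {project['name']}")
        for step in project["milestones"]:
            print(f"    - {step}")
        for finding in project["remediate"]:
            print(f"    * remediate: {finding}")
```

With the sample data, Detect ranks first (two tier steps and two findings), Identify second, and the two one-step gaps without findings (Protect, Recover) land at the bottom. The weighting is deliberately simple so a finance council can follow it; a district would replace the findings list with its own assessment output and can add cost or effort terms to the score before handing the list to a project manager.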
SLIDE 54

You may need some help to do this ….

  • Martin Yarborough & Associates
  • http://www.martinyarborough.com
  • (817)408-5725
  • info@martinyarborough.com
  • Netsync Network Solutions
  • http://netsyncnetwork.com
  • (866)974-5959
  • info@netsyncnetwork.com