Welcome to NEOnets Cyber Security Executive Briefing If you havent - PowerPoint PPT Presentation

Welcome to NEOnet’s Cyber Security Executive Briefing

If you haven’t yet been hacked, you will be. In fact, you already may have been hacked, but don’t know it yet.” Stu Davis, Chief Information Officer, Ohio Department of Administrative Services

But before we begin …. What is NEOnet? • A public entity – established via Ohio Revised Code authorizing the creation of public data sites throughout Ohio. • A collaborative of public entities – some things are done better together than separately • Provides effective, cost‐efficient services , coupled with superior client support . – Accounting, Payroll, Student Administration, Electronic Grade Books, Library Automation, Professional Development, Internet Access, Technical/Network Support, Telephony, State reporting to the ODE, and more. • To a variety of organizations – public school districts, community schools, educational service centers, nonpublic schools, governmental entities, higher ed, other ITC, and others.

What today IS – and ISN’T • Today IS : – High‐level overview of essential executive‐level topics related to cyber security – Opportunity to hear from and interact with subject area experts • Today ISN’T : – A deep dive into any of the topics – If there is interest, NEOnet will follow‐up with more in‐depth sessions

What we need to know for today • Cyber security is a matter of organization‐wide risk that includes, but is much broader than, IT management. • Control and alignment of the functions required to manage organization‐wide risk reside at the Executive‐level !

Executive Level Responsibilities • Risk Assessment – Understand cybersecurity risk to organization – National Institute for Standards and Technology – (NIST) ‐ www.nist.gov/cyberframework • Risk Management Strategy • Policies – Data Security – Data Goverence • Procedures – Computer Security Incident Handling – Access to assets • Staffing – Cybersecurity roles and responsibilities – Senior Information Security Officer • Training – Cybersecurity Awareness education • Budgeting – How much are we going to spend to mitigate risk? • Insurance – Cyber Liability Insurance • Legal – Federal and State – FERPA, PPRA, COPPA, HIPAA

NIST Cybersecurity Framework

NIST Cybersecurity Framework

Items to consider • Senior Information Security Officer • Security Training Records • Security Awareness Training policy and procedures • Risk Assessment – AIG Application • Document system backup and recovery process • Maintain inventory of information systems assets • Computer Security Incident Handling

Computer Security Incident Handling Guide FAQ – What is an incident? – What is an incident response team? – To whom should incidents be reported? – What should someone do who discovers that a system has been attacked? • Reviewing and adapting this guide for your organization will be helpful for dealing with cyber‐ related events that may occur.

Legal Landscape: Federal Law  Family Educational Rights and Privacy Act (FERPA)  Protection of Pupil Rights Amendment (PPRA)  Children Online Privacy Protection Act of 1998 (COPPA)  Health Insurance Portability & Accountability Act (HIPAA)

Legal Landscape: Ohio Law  Confidentiality of student records (O.R.C. 3319.321)  Security (O.R.C. 1347.05(G))  School districts must “take reasonable precautions to protect personal information” maintained in school district information systems from “unauthorized modification, destruction, use, or disclosure.”  Appoint 1 person responsible for system  Develop procedures for using and maintaining system  Data Breach Notification  Public Schools: O.R.C. 1347.12  Private Schools: O.R.C. 1349.19

Cyber Insurance Disclaimer: For informational purposes only. Please consult insurance and legal professionals for more information. Some information attributed to AIG and other sources.

Ba c k ro und Cyber Security Insurance is the hot topic in the IT world right now, and understandably so. Recent studies show that cyber crime is on the rise at an alarming rate – and IT experts predict that cyber crime will result in approximately $2 Trillion in losses globally by 2019, up from $500B in 2015. The number of reported ransomware cases increased 500% from 2015 to 2016, with the average security breach costing approximately $4M.

Sho rt Histo ry In 2015, Cyber Security was a relatively unknown segment of the Insurance market, since then however, it has become the fastest growing segment – increasing from approximately $1B in 2015 to $2.5B today. With that being said, not all cyber insurance policies are created equal. It is a new market, and there are still a lot of undetermined sweet spots surrounding things like coverage limits, deductible amounts, and even what is and what is not covered under these policies. NEOnet and the MCOECN are collaboratively and aggressively pursuing answers to these questions to ensure that all members are adequately covered in the event of a breach.

Wha t Sho uld E xe c utive s Be T hinking Ab o ut? As c yb e r risks g ro w, se nio r ma na g e me nt a nd b o a rds o f dire c to rs o f c o mpa nie s a re inc re a sing ly fo c use d o n a holistic re sponse to c yb e r thre a ts tha t inc lude s: • Risk Mitig a tion – How do we r e duc e the odds or se ve r ity of some thing happe ning? • Risk T ra nsfe r – How c an we c ontr ac tually shift a por tion of our r isk to some one e lse ? • Re sponse / Re c ove ry – Some thing happe ne d, now what? Whe n thinking a b o ut c yb e r insura nc e , c o nside r a ll thre e e le me nts.

Wha t Ca n Go Wro ng ? E mploye e L ost F la sh Drive An e mplo ye e o f a he a lthc a re pro vide r lo st a fla sh drive c o nta ining the pro te c te d he a lth info rma tio n o f a ppro xima te ly 600 individua ls. T he pro vide r no tifie d the a ffe c te d individua ls a nd pro vide d c re dit mo nito ring se rvic e s. Va rio us sta te re g ula to rs we re a lso no tifie d in a c c o rda nc e with a pplic a b le la w. L e gal c osts + $110,000 for notific ation, c all c e nte r se r vic e s, c r e dit monitor ing, and le gal fe e s to de te r mine the insur e d’s r e gulator y obligations

Wha t Ca n Go Wro ng ? Rog ue e mploye e An e mplo ye e le a rns she ma y b e te rmina te d, a nd in re spo nse , she ste a ls na me s, a ddre sse s, so c ia l se c urity numb e rs a nd o the r pe rso na l info rma tio n fro m c usto me r file s. She so ld the info rma tio n to he r c o usin who use d the ide ntitie s to fra udule ntly o b ta in c re dit c a rds. T he affe c te d individuals file d suit against the c ompany for ide ntity the ft.

Wha t Ca n Go Wro ng ? Sma ll busine ss ha c ke d A b usine ss is ha c ke d b y a lo c a l te e na g e r who sto le so c ia l se c urity numb e rs a nd b a nk a c c o unt da ta fro m c usto me r file s. He so ld the info rma tio n to a n inte rne t we b site whic h use d it to c re a te fa lse ide ntitie s fo r c rimina ls to use . T he busine ss inc ur r e d notific ation and c r e dit monitor ing c osts, and the le gal e xpe nse s as we ll as the damage s fr om pote ntial lawsuits r e sulte d in mor e than $500,000 in damage s.

Wha t Ca n Go Wro ng ? Pa pe r Re c ords, T oo Outside a middle sc ho o l, pa pe rs we re b lo wing a ro und in the wind b e side a g a rb a g e c o nta ine r. A stude nt, se e ing the pa pe rs, g ra b b e d so me a nd re a d a b o ut the spe c ia l ne e ds a sse ssme nt fo r a se ve nth- g ra de r na me d K e vin, inc luding his I Q sc o re , psyc ho lo g ic a l a sse ssme nt da ta , b e ha vio ra l info rma tio n, a nd fa mily histo ry. Ove r the ne xt fe w we e ks, stude nts re le ntle ssly ta unte d K e vin, c a lling him "stupid," "dumb ," a nd "re ta rde d." Ke vin's family sue d the sc hool distr ic t, and at the tr ial c our t, the jur y r e tur ne d a ve r dic t that found the distr ic t liable for $60,000 in past damage s and $80,000 in futur e damage s--and also awar de d mor e than $45,000 in le gal fe e s to the family.

Wha t do yo u ha ve to lo se ? T a ng ible Costs – L o ss o f funds – Da ma g e to Syste ms/ F o re nsic s T ime a nd E xpe nse – L e g a l Da ma g e s/ Co mmunic a tio n E xpe nse s – F ina nc ia l Co mpe nsa tio n Inta ng ible Costs – L o ss o f c o mpe titive a dva nta g e – L o ss o f c usto me r a nd/ o r pa rtne r trust – L o ss o f inte g rity (c o mpro mise d dig ita l a sse ts) – Da ma g e to re puta tio n a nd b ra nd

11th a nnua l Co st o f Da ta Bre a c h Study (2016), the industry’ s g o ld- sta nda rd b e nc hma rk re se a rc h, inde pe nde ntly c o nduc te d b y Po ne mo n I nstitute . The average cost incurred for each lost or stolen record containing sensitive and confidential information increased to $158. $158/record (some estimates at $225+)