What FinAid offices need to know about cyberattacks
Presented by: Chris Chumley, COO at CampusLogic
Thursday, March 31, 2016 @ 12pm EST
BY 2014, OVER 1 BILLION PERSONAL DATA RECORDS HAD BEEN COMPROMISED
2013. Up to 40 million credit cards compromised. Sources attribute the hack to malware at POS systems, or to customer data being stolen en route from Target to credit card processors. Data: debit & credit info.
2014. Up to 56 million credit and debit cards and an additional 53 million email addresses. Criminals used a third-party vendor's username & password to enter the network, then deployed custom-built malware to POS. Data: debit & credit info.
2014. Five unreleased movies leaked, 47,000 Social Security numbers. In some cases PII including full name, DOB, address. Breach still TBD. Data: debit & credit info.
2014. Undisclosed number impacted. Sources attribute the hack to nearly undetectable Backoff malware. Data: debit & credit info, but not Social Security numbers, email addresses, PIN or PII.
WERE YOU PERSONALLY IMPACTED?
As of March 29, 2016, the Privacy Rights Clearinghouse Chronology of Data Breaches documented 4,766 data breaches in the U.S. involving at least 898,458,345 records from all industry sectors. Of these, 768 breaches involved educational institutions, encompassing 14,790,624 breached records.
Source: https://www.privacyrights.org/data-breach
TOP 3 CHALLENGES FACING HIGHER ED IT PROFESSIONALS
THE EDUCATION SECTOR: AT-RISK
SYMANTEC'S 2015 INTERNET SECURITY THREAT REPORT, VOLUME 20, RANKS EDUCATION THIRD IN TERMS OF TOP 5 SECTORS BREACHED BY NUMBER OF INCIDENTS.
THE EDUCATION SECTOR: AT-RISK
SYMANTEC'S 2015 INTERNET SECURITY THREAT REPORT, VOLUME 20, REPORTS 1,359,190 IDENTITIES WERE EXPOSED DUE TO HIGHER EDUCATION BREACHES IN 2014.
BREACH COSTS: DOLLARS & ATTRITION
According to the Ponemon Institute's 2015 Cost of Data Breach Study:
US COST PER COMPROMISED EDUCATIONAL RECORD: $225
Schools with a data breach can expect an additional 1.9% of attrition.
A breach of 100,000 records could cost an institution $22,500,000.
BREACH COSTS: ADDITIONAL CONSEQUENCES
Implications to your bottom line:
Loss of student trust
Damage to reputation
Reduction in alumni donations
Reduction in enrollment
Loss of staff productivity
Legal action/representation
Additional audit requirements
WHAT WOULD YOU DO?
A Southern California hospital received a request from hackers for $17,000 in digital currency (Bitcoin) to regain control of their computer systems after a so-called "ransomware" attack.
Knowing how much a breach might potentially cost your school, if your FinAid computer systems were held ransom, which option would you choose?
Pay / Decline
THE WEAKEST LINKS IN YOUR SECURITY: PEOPLE MAKE MISTAKES
In March of 2016, the University of Sydney admitted it lost a notebook computer containing sensitive information about students using disability support services. The major privacy breach has shocked and angered students. The culprit? Human error.
HOW HACKERS GET THROUGH
BETTER PROTECT YOUR FINAID OFFICE BY FOCUSING ON FOUR KEY AREAS
KEY AWARENESS TOPICS: SECTION 1
Password Management
Mobile Device Security
Public WiFi Use/Security
Secure Processes: Email
IT Security Best Practices
Vendor Checklist
Vendor Audits & Certifications
PASSWORD MANAGEMENT
Use unique passwords for services; NEVER use your email account
Use combinations of words, numbers and symbols, and use upper and lower case letters
Don't use easily-guessed passwords (see SplashData's annual list of worst passwords)
Don't use words found in a dictionary, or sequences
Complexity is nice, but length is more important
Never keep a list of passwords around, either digitally or on paper
Use two-step or two-factor authentication wherever possible
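The rules on this slide can be turned into an automated check, for example in a self-service portal or an onboarding script. The following Python is an added example written for this page; it is not CampusLogic code and not part of the original deck. The minimum length of 14, the short "worst passwords" sample and the mini-dictionary are all assumptions constructed for the demo (the slide gives no number and the real SplashData list is far longer); the entropy estimate is there only to show why a long lowercase passphrase outscores a short "complex" password.

```python
import math
import re
import string

# Assumption for this example: the slide says length matters more than
# complexity but names no number, so 14 is a stand-in threshold.
MIN_LENGTH = 14

# Constructed sample standing in for SplashData's annual worst-passwords list.
WORST_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345",
    "123456789", "football", "baseball", "letmein", "welcome",
}

# Constructed mini-dictionary; a real deployment would load a full word list.
DICTIONARY_WORDS = {"password", "welcome", "campus", "student", "summer", "finaid"}

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` characters that step up or down by one
    (abcd, 4321) or walk along a keyboard row in either direction (asdf)."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        steps = [ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])]
        if all(s == 1 for s in steps) or all(s == -1 for s in steps):
            return True
        for row in KEYBOARD_ROWS:
            if chunk in row or chunk in row[::-1]:
                return True
    return False


def check_password(pw: str) -> list[str]:
    """Return the slide's rule violations; an empty list means the password passes."""
    problems = []
    if pw.lower() in WORST_PASSWORDS:
        problems.append("appears on the worst-passwords list")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Drop digits and symbols so "Password1!" still trips the dictionary check.
    core = re.sub(r"[^a-z]", "", pw.lower())
    if core in DICTIONARY_WORDS:
        problems.append("is a dictionary word with decoration")
    if _has_sequence(pw):
        problems.append("contains a letter, number or keyboard sequence")
    return problems


def estimate_bits(pw: str) -> float:
    """Rough strength estimate: length * log2(size of the character classes used).
    Length multiplies the result; adding a character class only nudges it."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
    ]
    size = sum(n for chars, n in classes if any(c in chars for c in pw))
    return round(len(pw) * math.log2(size), 1) if size else 0.0


if __name__ == "__main__":
    for candidate in ["123456", "Password1!", "correct horse battery staple"]:
        print(candidate, check_password(candidate), estimate_bits(candidate))
```

"Password1!" uses all four character classes yet fails on length and on being a decorated dictionary word, while the four-word lowercase passphrase passes every rule and scores roughly twice the bits; that is the slide's "length is more important" point in numbers.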
MOBILE DEVICE SECURITY
Use a PIN, password, or pattern lock on your phone
Enable data encryption features
Download apps only from trusted stores
Install an anti-malware program (e.g. Lookout)
Install anti-theft software
Don't root or jailbreak your phone
Keep your operating system & apps updated
Log out of sites after you make a payment
Switch off WiFi and Bluetooth when not in use
PUBLIC WIFI USE/SECURITY
Know that you are never secure on public WiFi
Use built-in tools: enable the firewall, block all incoming traffic, disable file sharing
Look for the padlock
Confirm the network name with your location
Use common sense
Image source: WiFi Password Hacker Simulator, which has 109,934 ratings on Google Play. It doesn't actually hack any network. But the description copy, "It's an awesome tool to impress your friends", is a great reminder that hacking has become a game of prestige.
SECURE PROCESSES: EMAIL
"Email was not designed with any privacy or security in mind." - Geoff Duncan, Digital Trends
IT SECURITY BEST PRACTICES
Encrypt your data
Use a digital certificate to sign all of your sites
Implement a removable media policy
Protect school websites
Network endpoint security
Stay current with patches and upgrades
Establish and document a policy of no PII data on laptops or mobile devices
"After the Edward Snowden revelations in 2013, some technology companies began integrating encryption more tightly and seamlessly into their products and enabling it as the default setting. Apple's iOS 8, released in 2014, was a watershed in that respect. Google's next release of Android did the same." - "Inside Apple's Code War", Time Magazine, March 28, 2016 edition.
VENDOR CHECKLIST
Encryption
Data Access Policies
User Authentication and Password Management: how are users authenticated?
Physical Security
Audits and Controls
Contract Language
*Additional resource tool available.
VENDOR AUDITS & CERTIFICATIONS
Certification: SSAE 16, SOC 1 and 2
Purpose: Auditing standard to ensure appropriate controls for your hosting provider. Certification of controls for privacy and security.
Certification: TRUSTe Certification
Purpose: Privacy protection certification.
Certification: PCI DSS
Purpose: Certifies data security of credit card payment processing.
Certification: FedRAMP
Purpose: Government program providing a standard approach to security assessment, authorization and monitoring of cloud products and services.
Certification: FIPS 140-2
Purpose: Federal Information Processing Standard for accrediting data encryption standards.
Certification: ISO 27001
Purpose: Audit and risk assessment framework for information security management.
KEY AWARENESS TOPICS: SECTION 2
Life Cycle of a Breach
Building Your Breach Response Plan
Breach Response Plan Tips
The First 24 Hours of a Breach: Checklist
Best Practices for Notifications
LIFE CYCLE OF A BREACH
Source: https://www.experian.com/assets/data-breach/brochures/response-guide.pdf
BUILDING YOUR BREACH RESPONSE PLAN
Audit and document your current FinAid processes
Define an internal response team with clear roles and responsibilities
Assign someone to maintain an updated contact list
Create a procedures document for key areas of the lifecycle
Plan how you will manage a potential increase in call volumes
If there is an institution-wide Breach Response Plan, ensure that the PR procedures document includes a section on how the FinAid office will specifically communicate with students and employees
Develop a policy for cases warranting complimentary identity protection and credit monitoring services
Identify a Data Forensics vendor with higher education experience to assist in managing the breach
Your institution may already have a Breach Response Plan in place. Is the FinAid Office represented? Is there potential to review the plan and provide insights and suggestions? Be proactive: you are the gatekeeper of your FinAid Office and need to speak up on behalf of your students. If there is no plan, our downloadable guidelines to Building Your Breach Response Plan can help.
*Additional resource tool available.
BREACH RESPONSE PLAN TIPS
PREPAREDNESS TRAINING IS IMPORTANT
FinAid Offices are busy, but it is important to set aside time to practice your plan. It is also important to ensure your team members understand the plan and their roles.
FREE CREDIT MONITORING REDUCES LAWSUITS
Research shows that individuals affected in a breach who receive free credit monitoring are six times less likely to file a lawsuit. This is also an investment to address loss of trust and reputation.
BOARD INVOLVEMENT REDUCES COST OF BREACH
The Ponemon Institute's Cost of Data Breach Study: Global Analysis reveals board-level involvement can reduce the cost of a breach by up to $5.50 per record.
DO YOUR HOMEWORK: STATE-SPECIFIC NOTIFICATIONS
Each state may have different requirements for notification. Work with your legal department to determine who you must notify, such as your Attorney General's Office.
THE FIRST 24 HOURS OF A BREACH: CHECKLIST
Validate the data breach
Create a documented Incident Report
Alert your Response Team
Determine current status and scope of the breach
Notify necessary agencies
Preserve evidence
Bring in Forensics team
Set response plans in action
This checklist combines best practice suggestions from credit monitoring, education, and government experts. It is offered as a starting point and should be refined as your FinAid Office sees fit.
*Additional resource tool available.
BEST PRACTICES FOR NOTIFICATIONS
Speed, openness, and transparency are key
Notify affected individuals within 10 business days of confirming the breach
Alert affected individuals prior to sending out a press release, if possible
*Additional resource tool available.
QUESTIONS?
CampusLogic transforms the way colleges and universities deliver financial aid with the first and only student self-service platform. Modern, mobile, and personalized, CampusLogic's cloud-based software simplifies financial aid, so more students can get through the door into the classroom. With nearly 40 institutions and 300K+ active students, our customers optimize efficiencies, increase enrollment, and improve the student experience. For more information visit www.campuslogic.com.
Connect with CampusLogic
Twitter: https://twitter.com/campuslogic
Blog: http://campuslogic.com/blog/
LinkedIn: https://www.linkedin.com/company/campuslogic
Connect with Chris Chumley, COO at CampusLogic: Twitter, LinkedIn