What FinAid offices need to know about cyberattacks. Presented by: Chris Chumley, COO at CampusLogic. Thursday, March 31, 2016, 12pm EST

BY 2014, OVER 1 BILLION PERSONAL DATA RECORDS HAD BEEN COMPROMISED
- 2013: Up to 40 million credit cards compromised. Sources attribute the hack to malware at POS systems, or to customer data being stolen en route from Target to credit card processors. Debit & credit info.
- 2014: Up to 56 million credit and debit cards and an additional 53 million email addresses. Criminals used a third-party vendor's username & password to enter the network, then deployed custom-built malware to POS systems. Debit & credit info.
- 2014: Five unreleased movies leaked, 47,000 Social Security numbers. In some cases PI including full name, DOB, address. Breach still TBD. Debit & credit info.
- 2014: Undisclosed number impacted. Sources attribute the hack to nearly undetectable Backoff malware. Debit & credit info, but not Social Security numbers, email addresses, PIN or PII.
WERE YOU PERSONALLY IMPACTED?

As of March 29, 2016, the Privacy Rights Clearinghouse Chronology of Data Breaches documented 4,766 data breaches in the U.S. involving at least 898,458,345 records from all industry sectors. Of these, 768 breaches involved educational institutions, encompassing 14,790,624 breached records. Source: https://www.privacyrights.org/data-breach

TOP 3 CHALLENGES FACING HIGHER ED IT PROFESSIONALS

THE EDUCATION SECTOR: AT-RISK
Symantec's 2015 Internet Security Threat Report, Volume 20, ranks education third among the top 5 sectors breached by number of incidents.

THE EDUCATION SECTOR: AT-RISK
Symantec's 2015 Internet Security Threat Report, Volume 20, reports 1,359,190 identities were exposed due to higher education breaches in 2014.

BREACH COSTS: DOLLARS & ATTRITION
According to the Ponemon Institute's 2015 Cost of Data Breach Study:
- US cost per compromised educational record: $225
- Schools with a data breach can expect an additional 1.9% of attrition
- A breach of 100,000 records could cost an institution $22,500,000.

BREACH COSTS: ADDITIONAL CONSEQUENCES
Implications to your bottom line:
- Loss of student trust
- Damage to reputation
- Reduction in alumni donations
- Reduction in enrollment
- Loss of staff productivity
- Legal action/representation
- Additional audit requirements

WHAT WOULD YOU DO?
A Southern California hospital received a request from hackers for $17,000 in digital currency (Bitcoin) to regain control of their computer systems after a so-called "ransomware" attack. Knowing how much a breach might potentially cost your school, if your FinAid computer systems were held ransom, which option would you choose?
- Pay
- Decline

THE WEAKEST LINKS IN YOUR SECURITY: PEOPLE MAKE MISTAKES
In March of 2016, the University of Sydney admitted it lost a notebook computer containing sensitive information about students using disability support services. The major privacy breach has shocked and angered students. The culprit? Human error.

HOW HACKERS GET THROUGH

BETTER PROTECT YOUR FINAID OFFICE BY FOCUSING ON FOUR KEY AREAS

KEY AWARENESS TOPICS: SECTION 1
- Password Management
- Mobile Device Security
- Public WiFi Use/Security
- Secure Processes: Email
- IT Security Best Practices
- Vendor Checklist
- Vendor Audits & Certifications

PASSWORD MANAGEMENT
- Use unique passwords for each service, and NEVER reuse your email account's password
- Use combinations of words, numbers and symbols, with upper and lower case letters
- Don't use easily-guessed passwords (see SplashData's annual list of worst passwords)
- Don't use words found in a dictionary, or sequences
- Complexity is nice, but length is more important
- Never keep a list of passwords around, either digitally or on paper
- Use two-step or two-factor authentication wherever possible

MOBILE DEVICE SECURITY
- Use a PIN, password, or pattern lock on your phone
- Enable data encryption features
- Download apps only from trusted stores
- Install an anti-malware program (e.g. Lookout)
- Install anti-theft software
- Don't root or jailbreak your phone
- Keep your operating system & apps updated
- Log out of sites after you make a payment
- Switch off WiFi and Bluetooth when not in use

PUBLIC WIFI USE/SECURITY
- Know that you are never secure on public WiFi
- Use built-in tools: enable the firewall, block all incoming traffic, disable file sharing
- Look for the padlock
- Confirm the network name with your location
- Use common sense
Image source: WiFi Password Hacker Simulator, which has 109,934 ratings on Google Play. It doesn't actually hack any network, but its description copy ("It's an awesome tool to impress your friends") is a great reminder that hacking has become a game of prestige.

SECURE PROCESSES: EMAIL
"Email was not designed with any privacy or security in mind" - Geoff Duncan, Digital Trends

IT SECURITY BEST PRACTICES
- Encrypt your data
- Use a digital certificate to sign all of your sites
- Implement a removable media policy
- Protect school websites
- Network endpoint security
- Stay current with patches and upgrades
- Establish and document a policy of no PII data on laptops or mobile devices
"After the Edward Snowden revelations in 2013, some technology companies began integrating encryption more tightly and seamlessly into their products and enabling it as the default setting. Apple's iOS 8, released in 2014, was a watershed in that respect. Google's next release of Android did the same." - "Inside Apple's Code War", Time Magazine, March 28, 2016 edition.

VENDOR CHECKLIST
- Encryption
- Data Access Policies
- User Authentication and Password Management: how are users authenticated?
- Physical Security
- Audits and Controls
- Contract Language
*Additional resource tool available.

VENDOR AUDITS & CERTIFICATIONS
Certification / Purpose:
- SSAE 16, SOC 1 and SOC 2: Auditing standard to ensure appropriate controls for your hosting provider; certification of controls for privacy and security.
- TRUSTe Certification: Privacy protection certification.
- PCI DSS: Certifies data security of credit card payment processing.
- FedRAMP: Government program providing a standard approach to security assessment, authorization and monitoring of cloud products and services.
- FIPS 140-2: Federal Information Processing Standard for accrediting data encryption standards.
- ISO 27001: Audit and risk assessment framework for information security management.

KEY AWARENESS TOPICS: SECTION 2
- Life Cycle of a Breach
- Building Your Breach Response Plan
- Breach Response Plan Tips
- The First 24 Hours of a Breach: Checklist
- Best Practices for Notifications

LIFE CYCLE OF A BREACH
Source: https://www.experian.com/assets/data-breach/brochures/response-guide.pdf

BUILDING YOUR BREACH RESPONSE PLAN
- Audit and document your current FinAid processes
- Define an internal response team with clear roles and responsibilities
- Assign someone to maintain an updated contact list
- Create a procedures document for key areas of the lifecycle
- Plan how you will manage a potential increase in call volumes
- If there is an institution-wide Breach Response Plan, ensure that the PR procedures document includes a section on how the FinAid office will specifically communicate with students and employees
- Develop a policy for cases warranting complimentary identity protection and credit monitoring services
- Identify a data forensics vendor with higher education experience to assist in managing the breach
Your institution may already have a Breach Response Plan in place. Is the FinAid Office represented? Is there potential to review the plan and provide insights and suggestions? Be proactive: you are the gatekeeper of your FinAid Office and need to speak up on behalf of your students. If there is no plan, our downloadable guidelines to Building Your Breach Response Plan can help.
*Additional resource tool available.

BREACH RESPONSE PLAN TIPS
- PREPAREDNESS TRAINING IS IMPORTANT: FinAid Offices are busy, but it is important to set aside time to practice your plan. It is also important to ensure your team members understand the plan and their roles.
- FREE CREDIT MONITORING REDUCES LAWSUITS: Research shows that individuals affected in a breach who receive free credit monitoring are six times less likely to file a lawsuit. This is also an investment to address loss of trust and reputation.
- BOARD INVOLVEMENT REDUCES COST OF BREACH: The Ponemon Institute's Cost of Data Breach Study: Global Analysis reveals that board-level involvement can reduce the cost of a breach by up to $5.50 per record.
- DO YOUR HOMEWORK: STATE-SPECIFIC NOTIFICATIONS: Each state may have different requirements for notification. Work with your legal department to determine who you must notify, such as your Attorney General's Office.

THE FIRST 24 HOURS OF A BREACH: CHECKLIST
- Validate the data breach
- Create a documented incident report
- Alert your response team
- Determine the current status and scope of the breach
- Notify necessary agencies
- Preserve evidence
- Bring in the forensics team
- Set response plans in action
This checklist combines best practice suggestions from credit monitoring, education, and government experts. It is offered as a starting point and should be refined as your FinAid Office sees fit.
*Additional resource tool available.

BEST PRACTICES FOR NOTIFICATIONS
- Speed, openness, and transparency are key
- Notify affected individuals within 10 business days of confirming the breach
- Alert affected individuals prior to sending out a press release, if possible
*Additional resource tool available.

QUESTIONS?

CampusLogic transforms the way colleges and universities deliver financial aid with the first and only student self-service platform. Modern, mobile, and personalized, CampusLogic's cloud-based software simplifies financial aid, so more students can get through the door into the classroom. With nearly 40 institutions and 300K+ active students, our customers optimize efficiencies, increase enrollment, and improve the student experience. For more information visit www.campuslogic.com.
Connect with CampusLogic: Twitter: https://twitter.com/campuslogic / Blog: http://campuslogic.com/blog/ / LinkedIn: https://www.linkedin.com/company/campuslogic
Connect with Chris Chumley, COO at CampusLogic, on Twitter and LinkedIn.