Data Privacy & Security Digital Digest_Spring_21

The DPSS DIGITAL DIGEST The Spring 2021 Issue

IN THIS ISSUE: Cyberattacks on the rise, employment benefits fraud, cybersecurity insurance, privacy news and helpful resources to improve your cybersecurity posture

Cyberattacks on the Rise

It’s time for K-12 schools to prepare for cyberattacks

2020 saw a rise in ransomware attacks targeting public schools. The cyberattack on Baltimore County Public Schools managed to reach all of their networks and disrupted online learning for 115,000 students. Schools all across the country have experienced cyberattacks, and ransomware targeting public schools is on the rise. Public schools are “easy and attractive targets for cybercriminals” who are taking advantage of school vulnerabilities. 28% of all reported ransomware attacks from January to July impacted K-12 schools. This increased to 57% in August and September when K-12 schools started their fall semesters. Increased reliance on remote learning made schools a prime target for cybercriminals hoping for a quick payout.

Why Target Schools?

Schools are vulnerable to cyberattacks for a myriad of reasons. Financial resources may not be allocated for cybersecurity, and schools may pay the ransom under community pressure to restore services quickly, especially as students continue to rely on remote learning during the pandemic.

Ransomware attacks can bring online learning to a screeching halt and can also compromise data. In “nine of the 31 ransomware incidents” reported, data was stolen, and in one case the “personal data of faculty, staff, and students” was published online, an alarming new trend.

What Can Schools Do to Reduce Risk?

Securing networks can be difficult without dedicated funds and without solid restoration backups and procedures. Schools cannot secure students’ personal devices and wireless networks while students are learning from home. Despite these limitations, there are steps schools can take to minimize risk:
• Develop cybersecurity policies and procedures
• Provide cybersecurity training to faculty, staff and students
• Access free services, such as the free membership provided by the Multi-State Information Sharing and Analysis Center (MS-ISAC)
• Install security patches
• Back up data frequently and securely
• Purchase cyberinsurance
Click here to read the full article.

The State of K-12 Cybersecurity Year in Review from the K-12 Cybersecurity Resource Center

The annual report on cyber incidents impacting U.S. K-12 education institutions, provided by the K-12 Cybersecurity Resource Center, is now available. You can download the 2020 report and access additional resources by visiting https://k12cybersecure.com/year-in-review/.

Data Privacy & Security Service, Issue 22

Page 1


COVID-19 Vaccine Scams

Cybercriminals never let a good opportunity to scam people go to waste, so it is not surprising that they are taking advantage of people hoping to get the COVID-19 vaccine. Scammers are now trying to sell “fake vaccine appointments and knockoff vaccine cards” to unsuspecting victims desperate to get a vaccine appointment. The vaccine scams are all over the internet and can be found on “eBay, in Google ads, and on social media platforms like Facebook and Twitter.” It doesn’t help that states are all following different procedures for vaccine rollout, making it easier for cybercriminals to sell the scam. The proud newly vaccinated people posting images of completed vaccine cards on social media aren’t helping either. The Better Business Bureau has warned against posting images of vaccine cards on social media, as it only helps the cybercriminals improve the authenticity of their fake vaccine cards. Each card also includes personally identifiable information, including a person’s full name, date of birth, and vaccine site location.

How to Identify Vaccine Scams

Fake vaccine cards are only one of the scams circulating around COVID-19 vaccinations. There are advertisements for fake vaccines, fake vaccine appointment registration websites, and email phishing campaigns to watch out for as well. You may see a “state seal” on the email or the site, but don’t be fooled. The Federal Trade Commission shared some tips on how to identify these scams. No one will ask for money upfront for an appointment or for “reserving a spot on a waitlist.” A real vaccine appointment notification will not ask you to provide your social security number, credit card number or banking information. The safest way to schedule an appointment is to visit your local public health department website. Learn more about COVID-19 vaccine scams. Click here to access the Fraud Alert on COVID-19 Scams from the Office of the Inspector General.

“Smishing” using SMS Notifications

“Smishing,” SMS phishing via text, has become an effective way for attackers to gain access to sensitive information. Messages “take the form of alerts” or notifications we frequently receive, making it easy for scammers to get clicks.

You can identify smishing by reading messages carefully. If a text makes an offer that appears to be “too good to be true,” prompts you to respond too quickly, states you owe money, or claims that your order was not delivered, don’t click the links. Instead, visit the website of the company or organization that “sent” the text and verify the information directly. Learn more about smishing here.


Unemployment Benefits Fraud

Cybercriminals continue to scam labor departments out of much-needed relief funds

Fraudulent unemployment benefit claims continue to plague unsuspecting victims nationwide, including in New York State. The NYS Department of Labor (NYS DOL) shared in this press release that “over 425,000 fraudulent unemployment benefit claims” were identified during the pandemic. Most people don’t know they are victims of fraud until they are contacted by their Human Resources (HR) department or until they receive a benefits debit card in the mail. Experts still don’t know how the payments are collected or which stolen database is the source of the personally identifiable information cybercriminals use when they file the claims. The U.S. Department of Justice (DOJ) also issued a warning on fake unemployment benefit websites, including convincing copies of State Workforce Agency (SWA) websites that unlawfully collect consumer personal information. The scammers use phishing emails and text messages to lure victims to these pages. If you believe you are a victim of unemployment benefit fraud, please notify your HR department. You can also access the links provided below for additional information.
• U.S. DOJ: Unemployment Insurance Fraud
• NYS DOL: Unemployment Insurance Benefits Fraud (includes a 24-hour toll-free hotline)
• News 10: Capital Region residents report identity theft due to widespread unemployment benefits fraud

Click “Play” to access the NPR “4-Minute Listen” on Unemployment Relief Fraud


Cybersecurity Insurance

The advantages and disadvantages of investing in a cybersecurity insurance policy

We all know that K-12 school districts are a target of cybercriminals, and that a cyberattack can disrupt instruction, lead to bad press and be costly to mitigate. That is why experts recommend investing in a comprehensive cybersecurity insurance policy. A well-drafted policy should include protections for financial losses, recovery expenses, and liability costs. “An effective policy should cover all threats from ransomware to social engineering attacks to insider threats.” Review a policy carefully to ensure the policy does not contain “exclusions you expect to be covered” and that the policy addresses K-12 specific threats and risks. Having a cybersecurity insurance policy can help an organization rebound from a cyber-incident “more quickly and at a lower cost.” Policies that are more “modern” may also include additional services such as risk assessment and training. Lastly, cybersecurity insurance policies can provide a “safety net” as your organization is developing security programs while “providing access to funds and special services in the event of an incident.”

While we still recommend having a stand-alone cybersecurity insurance policy, there are some caveats to bear in mind. Like any insurance policy we invest in, you may pay high premiums and never file a claim. You will want to avoid policies that are too complicated or confusing, as well as policies that are “bundled with other commercial policies.” Also, try to ensure your policy does not contain too many exclusions and doesn’t set “inappropriate limits” to cover an incident. While holding a cybersecurity insurance policy may “encourage” cybercriminals hoping you will use the insurance to pay the ransom, investing in policies that incorporate ransomware payments is not a best practice recommendation. Look for insurance companies that support organization recovery attempts and discourage agreeing to ransom demands. Even if you manage to get the best cybersecurity insurance policy out there for your district, you still want to implement strong cybersecurity and recovery programs to defend against cyberattacks. Click here to learn more about cybersecurity


Privacy News

New York State’s Moratorium on Biometric Technology

Last December New York State issued a moratorium on the use of biometric identifying technology in schools that prohibits the purchase and use of these types of technologies. This law applies to all biometric data, including facial recognition technology, but extends to “fingerprints, handprints, retina and iris patterns, DNA sequence, voice, gait, and facial geometry.” This can pose some difficulties for schools that use these technologies to deliver services, track payments, and for device access. Recognizing the “potential for some unintended consequences,” the New York legislature amended a “‘technical error’ in the moratorium” and then added an exception for “fingerprinted background checks for prospective employees.” The New York law is unique in that it requires the state’s Director of Information Technology Services to review potential school technology requests to determine if the technology is K-12 appropriate while considering the privacy implications of accessing biometric data. The law also requires the Director to produce a report on the “risks and benefits of biometric technology in schools during the moratorium,” which may allow for changes to the legislation in 2022. Schools can address this legislation by:
• Identifying any current technologies in use that collect biometric data, and what specific biometric data is collected
• Determining if technology can be used if the technology includes biometric features that are disabled
• Updating policies to reflect these new technology use requirements
• Ensuring contracts with technology providers include information on biometric data collection and use when applicable
Learn more about this NYS moratorium here.

Looking for a good book? Add these notable privacy and security books to your reading list!

Check out these recommended privacy and security books from 2020, including the latest release from student data privacy expert Linnette Attai, president of PlayWell, LLC, on “Managing Vendor Relationships.” Happy Reading!


Time for Some Spring Cleaning!

It’s that time of year again! Lucky for us, the 2021 Cybersecurity Spring Cleaning Checklist from the Center for Internet Security (CIS) was just released this March and includes a comprehensive list so you can clean all of those hard-to-reach cyber-spots. Checklist items include password management, an email deep-clean, removing unused applications, reviewing social media accounts, sunsetting obsolete accounts, paper disposal, backups, device updates and secure disposal. You can even download a Word version of the document if you prefer, or you can just visit the online version using this link.

Spring is also a great time to update your district software inventory in the Data Privacy and Security Service (DPSS) Inventory Tool. The latest version, 3.3, includes some great new features, including an improved product search and the ability to add a data administrator without establishing an inventory tool account. Log in to the RIC One DPSS website or use this direct link to the DPSS Inventory Tool to access your district inventory. Please feel free to contact your local DPSS representative with any inventory tool questions or concerns you may have; we are happy to help.


Data Privacy and Security

Student Privacy Communications Toolkit for School Districts

Student Privacy Compass, in association with the Future of Privacy Forum (FPF), has developed a Student Privacy Communications Toolkit for Schools and Districts to “help school and district leaders communicate about student privacy.” This extensive guide provides tools for administrators, including templates for a variety of privacy-related communications. You will also find information on privacy communication strategies, parent communications and federal privacy laws. There is even a Spanish translation of the toolkit available for your Spanish-speaking community stakeholders. Use this link to access the full privacy toolkit in both English and Spanish.

Cybersecurity Podcasts: K-12 Episode Spotlight

If you are looking for a podcast episode that focuses on K-12 cybersecurity we have you covered. The Cybr Podcast episode “Public schools are being targeted by Cybercriminals” highlights the “dangerous cyber threats” facing academic institutions and features speakers Eric Lankford and Doug Levin. In Episode 27 of the Unsecurity podcast, security architect and education advocate Ryan Cloutier shares how we can teach young students the “importance of information security and internet safety.” Feel free to listen to additional cybersecurity podcasts from Cybr Podcast and Unsecurity while driving or walking the dog to stay cyber-smart!



Helpful Ransomware and Incident Response Checklists

The Multi-State Information Sharing and Analysis Center (MS-ISAC) and the Center for Internet Security (CIS) have developed helpful checklists to help organizations recover from ransomware attacks and other cybersecurity-related incidents.

The MS-ISAC Ransomware Guide is divided into two parts. Part 1 covers Ransomware Best Practices and Part 2 includes a detailed Ransomware Response Checklist. The CIS Incident Response Checklist was developed in partnership with MS-ISAC and the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) and is split into three sections:
• Establish Reliable Facts and a Way to Stay Informed
• Mobilize a Response
• Communicate What You Know
These checklists can provide clarity and guidance should your district ever experience a cyber incident, though we hope your districts never do.

Cyber Safety Video Series

The Cybersecurity and Infrastructure Security Agency (CISA) and CYBER.ORG worked together to produce a Cyber Safety video series that focuses on common cyber threats people may encounter online and how to address them. The series covers ransomware, phishing, passwords, online gaming and video call safety. Each topic also has a companion tip card with eye-catching graphics. Visit https://cyber.org/cybersafety to watch all of these helpful videos.


