Data Privacy & Security Service (DPSS) Spring Digest: K-12 Cybersecurity
Winter 19 (Issue 14)
IN THIS ISSUE:
PAGE 1 • K-12 Cyber Incidents 2018
PAGE 2 • Cybersecurity is a must • Understanding more about phishing
PAGE 3 • Cybersecurity management • Comptroller’s Corner
PAGE 4 • Cybersecurity Resources
PAGE 5 • Cybersecurity News
PAGE 6 • Cybersecurity Help & Tips
The K-12 Cybersecurity Resource Center
K-12 Cyber Incidents: 2018
The most frequently experienced type of K-12 cyber incident reported during 2018 was the data breach, primarily fitting one of the following four profiles:
1. Unauthorized disclosures of data by current and former K-12 staff, primarily, but not exclusively, due to human error.
2. Unauthorized disclosures of K-12 data held by vendors/partners with a relationship to a school district.
3. Unauthorized access to data by K-12 students, often out of curiosity or a desire to modify school records (including grades, attendance records, or financial account balances).
4. Unauthorized access to data by unknown external actors, often for malicious purposes.
Data Breaches
• Just over half of all digital data breach incidents experienced by K-12 schools in 2018 were directly carried out or caused by members of the affected school community (staff or students).
• Student data were included in more than 60% of K-12 data breaches in 2018.
• During 2018, 46% of all K-12 digital data breaches included data about current and former school staff (such as payroll or other personnel records). In some cases, this has led to payroll theft, identity theft, and the filing of false tax returns.
Phishing Attacks
• Phishing attacks, predominantly carried out over email, were commonly experienced by school districts. In many cases, these attacks were the method of choice that malicious third parties employed to gain access to sensitive data systems or to deliver and propagate malware on school networks.
• Perhaps most concerning in 2018 were a number of successful phishing attacks targeted at school district business officials. These scams, designed to redirect large payments from legitimate school contractors/partners to criminal accounts, resulted in the theft of millions of taxpayer dollars.
Malware and Other Incidents
• Ransomware and other malware outbreaks represented over 15% of all K-12 cyber incidents in 2018.
• School-managed social media and website defacement: these incidents were experienced by about 5% of school districts in 2018. These attacks abuse official communication channels to deliver unauthorized messages or to automatically redirect users to third-party sites.
To read the full report use this link: https://k12cybersecure.com/year-in-review
Permission to use graphic provided by the K-12 Cybersecurity Resource Center, Powered by Knack
Cybersecurity is a must in curriculum in increasingly digital classrooms
Responsibly navigating the cyber threats of the online world is a critical life skill that needs to be incorporated into the curriculum every day. For example, programming and using camera drones outside is great, as long as privacy concerns are addressed. A student testing their drone skills at home could inadvertently violate a neighbor’s privacy if their drone’s camera peers into the neighbor’s home. These are privacy concerns students should be made aware of when using technology. The National Cyber Security Alliance runs a website called Stay Safe Online that weaves cybersecurity and safety into everyday instruction, especially at the elementary level.
For more information on cybersecurity in digital classrooms use this link.
Understanding more about phishing techniques to reduce your digital risk
Phishing has been used for over 25 years and is the third most common technique used in data breaches. Attacks try to convince targets to click on a malicious link in phishing emails, social media posts or text messages. Attacks may even spoof legitimate email accounts, making the phishing email appear to be authentic.
The good news is the percentage of individuals who will click in any given campaign has been greatly reduced.
But since it only takes one click, you should keep these five tips in mind:
• Limit information shared online
• Monitor emails for typos or slight changes
• Add additional security measures
• Protect with two-factor authentication
• Regular training of employees
For more information from “Security Week”, click here.
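The second tip, watching sender addresses for typos or slight changes, is something a district mail gateway can do automatically for the small set of vendor and partner domains that business officials pay. The script below is an added example, not code from the newsletter or from Security Week. The trusted domain list, the sample addresses and the small homoglyph table are constructed for the example; a production filter would use a fuller confusables list and the district's real vendor list.

```python
# Added example (not from the newsletter): flag sender domains that look like
# a trusted partner domain but differ by a typo or a visually similar character.
# The trusted list and the sample sender addresses below are constructed.
import unicodedata

TRUSTED_DOMAINS = {"exampleschools.org", "busvendor.com"}  # constructed

# Small, constructed table of substitutions commonly used in lookalike domains.
# Each pair maps the lookalike form to its canonical form.
HOMOGLYPHS = (("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w"))


def normalize(domain: str) -> str:
    """Fold a domain to a canonical form so lookalikes compare equal."""
    d = unicodedata.normalize("NFKC", domain).lower().strip()
    for lookalike, canonical in HOMOGLYPHS:
        d = d.replace(lookalike, canonical)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return ("trusted", domain), ("lookalike", trusted_domain it imitates),
    ("non-ascii", None) for domains needing manual review, or ("unknown", None)."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in trusted:
        return ("trusted", domain)
    if not domain.isascii():
        # NFKC does not fold cross-script confusables (e.g. Cyrillic letters),
        # so anything non-ASCII is sent for review rather than guessed at.
        return ("non-ascii", None)
    norm = normalize(domain)
    for t in trusted:
        t_norm = normalize(t)
        if norm == t_norm or edit_distance(norm, t_norm) <= max_distance:
            return ("lookalike", t)
    return ("unknown", None)


def triage(messages):
    """Run the check over (sender, subject) pairs; return only the ones to hold."""
    held = []
    for sender, subject in messages:
        verdict, imitated = classify_sender(sender)
        if verdict in ("lookalike", "non-ascii"):
            held.append((sender, subject, verdict, imitated))
    return held


# Constructed sample mail, as a gateway might see it.
SAMPLE_MESSAGES = [
    ("ap@busvendor.com", "Invoice 1042"),
    ("ap@busvend0r.com", "Updated bank details for invoice 1042"),
    ("billing@examp1eschools.org", "Payroll file"),
    ("friend@gmail.com", "Lunch?"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_MESSAGES):
        print(row)
```

Holding a message is a review queue action, not a verdict: a legitimate vendor that changes its domain will also land here, which is exactly the case the business office should confirm by phone before any payment details change.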
Reasons why you should manage your third-party security better in 2019
Vetting third parties and monitoring them for cyber gaps is getting increasingly difficult. Hackers are more creative and effective in breaching data and the number of third parties employed by organizations has risen from 378 in 2016 to 588 in 2018.
New regulations are on the way, and the penalties for not complying are becoming more significant. Many states are regulating data privacy rights, so citizens know what data is being collected about them, are guaranteed the right to edit and access this data, and have the right to know how and with whom it is being shared. Using an automated third-party security management system regulates and continually evaluates third parties for compliance.
Use this link to read more on this issue.
Why many organizations still don’t understand cybersecurity
The overall assessment is that most leadership/management under-invests in cybersecurity. They tend to think of cybersecurity as a finite problem that can be solved rather than an ongoing process that must constantly be addressed.
The focus should be risk management, not risk mitigation.
For some case studies of organizations taking the lead, check out this link.
Cybersecurity weaknesses are commonly cited in NYSED school district IT audits conducted in 2018 and 2019. A New York State school district was cited in a 2019 information technology audit for not adopting “adequate security policies and procedures to safeguard IT assets.” The school district was also cited for not providing information technology security training to employees.
Recommendations included:
• Adopt comprehensive IT security policies, procedures and plans to safeguard IT assets and data.
• Provide periodic IT security awareness training to personnel who use IT resources.
7 Social Media Scams to Avoid
In this Avast blog they point out seven social media scams to recognize and avoid:
1. Data-mining quizzes, surveys and contests - you don’t need to know ‘what kind of dog you are’
2. Clickbait - be careful where you click
3. “Friendly” cash requests - always check with the friend in person
4. Short URLs - while helpful, it’s hard to tell where they came from
5. Strange friend requests - if you don’t know them, they’re really not your ‘friend’
6. Double friend requests - it’s fake, don’t accept it
7. Fake emergencies - check your account status directly, not through a provided link
Cartoon by Michael Maslin. The New Yorker Magazine, Inc.
Education Law 2-d Part 121 Proposed Regulations Update
Ed Law 2-d Part 121 regulations were proposed to strengthen the privacy and security of student and school staff personally identifiable information. The public comment period concluded on March 31, 2019 and the regulations have been submitted to the Board of Regents for review and, ultimately, for adoption. Visit the NYS Education Department Student Data Privacy page to learn more about the latest Part 121 proposed regulations.
Check out the latest Digital Debrief- an interview with Deborah Snyder, Chief Information Officer for the NYS Office of Information Technology Services. Ms. Snyder explains how NYS has established a comprehensive and robust cybersecurity program and provides recommendations on how to protect data.
Privacy becomes a selling point for tech
During the recent Apple media event in March, Apple CEO Tim Cook spoke frequently about Apple’s commitment to security and privacy, and their stellar privacy reputation. Privacy and security have now become a major selling point for companies, including Microsoft and other industry peers. These companies recognize consumer privacy concerns may impact tech investment decisions, both today and in the future.
Even Facebook, a major privacy violator, announced plans to “pivot to privacy” by investing more in “encrypted, ephemeral messaging.” Only time will tell if Facebook truly will take steps to secure user data and respect user privacy.
Click here to read more about this consumer privacy trend.
Education Gets an ‘F’ in Cybersecurity
SecurityScorecard, “a company that performs security ratings on IT infrastructure risks,” analyzed 17 industries, with education coming in “second to last” in cybersecurity. Data at risk in the education sector includes “names, addresses, Social Security numbers, test scores and behavioral assessments.” They also cited that the use of “software-as-a-service” doesn’t protect schools. The report also cited that computer-based assessments can pose “extra privacy and cybersecurity concerns” because the PII collected “could be used to identify students.” The education industry does not seem to be prepared to deal with malicious threats, and needs to do more to secure data. The full report can be reviewed (with registration) on the SecurityScorecard website.
Use this link to read the full article.
Cybersecurity Help & Tips
Common Sense Education has provided some great data privacy tools for teachers to protect student privacy. The resources include guidance on how to minimize online privacy risks and help teachers be more FERPA and COPPA compliant. Resources include video tutorials, privacy lesson plans, social media tips for teachers and schools, and much more. To access these amazing resources just click here.
K-12 Cybersecurity: Big Threats & Best Practices
Education Week has posted resources from K-12 Cybersecurity, including articles on what was learned after a “constant barrage of attacks,” a district CTO’s recommendations on how to defend against cyberattacks, and “6 Steps for Preventing and Cleaning Up Cyberattacks”. Use this link to access these articles and more. The resources are great!
The K-12 Cyber Incident Map shows cybersecurity related incidents affecting US K-12 schools and districts from 2016 to present. Click the map for a closer look.
Contact your Local RIC for additional information. Click here to find your local RIC contact.
For Subscribers to the Service:
• Digests & Archived Digests
• Digital Debrief
• Inventory Tool
• Information Security Online Professional Development
• Digital Blasts
Google Password Checkup
Google Password Checkup identifies accounts that may have been impacted by data breaches. Once the extension is installed you will receive an alert if you enter a username and password that appeared in a data breach known to Google. The alert will prompt you to reset the password for that account and for any other accounts that use the same credentials. You can read more about this new privacy tool in this Google blog post. The post also includes information on how to install the extension.
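The mechanism the paragraph above describes, comparing an entered username and password against a set of known-breached pairs and then flagging every other account that reuses the same password, can be shown end to end in a few dozen lines. What follows is an added example, not the newsletter's content and not Google's code or protocol: it hashes each username:password pair and sends only a short hash prefix to a stand-in lookup service, so the service never learns the full credential, and then checks for password reuse across a locally held account list. The breach corpus, the vault entries and the prefix length are all constructed for the example; the real extension uses a different and considerably more privacy-preserving protocol than this plain hash-prefix lookup.

```python
# Added example (not from the newsletter and not Google's implementation):
# a simplified breached-credential check in the spirit of Password Checkup.
# Every breached pair, user name and password below is constructed.
import hashlib

PREFIX_LEN = 5  # hex characters of the hash sent to the lookup service (assumed)


def credential_hash(username: str, password: str) -> str:
    """Hash a username:password pair. The username is canonicalised so that
    'Alice@Example.org ' and 'alice@example.org' match the same breach record.
    SHA-256 is used only to keep the example short; a real corpus would be
    protected with a slow, salted password hash so the stored hashes cannot be
    guessed offline."""
    data = f"{username.strip().lower()}:{password}".encode("utf-8")
    return hashlib.sha256(data).hexdigest()


class BreachLookupService:
    """Stand-in for the breach database. Records the prefixes it is asked for
    so the example can show that full hashes never leave the client."""

    def __init__(self, leaked_pairs):
        self._by_prefix = {}
        for user, pw in leaked_pairs:
            h = credential_hash(user, pw)
            self._by_prefix.setdefault(h[:PREFIX_LEN], set()).add(h[PREFIX_LEN:])
        self.queries = []

    def suffixes_for(self, prefix: str):
        """Return every stored suffix sharing this prefix (k-anonymity style)."""
        self.queries.append(prefix)
        return self._by_prefix.get(prefix, set())


def is_breached(username: str, password: str, service: BreachLookupService) -> bool:
    """Client side: send the prefix, match the suffix locally."""
    h = credential_hash(username, password)
    return h[PREFIX_LEN:] in service.suffixes_for(h[:PREFIX_LEN])


def checkup(vault, service):
    """vault: list of (site, username, password) held locally by the user.
    Returns (site, username, reason) alerts: 'breached' when the pair itself
    is in the corpus, 'reused' when an unbreached account shares a password
    with a breached one (the 'any other accounts' case in the alert text)."""
    breached = {(site, user) for site, user, pw in vault if is_breached(user, pw, service)}
    breached_passwords = {pw for site, user, pw in vault if (site, user) in breached}
    alerts = []
    for site, user, pw in vault:
        if (site, user) in breached:
            alerts.append((site, user, "breached"))
        elif pw in breached_passwords:
            alerts.append((site, user, "reused"))
    return alerts


# Constructed breach corpus and constructed local account list.
LEAKED_PAIRS = [("alice@example.org", "Winter2019!"), ("bob@example.org", "hunter2")]
VAULT = [
    ("payroll-portal", "alice@example.org", "Winter2019!"),
    ("gradebook", "alice.smith", "Winter2019!"),
    ("library", "alice@example.org", "correct horse battery staple"),
]


def run_checkup():
    """Build the stand-in service and run the check over the constructed vault."""
    service = BreachLookupService(LEAKED_PAIRS)
    return checkup(VAULT, service)


if __name__ == "__main__":
    for site, user, reason in run_checkup():
        print(f"{site} ({user}): {reason}")
```

The two alert kinds map to the two actions in the paragraph above: a 'breached' account needs its password reset, and a 'reused' account needs a new, different password even though that account itself was never in a breach.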