Data Privacy & Security Service Digital Digest, Summer 2018

Data Privacy & Security Service

Summer 2018 (Issue 12)

Cyber Year in Review


CoSN FEATURE ARTICLE

10 Steps to Address Data Security & Data Privacy by Linette Attai & Marie Bjerede

With the news full of data breaches and other cyber attacks at school districts and also at numerous large public companies, today’s district leader has cybersecurity on the top of his or her mind. There is the risk to the reputation of the district and its leaders as reports of student data leaks make it into the press, the loss of learning time as denial of service attacks shut off access to the Internet, and loss of internal digital systems as ransomware holds their data hostage.

There is also the cost of data breaches to consider: the average cost of a breach in education in the U.S. is $245/record. The average number of records exposed per data breach (across all sectors, not just education) is 28,512. Costs are incurred for lawyers, forensic discovery, liability, and identity theft management.

How does a district take the first steps to mitigate the risk of cybersecurity attacks? CoSN recommends the following:

1. Patch software and operating systems, and be ready to abandon software when it becomes obsolete.
2. TRAIN, TRAIN, TRAIN! Make sure everyone knows security awareness is their job and who to talk to if they make a mistake.
3. Build a sustainable, long-range plan for security. Besides consistent training, create a rotation of other areas of security like technical hardware refreshes, application reviews/updates, assessing which vendors may have VPN access to your network, etc.
4. Utilize resources like the Department of Homeland Security (DHS) and the Multi-State Information Sharing and Analysis Center (MS-ISAC). They provide free monitoring and will help remediate in some cases; they have a host of resources and tools.
5. For more information, please see the CoSN resource: Getting Started with Cybersecurity.

CoSN also has resources to help districts rigorously evaluate their Cybersecurity Preparedness and plan for improvements:

• Cybersecurity Self-Assessment: Rate your cybersecurity stance based on the answers to specific questions in the areas of: Management, Technology, Business Continuity, and Stakeholders.
• Cybersecurity Planning Rubric: The Cybersecurity Planning Rubric follows the Cybersecurity Self-Assessment by breaking down what cybersecurity maturity looks like for each of the elements of the self-assessment.
• Cybersecurity Planning Template: The Planning Template is helpful in identifying the short, medium, and longer term actions to be taken to address gaps.

Find all of CoSN’s Cybersecurity Resources at: https://cosn.org/cybersecurity

In This Issue

Page 1 & 2:
» CoSN Feature Article: 10 Steps to Address Data Security & Data Privacy

Page 3:
» 2018 Verizon Data Breach Report Findings

Page 4: Cyber Trends
» Cyber Predictions for 2018
» Best Practices for Cybersecurity

Page 5:
» Comptroller’s Corner
» City of Atlanta Attacked by Ransomware

Page 6:
» Facebook’s Tracking of Non-Users Sparks Broader Privacy Concerns
» Zuckerberg, Facing Facebook’s Worst Crisis Yet
» YouTube Accused of Targeting Children with Ads, Violating Federal Privacy Law
» Android Apps Violate Children’s Privacy

Page 7:
» States Issue Privacy Ultimatums to Education Technology Vendors
» Helpful Privacy Tools

Page 1


CoSN FEATURE ARTICLE

10 Steps to Address Data Security & Data Privacy (continued) by Linette Attai & Marie Bjerede

Data security is just one side of the coin of a complete data protection and governance program. The other side of that coin is data privacy. Federal, state and global data protection laws set the floor for data privacy requirements, and your district rules and community norms and ethics set the ceiling. Leveraging that combination of work, today’s tech-enabled districts must also translate their data privacy efforts into clear and easy to understand guidance to build trust with the community about how student data is being protected. It requires ongoing effort and focus on fundamentals across the district, as well as attention to strengthening the relationship with parents to move from fear-based discussions about data protection to fact-based and trusting partnerships.

CoSN recommends the following as fundamental to any data privacy program:

1. Work with legal counsel and coordinate compliance with your technology, assessment, curriculum, student services, human resources, and all technology vendors to stay up to date and compliant with all applicable laws.
2. Embark on a program of ongoing management and improvement of your compliance program that designates rules and procedures spearheaded by district leadership.
3. Train! Anyone who collects or has access to students’ personal information should be taught how to use student data securely, effectively, legally, and ethically, in keeping with your district’s policies and requirements.
4. Address community and other stakeholder expectations in a clear and comprehensive manner, with publicly available information and resources.
5. Keep instructional goals in the picture, balancing those needs with the data privacy requirements.

CoSN also has a variety of resources to help districts evaluate and improve their data privacy programs:

• Protecting Privacy in Connected Learning Toolkit. This free resource is an in-depth guide to key federal student data privacy laws. It also includes guidance on how the laws operate together, suggested contract terms, explanations of metadata and data de-identification, use of click-wrap agreements, and more.
• Trusted Learning Environment Seal Program. The Trusted Learning Environment Seal Program (TLE) ensures that school systems are taking meaningful and measurable steps to protect the privacy of student data and are communicating these efforts to parents, communities and other stakeholders.
• Online Privacy Training. This eight-module course is designed for school district leaders who want to understand existing privacy laws, define best and necessary practices around privacy, and communicate effectively with their communities.

Find more of CoSN’s privacy resources at CoSN.org/privacy.

For even more actionable strategies, join us on July 16th in Washington, DC. CoSN will work with you to help improve your efforts regarding student data privacy and build a foundation for earning the TLE Seal! Space is limited. Register today!

For more information about how CoSN can help support your district efforts across a variety of disciplines, visit us at CoSN.org.

Page 2


CYBER YEAR IN REVIEW

2018 Verizon Data Breach Investigation Report Findings

The 2018 Verizon Data Breach Investigations Report (DBIR) has been released. Use the link provided to access the full report: https://info.verizonenterprise.com/VBM-2018-DBIR-ulp.html

“4% of people will click on any given phishing campaign” - Verizon 2018 DBIR

In a list of top industries subject to social breaches, education ranked third at 41%.

Most data breaches in education fall into a miscellaneous category called “Everything Else”, accounting for 36% of data breaches. It is very difficult to pinpoint a specific pattern these breaches fall under. However, W-2 scams were common, accounting for 22 instances in education this year. This may be due to the “open source natures of schools” (Verizon 2018 DBIR). Personal data is more readily disclosed by educational institutions, which may make them more vulnerable to these types of attacks.

The second most common data breach method in education is the Social attack, accounting for 41% of breaches. Cyber-Espionage was prevalent in education, with 25% of attacks falling under this pattern.

The Hacking action type was dominant in education, coming in at 72% because of the continuing pervasiveness of DDoS (Distributed Denial of Service) attacks. Data breaches account for 44% of hacking actions while 16% of data breaches were due to human error.

Here are some additional statistics Verizon shared in their report:

In 2017, there were over 53,000 incidents and 2,216 confirmed data breaches.

Who executed the breaches?

• 73% of the breaches were perpetrated by outsiders
• 28% involved internal actors
• 50% of breaches were executed by organized criminal groups
• 12% involved privilege misuse

Data breaches by the numbers:

• 76% of breaches were financially motivated
• 48% of breaches featured hacking
• 17% were social attacks
• 30% included malware
• 39% of cases where malware was identified involved Ransomware
• 49% of non-POS (Point of Sale) malware was installed via malicious email
• 68% of breaches took months or longer to discover

Verizon provides a summary of what you can do to thwart these breaches and attacks. Here are the basics:

• Be vigilant
• Make people your first line of defense
• Only keep data on a need-to-know basis
• Patch promptly
• Encrypt sensitive data
• Use two-factor authentication
• Don’t forget physical security

Page 3


CYBER TRENDS

Cyber Predictions for 2018

Government Technology has shared a curated list of cybersecurity predictions for 2018. Dan Lohrmann, the author of the blog “Lohrmann on Cybersecurity & Infrastructure” for Government Technology magazine, provides an “annual security industry prediction roundup” including insights from top cybersecurity experts and publications. He even provides a Prediction Awards listing at the end of the blog with categories such as “Most Creative” and “Most Scary”. Dive into this extensive list by clicking this link.

Forbes has also provided a listing of the 60 Cybersecurity Predictions for 2018, compiled from multiple sources. You can see all 60 predictions by using this link.

Predictions included a likely increase in Ransomware and monetary demands. The attack on the City of Atlanta supports this prediction and demonstrates how government agencies can be vulnerable to these types of attacks.

The Equifax and Facebook breaches support the prediction that government oversight and regulation will increase based on the increasing number of data breaches. The European Union passed the GDPR (General Data Protection Regulation) to protect the data of all EU citizens, and other countries may soon follow their example. GDPR enforcement starts on May 25, 2018.

Some other predictions included more hacking through the IoT (Internet of Things) with more people using smart devices at home and at work; DDoS attacks will continue, possibly for money more than causing chaos; and there may be more malicious use of AI.

Let’s see what the second half of 2018 brings and try to stay safe out there in cyberspace!

Best Practices for Cybersecurity: Stay Cyber SMART

In today’s times, the most effective approach is to assume a breach will happen and have a plan in place to address it. This includes constant vigilance and effective incident response. Follow the SMART 5-pronged approach: Self-governance, Monitoring, Assessments, Remediation and Training. For more on this visit: https://mytechdecisions.com/network-security/best-practices-cybersecurity-stay-cyber-smart/

Page 4


COMPTROLLER’S CORNER

The Cairo-Durham Central School District audit was released on February 16, 2018. The key findings of the report focused on IT-related policies and web access and determined the following:

• IT-related policies were not adequate.
• Users accessed websites unrelated to business activities, and web filters were not adequate.

Recommendations to address these issues were provided. The auditors recommended the district implement the following measures:

• Update the District’s IT policies.
• Require District employees to attend cybersecurity and awareness training.
• Monitor Internet usage and configure the web filtering software to block access to sites that violate the acceptable use policy.
• Address the IT recommendations communicated confidentially

Please use this link to access the full Report of Examination for the Cairo-Durham Central School District: http://www.osc.state.ny.us/localgov/audits/schools/2018/cairo-durham.pdf

City of Atlanta Attacked by Ransomware

A ransomware attack shut down the City of Atlanta’s online systems on March 22. Six days later, forms were being filled out by hand, residents could not pay their parking tickets or water bills, and all scheduled court cases were effectively cancelled. Applications for city jobs were halted.

Having to turn to manual paper forms for processing has had a lasting impact. Atlanta Municipal court finally opened on April 16, but they are still using paper to schedule. Court dates scheduled between March 22 and April 16 had to be reset and reset dates had to be sent via snail mail.

Systems are still not up and running in Atlanta, almost a month after the date the attack occurred. The City of Atlanta has spent 2.7 million dollars to fix their municipal computer systems, a significantly larger dollar amount than the $50,000 ransom demanded by attackers. Experts believe such high spending may indicate Atlanta’s systems had to be re-built from the ground up.

This demonstrates how devastating a ransomware attack of this magnitude can be. Government agencies need to learn from this, see what they can do to protect themselves and have contingency plans if it happens.

Six Tips for Spring Cleaning Your Security System

1. Patch Often
2. Change Passwords
3. Pare Down Privileges
4. Audit Dispensable Data
5. Awareness Training
6. Review Security Policies

Read the full article at this link.

Page 5


CYBERSECURITY NEWS

Facebook’s Tracking of Non-Users Sparks Broader Privacy Concerns

Concerns over Cambridge Analytica’s ability to access private information from Facebook users have sparked outrage. To compound the problem, Facebook gets data on non-users from people on its network and cookies. Facebook is being targeted because of its popularity and size, but they are not forthcoming about the extent and reasons for the tracking. The end result is a push for legislation to require consent prior to data collection, which is already being addressed by European Union law.

For more information, read: https://www.huffingtonpost.com/entry/facebook-tracking-of-non-users-sparks-broader-privacy-concerns_us_5ad34f10e4b016a07e9d5871

Zuckerberg, Facing Facebook’s Worst Crisis Yet

The reaction to the Cambridge Analytica disclosure over data has been severe. Unfortunately, Zuckerberg has not said much to acknowledge how the gathering of user data was fundamental to the day-to-day operations of Facebook. As a result, more calls for regulation of Internet companies like Facebook are being pursued by Washington and this issue is far from over.

For further information, read: https://www.nytimes.com/2018/03/21/technology/facebook-zuckerberg-data-privacy.html

YouTube Accused of Targeting Children with Ads, Violating Federal Privacy Law

A complaint by over 20 consumer advocacy groups was filed with the FCC alleging that YouTube, using personal data, has been targeting children through their advertisements. This would be considered a violation of the Children’s Online Privacy Protection Act (COPPA).

For more information: http://blogs.edweek.org/edweek/DigitalEducation/2018/04/youtube_targeted_ads_coppa_complaint.html?cmp=soc-edit-tw

Android Apps Violate Children’s Privacy

UC Berkeley’s International Computer Science Institute researchers determined over half of child-centered Android apps from the Google Play Store may have violated the Children’s Online Privacy Protection Act (COPPA). Even apps that were certified as COPPA compliant under the US Federal Trade Commission’s (FTC) Safe Harbor program, a COPPA compliance certification program, were found to have potential COPPA violations.

Learn more here: http://exclusive.multibriefs.com/content/new-study-reveals-android-apps-violate-childrens-privacy/education

Page 6


States Issue Privacy Ultimatums to Education Technology Vendors

Connecticut passed a new state law that requires vendors to sign written privacy agreements if they want their product to be used in any classroom throughout the state. The deadline for compliance is July 2018. The law is similar to New York State Education Law 2-d as it legislates vendors, state education agencies (SEAs) and local education agencies (LEAs) to protect student data.

The Connecticut law sets guidelines for how identifiable student information can be used by vendors. Privacy advocates and parents praise the new measures taken to protect students from targeted advertising and for requiring notification of data breaches as they occur. However, there are education leaders who feel the law may be overreaching based on the type of student data collected and compliance may be elusive.

Read the full article here: https://www.edsurge.com/news/2018-03-12-states-issue-privacy-ultimatums-to-education-technology-vendors

Data Privacy & Security Service Digital Digest

For Further Information Contact your Local RIC.


For Subscribers to Service:

• Digests & Archived Digests
• Digital Debrief
• Inventory Tool
• Information Security Online Professional Development
• Digital Blasts

Helpful Privacy Tools

Check out these cool privacy tools that upgrade privacy and security:

Signal - provides “military-grade” encryption to text chats, video calls and documents.

Haven - turns almost any Android smartphone into a video recording device.

Virtual Private Network (VPN) - an encrypted “tunnel” for web traffic, to protect private information like passwords.

Brave - a web browser made to avoid online habit tracking.

Read all about these tools and access the links here: https://www.themanual.com/culture/best-privacy-apps-tools/?utm_medium=push&utm_source=1sig&utm_campaign=One%20Signal

Page 7
