Taming the
Social Media Beast
63rd Illinois ASBO Conference
04/30/2014
© 2014 RETA Security, Inc.
Presenter Background
• President, RETA Security, Inc.
• Physical Security Professional (PSP)
• SCAT Member (NOVA)
• Illinois Terrorism Task Force (ITTF)
• Assessments, Emergency Planning, Keynotes/Training, Expert Witness
• paul@retasecurity.com
• facebook.com/safeschools1
• twitter.com/schoolsecurity
• linkedin.com/in/paultimmpsp
www.retasecurity.com
© 2014 RETA Security, Inc.
(630) 932-9322
Facebook Security
• “https” (settings)
  – account settings
  – security
  – secure browsing
• (settings)
  – privacy settings
  – who can see my stuff
• “Create a Page”
Social Media – Awareness
• Twitter Uses
• School “Handle”
– i.e. @schoolsecurity
• Activity “Hashtag”
• Twitter Tips
– computerhope.com/tips/tip149.htm
Involving Students
• YouTube
• Mass Notification
• Security Committee
• School Safety
– Marketing
– Training
– Technology
– Incentives
Security Resources
• ncpc.org/topics/
• eric.ed.gov/?id=ED536527
• computerhope.com/tips/tip149.htm
• lexisnexis.com/government/investigations/
• eschoolnews.com/2011/10/21/ten-ways-schools-are-usingsocial-media-effectively/
WHAT IS CYBER RISK? NETWORK SECURITY & PRIVACY
The CONVERGENCE of TECHNOLOGY with INFORMATION
Information & Data is Valuable:
Advancements in technology have enabled organizations to capitalize on the value of information and data.
Ease of Business:
Technology has made storing and removing data easy and convenient (laptops, back-up drives, thumb drives, recordable CDs, PDAs).
The most vigilant network security and privacy policies are vulnerable to hackers, rogue employees, independent contractors, and human error!
© 2012 ARTHUR J. GALLAGHER & CO.
PERSPECTIVES – IT/EMPLOYEE

Employees
Challenge = Balancing work flow needs with safeguarding the confidential information used to perform their job
• Rogue employees, social engineering, hacker sophistication, and human error (Societe Generale)
• Private records disposed of improperly (dumpster)
• Many employees lack computer common sense
• Employees choose easy-to-decipher passwords
• Clean Desk policy
• Training

IT Departments
Challenge = Balancing demands of safeguarding the network/data while adapting to ever-changing technologies and business needs
• Encryption
• Servers are porous and need constant care
• Patches to software
• Lack of tested back-up processes
• More data often collected than needed
• Data often stored for too long
• Tools that help hackers are readily available and shared on the Internet at no cost to malicious attackers
• Limited resources ($$/budgets)
SOURCES OF SECURITY AND PRIVACY BREACHES
2012 Results (pie chart)
• 35% – Human Error
• 37% – Malicious or Criminal Acts
• 29% – System Failure
Source: 2013 Annual Study: Cost of a Data Breach – by The Ponemon Institute, LLC; Sponsored by Symantec
POSSIBLE EXPOSURES
• Human Error – most common
• Hackers
• Rogue Employees
• Independent Contractors & Vendors
• Social Media
• Mobile Devices
• Cloud Computing
• A Changing Regulatory Environment
WHAT DOES A BREACH COST?
IL law requires notification to potentially affected persons whose first & last name and SSN, DL or account / credit / debit card numbers are compromised.

Regulatory
• HIPAA, FERPA
• Fines & Penalties
• Government – privacy laws

Response Costs
• Forensic Investigations
• Notification Costs
• Credit Monitoring Costs
• Call Center Support
• Identity Theft Services
• Public Relations

Other
• 3rd Party Vendors (Epsilon)
• Cloud Storage
• Lawsuits arising from Identity Theft, including class action
WHAT DOES A BREACH COST?
Costs of a Breach [1]:
• $188 average cost per record (includes response costs, defense and damages)
• $5.4M average total cost per breach
• 15% – costs to defend a claim
Response Costs Per Record [2]:
• Notification (in/outbound): 11% – $21
• Forensics/Legal Assistance/Compliance/Public Relations: 15% – $29
• Credit Monitoring and ID Theft Services: 3% – $6
1) Source: 2012 Annual Study: Cost of a Data Breach – by The Ponemon Institute, LLC; Sponsored by Symantec.
BREACH EXAMPLES
Examples
The report cards of 101 high school students were accidentally sent to the person listed as their emergency contact, in many cases not the students’ parent. A vendor made an unauthorized change to the computer program that generates report cards. Student ID numbers, schedules, and grades were exposed.
Two laptops were stolen from the car of an Illinois State Board of Education (ISBE) subcontractor that is used for special education reimbursement purposes. The laptops contained the personal information of over 10,000 students and staff. Employees were using the laptops for training in data entry. The information included student and staff SSN, student names, DOB and other educational information, staff names, demographics and teacher certification numbers.
Because of an incorrect security setting, a high school student was able to access a temporary file on a server that contained the names, addresses and Social Security numbers of students at 22 schools – 11,000 students. The breach was discovered when the student tried to print some of the information in the school library. The information included names, addresses and SSN, parent names, phone numbers, class schedules, birth dates and student ID numbers.
A human resources employee uploaded sensitive employee information onto a flash drive. Somehow the information was uploaded onto a website when the employee used the flash drive to perform volunteer work at her church. An employee who Googled their own name discovered that they could also see their Social Security number and other sensitive information. The information was available for six months. The district decided to ban flash drives as a result of the incident.
BREACH EXAMPLES
Examples
An employee accidentally sent an email with the names, SSN and other personal information of 110 employees to 3,300 employees. Administrators began limiting access to the document and the entire email system after the mistake was discovered half an hour later. The email contained personnel changes, but was supposed to be emailed without the personal information of those employees who were moving within the organization.
Personal information of more than 2,000 public school employees is at risk because the hard drives of eight computers were not removed before the units were sold as surplus. The drives contained the names, school locations and SSN of the division's employees.
Hundreds of documents with student Social Security numbers, pictures, phone numbers and ages were left near a dumpster.
Around 6,500 ACT Explore test results for 8th graders were mailed to incorrect addresses. The breach was discovered when parents began calling the district. The exact cause of the mailing error is unknown.
FINANCIAL OPTIONS FOR DEALING WITH CYBER RISK
Option 1: Retain the risk
• No insurance or risk management is purchased and the risk is taken on by the entity
Option 2: Transfer the risk
• Purchase one of the various cyber liability insurance programs available
Option 3: Invest in mitigating the risk
• Reduce exposure by purchasing up-to-date firewall, antivirus, and security software in addition to retaining quality IT staff
(It is also strongly recommended that districts review their contracts with 3rd party vendors to determine potential liabilities when data could be lost)
SAMPLE INSURANCE COVERAGES
Security & Privacy Liability
Pays for defense costs and damages arising from:
✓ Unauthorized access to your network and use of data by an outsider (hacker)
✓ Unauthorized access/use by an employee (rogue employee)
✓ Theft or loss of data (electronic or paper)
Privacy Regulatory Action
Pays for:
✓ Investigative costs for a civil demand or proceeding brought by or on behalf of a governmental agency, including requests for information related thereto.
Breach Response
Pays for the expenses and costs incurred within one year of a security breach for:
✓ Investigation/forensics to determine the cause of the security breach.
✓ Hiring a crisis management and/or public relations firm.
✓ Notifying potential victims of the breach as required by state law.
✓ One year of credit monitoring for potential victims.
✓ Identity Theft assistance including identity restoration.
POLICY STRUCTURE & LIMITS – SAMPLE
Coverage                                     Limit
Policy Aggregate                             $2,000,000
Occurrence Limit                             $1,000,000
Security & Privacy Liability – per claim     $1,000,000
Privacy Regulatory Action – sublimit         $100,000
Event Management – sublimit                  $25,000
Privacy Notification                         $1,000,000
Retention – each event                       $10,000 - $25,000
QUESTIONS???
Contact Information:
Tyler LaMantia
Area Vice President – Public Sector
Arthur J. Gallagher Risk Management Services
Phone: 630-285-4344
E-Mail: Tyler_LaMantia@ajg.com