Taming the Social Media Beast
63rd Illinois ASBO Conference, 04/30/2014
© 2014 RETA Security, Inc.

Presenter Background
• President, RETA Security, Inc.
• Physical Security Professional (PSP)
• SCAT Member (NOVA)
• Illinois Terrorism Task Force (ITTF)
• Assessments, Emergency Planning, Keynotes/Training, Expert Witness
• email@example.com
  facebook.com/safeschools1
  twitter.com/schoolsecurity
  linkedin.com/in/paultimmpsp
  www.retasecurity.com
  (630) 932-9322

Facebook Security
• "https": (settings) – account settings – security – secure browsing
• (settings) – privacy settings – who can see my stuff
• "Create a Page"

Social Media – Awareness
• Twitter Uses
• School "Handle" – i.e. @schoolsecurity
• Activity "Hashtag"
• Twitter Tips – computerhope.com/tips/tip149.htm

Involving Students
• YouTube
• Mass Notification
• Security Committee
• School Safety
  – Marketing
  – Training
  – Technology
  – Incentives

Security Resources
• ncpc.org/topics/
• eric.ed.gov/?id=ED536527
• computerhope.com/tips/tip149.htm
• lexisnexis.com/government/investigations/
• eschoolnews.com/2011/10/21/ten-ways-schools-are-using-social-media-effectively/

WHAT IS CYBER RISK? NETWORK SECURITY & PRIVACY
The CONVERGENCE of TECHNOLOGY with INFORMATION
• Information & Data is Valuable: Advancements in technology have enabled organizations to capitalize on the value of information and data.
• Ease of Business: Technology has made storing and removing data easy and convenient (laptops, back-up drives, thumb drives, recordable CDs, PDAs).
• The most vigilant network security and privacy policies are vulnerable to hackers, rogue employees, independent contractors, and human error!
© 2012 ARTHUR J. GALLAGHER & CO.

PERSPECTIVES – IT/EMPLOYEE

IT Departments
Challenge = Balancing demands of safeguarding the network/data while adapting to ever-changing technologies and business needs
• Servers are porous and need constant care
• Patches to software
• Lack of tested back-up processes
• More data often collected than needed
• Data often stored for too long
• Tools that help hackers are readily available and shared on the Internet at no cost to malicious attackers
• Limited resources ($$/budgets)
• Rogue employees, social engineering, hacker sophistication, and human error (Societe Generale)

Employees
Challenge = Balancing work flow needs with safeguarding the confidential information used to perform their job
• Encryption
• Private records disposed of improperly (dumpster)
• Many employees lack computer common sense
• Employees choose easy to decipher passwords
• Clean Desk policy
• Training

SOURCES OF SECURITY AND PRIVACY BREACHES (2012 Results)
• 35% Human Error
• 37% Malicious or Criminal Acts
• 29% System Failure
Source: 2013 Annual Study: Cost of a Data Breach – by The Ponemon Institute, LLC; Sponsored by Symantec

POSSIBLE EXPOSURES
• Human Error – most common
• Hackers
• Rogue Employees
• Independent Contractors & Vendors
• Social Media
• Mobile Devices
• Cloud Computing
• A Changing Regulatory Environment

WHAT DOES A BREACH COST?
IL law requires notification to potentially affected persons whose first & last name and SSN, DL or account / credit / debit card numbers are compromised.

Response Costs
• Forensic Investigations
• Notification Costs
• Credit Monitoring Costs
• Call Center Support
• Identity Theft Services
• Public Relations

Regulatory
• HIPAA, FERPA
• Fines & Penalties
• Government – privacy laws

Other
• 3rd Party Vendors (Epsilon)
• Cloud Storage
• Lawsuits arising from Identity Theft, including class action

WHAT DOES A BREACH COST?
Costs of a Breach (1):
• $188 average cost per record (includes response costs, defense and damages)
• $5.4M average total cost per breach
• 15% – Costs to defend a claim
Response Costs Per Record (2):
• Notification (in/outbound): 11% – $21
• Forensics/Legal Assistance/Compliance/Public Relations: 15% – $29
• Credit Monitoring and ID Theft Services: 3% – $6
1) Source: 2012 Annual Study: Cost of a Data Breach – by The Ponemon Institute, LLC; Sponsored by Symantec.

BREACH EXAMPLES
• The report cards of 101 high school students were accidentally sent to the person listed as their emergency contact, in many cases not the students' parent. A vendor made an unauthorized change to the computer program that generates report cards. Student ID numbers, schedules, and grades were exposed.
• Two laptops were stolen from a car of an Illinois State Board of Education (ISBE) subcontractor who is used for special education reimbursement purposes. The laptops contained the personal information of over 10,000 students and staff. Employees were using the laptops for training in data entry. Information included student and staff SSN, student names, DOB and other educational information, staff names, demographics and teacher certification numbers.
• Because of an incorrect security setting, a high school student was able to access a temporary file on a server that contained the names, addresses and Social Security numbers of students at 22 schools – 11,000 students. The breach was discovered when the student tried to print some of the information in the school library. The information included names, addresses and SSN, parent names, phone numbers, class schedules, birth dates and student ID numbers.
• A human resources employee uploaded sensitive employee information onto a flash drive. Somehow the information was uploaded onto a website when the employee used the flash drive to perform volunteer work at her church. An employee who Googled their own name discovered that they could also see their Social Security number and other sensitive information. The information was available for six months. The district decided to ban flash drives as a result of the incident.

BREACH EXAMPLES
• An employee accidentally sent an email with the names, SSN and other personal information of 110 employees to 3,300 employees. Administrators began limiting access to the document and the entire email system after the mistake was discovered half an hour later. The email contained personnel changes, but was supposed to be emailed without the personal information of those employees who were moving within the organization.
• Personal information of more than 2,000 public school employees is at risk because the hard drives of eight computers were not removed before the units were sold as surplus. The drives contained the names, school locations and SSN of the division's employees.
• Hundreds of documents with student Social Security numbers, pictures, phone numbers and ages were left near a dumpster.
• Around 6,500 ACT Explore test results for 8th graders were mailed to incorrect addresses. The breach was discovered when parents began calling the district. The exact cause of the mailing error is unknown.

FINANCIAL OPTIONS FOR DEALING WITH CYBER RISK
Option 1: Retain the risk
• No insurance or risk management is purchased and the risk is taken on by the entity
Option 2: Transfer the risk
• Purchase one of the various cyber liability insurance programs available
Option 3: Invest in mitigating the risk
• Reduce exposure by purchasing up-to-date firewall, antivirus, and security software in addition to retaining quality IT staff
(It is also strongly recommended that districts review their contracts with 3rd party vendors to determine potential liabilities when data could be lost)

SAMPLE INSURANCE COVERAGES
Security & Privacy Liability – Pays for defense costs and damages arising from:
✓ Unauthorized access to your network and use of data by an outsider (hacker)
✓ Unauthorized access/use by an employee (rogue employee)
✓ Theft or loss of data (electronic or paper)
Privacy Regulatory Action – Pays for:
✓ Investigative costs for a civil demand or proceeding brought by or on behalf of a governmental agency, including requests for information related thereto.
Breach Response – Pays for the expenses and costs incurred within one year of a security breach for:
✓ Investigation/forensics to determine the cause of the security breach.
✓ Hiring a crisis management and/or public relations firm.
✓ Notifying potential victims of the breach as required by state law.
✓ One year of credit monitoring for potential victims.
✓ Identity Theft assistance including identity restoration.

POLICY STRUCTURE & LIMITS – SAMPLE
Coverage                                   Limit
Policy Aggregate Limit                     $2,000,000
Occurrence Limit                           $1,000,000
Security & Privacy Liability – per claim   $1,000,000
Privacy Regulatory Action – sublimit       $100,000
Event Management – sublimit                $25,000
Privacy Notification                       $1,000,000
Retention – each event                     $10,000 - $25,000 Privacy Notification

QUESTIONS???

Contact Information:
Tyler LaMantia
Area Vice President – Public Sector
Arthur J. Gallagher Risk Management Services
Phone: 630-285-4344
E-Mail: Tyler_LaMantia@ajg.com