
Cybersecurity

Cybersecurity. Tony Rey, Senior Vice President Marsh Cindy Smail, Loss Control Consultant Marsh Risk Consulting. Cybersecurity as Defined by Merriam - Webster. cybersecurity Noun I cy-ber-se-cu-ri-ty.


Presentation Transcript


  1. Cybersecurity. Tony Rey, Senior Vice President, Marsh; Cindy Smail, Loss Control Consultant, Marsh Risk Consulting

  2. Cybersecurity as Defined by Merriam-Webster. cybersecurity (noun), cy-ber-se-cu-ri-ty: measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack

  3. Cyber Is An Evolving Risk. MANY ACTORS, MANY ATTACKS
  • Ransomware: WANNACRY and PETYA (2017) targeted the “Eternal Blue” vulnerability in a legacy Microsoft protocol. Self-propagating capability spread ransomware worldwide.
  • Nation State Attacks: In 2014, North Korean targeting of a media company with “wiper malware” disabled networks for more than a week and triggered 7 class action data breach lawsuits.
  • Dependent Business Interruption: DYN DDoS (2016). Attackers used the Mirai botnet to target a DNS provider with the largest DDoS attack recorded at the time, degrading cloud services and websites worldwide.
  • Data Breach: For a decade, hackers have persistently and successfully targeted consumer data. Examples include Target, Home Depot, Facebook, JP Morgan Chase, Anthem.
  • System Outages: Cyber attacks and system failures repeatedly create havoc for airline systems, affecting major carriers such as Delta, United, Southwest and British Airways.
  • Industrial Control Attacks: CrashOverride (2016). Second known malware designed to disrupt physical systems. Highly adaptable to target specific industrial control systems.
  • Insider Attacks: GEORGIA PACIFIC INSIDER (2014). A terminated systems administrator remotely hacked into his ex-employer’s industrial control system and caused significant damage.

  4. So Many Areas to Protect Source: Beazley Higher Data Risk White Paper, June 16, 2017

  5. Classifying Data

  6. Cyber Risk for Higher Education. BREACHES BY THE NUMBERS. Source: Verizon 2017 Data Breach Investigations Report

  7. Cyber Risk for Higher Education. BREACHES BY THE NUMBERS. Source: Beazley Breach Insights January 2017

  8. Causes of Higher Education Data Breaches. In 2015, there were multiple data breach cases at colleges and universities. Source: Beazley Higher Data Risk White Paper, June 16, 2017

  9. Social Engineering In Higher Ed
  • Public university
  • Transparent: vendors and contracts
  • Accessible: contract information and project information available online
  • Week of holiday break, campus staff at skeleton level
  • Mid-week, before 9:00 AM
  • Two current university contractors with the same crime and impersonator
  • Two incidents
  • Banking forms were processed and approved
  • University called BY THE VENDOR to verify changes were received

  10. Cyber Risk for Higher Education. THREAT HORIZON & INDUSTRY OUTLOOK
  Higher education institutions continue to face significant cyber threats due to the valuable information stored on their networks and the ability of threat actors to use network infrastructure to launch operations against other targets. University networks can be difficult for administrators to secure effectively because of their size and number of users, as well as the need for internal and external users to access and share information.
  Factors that May Increase Threat Activity
  • Research programs: Especially programs with potentially high economic payoff or that support sensitive government research contracts. Advanced persistent threat (APT) groups often search for intelligence to benefit their sponsoring government or associated state-owned companies.
  • Prominent faculty: Association with high-profile or influential academics or dissidents may result in greater threat activity from APT groups. Groups often seek to gather information that would allow their sponsoring government to monitor that individual’s activity and gain insight into policy discussions.
  • Symbolic targets: Targets that are perceived to be highly visible or symbolic may draw threat activity from hacktivists or APT groups seeking to disrupt website or network operations for political purposes. Involvement in controversy may lead to threat activity from hacktivists seeking to protest and embarrass the victim organization by disrupting website access, defacing webpages, or stealing and exposing the organization’s sensitive information.

  11. Cyber Risk for Higher Education. RISK CONSIDERATIONS
  Before determining the best strategy for mitigating cyber risk, you must understand both broad and education industry-specific cyber exposures. There is often a lack of consistency in how cyber risk is viewed and how it is quantified and transacted.
  Questions to Ask
  • How are you assessing, managing and responding to cyber risks?
  • What aspects of cyber risk are you most concerned about?
  • How do you assess, and lower, the potential for a data breach at your institution?
  • What changes have you made recently in how you manage and protect sensitive data?
  • How often do you assess/quantify each of your institution’s cyber risks?
  • How would you manage a breach across your different service providers?
  • What responsibility do you have if an affiliated service provider has a breach?
  • What are you obligated to do for students, faculty or prospective applicants following a breach?
  • How can you regain trust following a breach?

  12. Controls
  • Personal information review
  • Policy and program development
  • Limit user and administrator privileges
  • Training
  • Vendor management
  • IRT and IRP practice

  13. M.U.S.I.C. Cyber Coverage Insurance

  14. Cyber Risk for Higher Education. KEY Privacy & Security Takeaways
  • Family Educational Rights and Privacy Act (FERPA): Complying with the law is a key concern for higher education institutions. This includes notifying students of FERPA rights, training faculty and staff on the appropriate uses of student records, and providing students with online/offline tools to consent to or opt out of the sharing of records and directory information.
  • Health Insurance Portability and Accountability Act (HIPAA): Addressing compliance issues around HIPAA is a top priority. These include developing policies and procedures and related training for the handling of patient information and research subjects.
  • Strategies for handling Social Security numbers: Developing strategies for reducing reputational, operational, and other risks related to the continued collection and use of Social Security numbers is imperative.
  • Educating students on risks: This includes how to use credit responsibly and minimize the risk of identity theft. It also covers the safety and professional risks associated with certain online activities such as posting to blogs and social networking sites like Facebook and Twitter. It is also critical for higher education institutions to create policies and procedures on how and when they can monitor and/or access the documents, e-mail, and voicemail messages of faculty, staff, and students.

  15. Cyber Risk for Higher Education. KEY Privacy & Security Takeaways
  • Working with IT departments to create privacy: Building privacy into new IT applications and databases is crucial. It is also important to collaborate with other operational units such as information security, procurement, and legal counsel in establishing vendor management programs and appropriate language for contracts involving personally identifiable information (PII) and confidential data.
  • Payment Card Industry Data Security Standard (PCI DSS): Any institution that accepts credit cards must ensure that it complies with the PCI DSS (now in version 3.1) to protect sensitive cardholder data and avoid significant monetary penalties for noncompliance.
  • Protecting Alumni and Donor Data: Although protecting the PII of staff, faculty, students, and their parents is an issue, higher education institutions also need to protect the information of their alumni and donors. It is important to develop procedures for the appropriate use of alumni and donor data, including the process for selecting and administering partnerships with outside organizations offering services to alumni.
  • Notifying others of privacy initiatives: Successful privacy initiatives often include processes and tools to inform others that the initiative exists and where they can go with questions. One way to accomplish this is by posting privacy policies on all institutionally controlled websites.

  16. ?

  17. This document and any recommendations, analysis, or advice provided by Marsh (collectively, the “Marsh Analysis”) are intended solely for the entity identified as the recipient herein (“you”). This document contains proprietary, confidential information of Marsh and may not be shared with any third party, including other insurance producers, without Marsh’s prior written consent. Any statements concerning actuarial, tax, accounting, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own professional advisors. Any modeling, analytics, or projections are subject to inherent uncertainty, and the Marsh Analysis could be materially affected if any underlying assumptions, conditions, information, or factors are inaccurate or incomplete or should change. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Except as may be set forth in an agreement between you and Marsh, Marsh shall have no obligation to update the Marsh Analysis and shall have no liability to you or any other party with regard to the Marsh Analysis or to any services provided by a third party to you or Marsh. Marsh makes no representation or warranty concerning the application of policy wordings or the financial condition or solvency of insurers or reinsurers. Marsh makes no assurances regarding the availability, cost, or terms of insurance coverage.
