Critical issues in school board cyber security
Presented by Dan Michaluk, May 12, 2022
Agenda (slide 2)
o The current threat environment
o Measuring up your defences
o Getting ready to respond
o Reporting, notifying and sharing
o Managing supply chain risks
The current threat environment
Types of incidents and attacks (The current threat environment, slide 4)
o High impact, moderate probability
  • Ransomware (encryption + data theft)
  • Business e-mail compromise
o Moderate impact, moderate probability
  • Misconfiguration incidents
  • E-mail failures
The public sector is a target (The current threat environment, slide 5)
o The public sector has been a significant target
o Questions
  • Are we low hanging fruit?
  • Do we attract less “professional” criminals who are harder to manage?
  • Can we count on promises not to target the public sector?
The cost of a ransomware attack (The current threat environment, slide 6)
o IBM/Ponemon put the average cost of an attack in 2021 at $4.62 million USD
o Costs are being driven by data exfiltration of loose files, which often requires e-discovery and heavy individualized
  • More files stolen = more cost
  • More variation in files = more cost
  • Less organization in files = more cost
o Ransom demands are also rising

Incident Response Budget (Major)
  Advisors
    Remediation and forensics expert   $   150,000.00
    Threat actor expert                $    10,000.00
    Legal counsel                      $    75,000.00
  Remediation costs
    Payment                            $   400,000.00
    Misc                               $    10,000.00
  Notification costs
    E-discovery                        $   400,000.00
    Credit monitoring                  $    50,000.00
    Notification costs                 $    30,000.00
  TOTAL                                $ 1,125,000.00
Measuring up your defences
Attack vectors (Measuring up your defences, slide 9)
o RDP compromise and e-mail phishing have been the top attack vectors
o Microsoft Exchange and other critical software vulnerabilities played an increasingly prominent role in 2021
Marsh’s 12 key controls (Measuring up your defences, slide 10)
o Low hanging fruit
  • Multi-factor authentication, secure remote access via VPN
o Are you investing enough?
  • Security awareness – phishing simulations?
  • Patch and vulnerability management
  • Incident response readiness
  • Legacy technologies
o The wish list
  • Endpoint detection, security operations centre support
Data governance (Measuring up your defences, slide 11)
o The ideal
  • Records scheduled
  • Information classified
  • Protections applied
o The reality
  • No classification and no control over sensitive files, including spreadsheets
  • Copies of loose files in e-mail accounts and across the network, all unencrypted
  • Pay dirt for ransomware actors
o What to do
  • Create a rule about copies of sensitive documents
  • Scan the network periodically to check on compliance
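The “what to do” bullets pair a rule about copies of sensitive documents with a periodic scan that checks compliance with it. As an added illustration, not part of Dan Michaluk’s deck, the Python script below implements one form of that scan: it walks a file share, groups byte-identical documents by content hash so that stray copies become visible, flags files whose contents match constructed personal-information patterns (a SIN-style nine-digit number and an e-mail address), and reports every sensitive document that has a copy outside the single approved location. The directory layout, the `hr-secure` approved folder, the regular expressions and the sample files are all assumptions made for this demo; office formats such as xlsx or docx would need a text extractor, which the example leaves out.

```python
"""Added example: periodic scan for stray copies of sensitive documents.

Rule being checked (an assumption for this demo): documents containing personal
information may live only under one approved directory; any byte-identical or
independently created copy elsewhere on the share is a compliance finding.
"""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Only plain-text formats are content-checked here; office formats would need a
# text extractor, which this illustration leaves out (assumption).
TEXT_EXTENSIONS = {".csv", ".txt"}

# Constructed detectors for the demo: a SIN-style 3-3-3 digit number and an
# e-mail address. A board would tune these to its own record types.
SENSITIVE_PATTERNS = {
    "sin": re.compile(r"\b\d{3}[- ]\d{3}[- ]\d{3}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


def sha256_of(path):
    """Content hash, so byte-identical copies group together whatever their names."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path):
    """Return the names of the sensitive patterns found in a text file."""
    with open(path, "r", encoding="utf-8", errors="ignore") as f:
        text = f.read()
    return {name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(text)}


def scan_tree(root):
    """Group every text document under root by content hash; classify each group once."""
    groups = defaultdict(lambda: {"paths": [], "hits": set()})
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if os.path.splitext(fn)[1].lower() not in TEXT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, fn)
            entry = groups[sha256_of(path)]
            if not entry["paths"]:          # first sighting of this content
                entry["hits"] = classify(path)
            entry["paths"].append(path)
    return groups


def compliance_report(root, approved_dir):
    """Apply the rule: one finding per sensitive document with a copy outside approved_dir."""
    approved = os.path.join(os.path.abspath(approved_dir), "")   # trailing separator
    findings = []
    for digest, entry in scan_tree(root).items():
        if not entry["hits"]:
            continue
        stray = sorted(p for p in entry["paths"]
                       if not os.path.abspath(p).startswith(approved))
        if stray:
            findings.append({
                "sha256": digest[:12],
                "hits": sorted(entry["hits"]),
                "copies": len(entry["paths"]),
                "stray_copies": stray,
            })
    return sorted(findings, key=lambda f: f["stray_copies"][0])


def build_sample_tree():
    """Constructed sample share for the demo; returns (root, approved_dir)."""
    root = tempfile.mkdtemp(prefix="board-scan-")
    approved = os.path.join(root, "hr-secure")
    payroll = "name,sin,email\nA. Teacher,123-456-789,ateacher@example.org\n"
    files = {
        os.path.join(approved, "payroll.csv"): payroll,                                # master copy
        os.path.join(root, "shared", "old-backups", "payroll (copy).csv"): payroll,   # stray duplicate
        os.path.join(root, "shared", "contacts.csv"): "name,email\nParent,parent@example.org\n",
        os.path.join(root, "home", "teacher", "lesson-notes.txt"): "Unit 3: fractions.\n",
    }
    for path, body in files.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(body)
    return root, approved


if __name__ == "__main__":
    root, approved = build_sample_tree()
    for finding in compliance_report(root, approved):
        print(f"{finding['sha256']}  {','.join(finding['hits']):10s}  "
              f"{finding['copies']} copies; stray: {finding['stray_copies']}")
```

Run against the constructed share, the scan reports two findings: the contacts list sitting in a shared folder, and the payroll export that exists as a byte-identical copy under `shared/old-backups`. The lesson notes contain no flagged pattern and are not reported. Hashing before classifying keeps repeated scans cheap on large shares, and grouping by content is what turns “we have copies everywhere” from a suspicion into a list that can be cleaned up.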
Getting ready to respond
Incident response practice (slide 13)
Contain: starts with the disconnection of services.
Remediate: bring the services back safely; often relies upon special software.
Investigate: starts at time zero and continues in iterations; includes speaking with the threat actor; a formal forensic investigation is usually required.
Mitigate: under legal counsel guidance, address the impact of the incident; may include reporting, notification and information sharing.
Close: look at the cause and commit to improvements.
Do you have a plan? (Incident response practice, slide 14)
o You must have one that
  • Defines what “incidents” you will respond to
  • Sets out the basic response tasks
  • Assigns responsibilities for response
  • Commits to lessons learned updating
o You must also practice or test – it is a clear part of the standard of care (actual incident, tabletop or operational exercise every 15 months)
Does your team understand it? (Incident response practice, slide 15)
o Plans are of little to no use unless they are used as a preparation tool
o Many are created without team engagement
o They are not aligned with the reality of incident response
o They are not understood by law
o To be prepared, conduct a “facilitated review” of your plan with team members
o What does the plan mean? How will we actually do this? Then adjust.
o Once you do this, then you’ll be ready for a tabletop exercise
Do you know the answers? (Incident response practice, slide 16)
o Who’s on the team? Always? Sometimes?
o When do we tell the Board?
o What services are our priority?
o Do we host information for any other organizations? What do the MOAs say?
o How will we communicate with each other if e-mail is down?
o Who are our external stakeholders? When do we tell them?
o Do we share threat information with other Boards? What? When?
o What external experts will we use? Are they okay with our insurer? How do we reach them?
Reporting, notifying and sharing
Reporting (Reporting, notifying and sharing, slide 18)
o Police – voluntary
  • Typically done early, to help with the management of stakeholders when the incident is apparent to the public
  • Local police have jurisdiction, but can report through OPP
o IPC – voluntary or mandatory
  • Only PHIPA has mandatory reporting
  • The IPC’s mandate and jurisdiction are to deal with misuse and theft of personal information, not cyber incidents without such an impact
Notifying (Reporting, notifying and sharing, slide 19)
o Mandatory under PHIPA, voluntary under FIPPA, and also a matter of mitigating the risk of civil liability
o Purpose is to alert individuals to a risk so they can take steps to protect themselves
o In general, notify based on a risk assessment and not automatically
o The same goes for extending credit monitoring offers – do so based on a risk assessment and not automatically
o Mass notification may be an option to deal with large populations
Sharing (Reporting, notifying and sharing, slide 20)
o Voluntary, but there are many reasons to share threat information with others in the public sector
  • Indicators of compromise (IOCs)
  • Tactics, techniques and procedures (TTPs)
o Threat information has a limited shelf life, so it must be shared early, and before the public knows much about an incident
o There is therefore a need to share in confidence with a trusted network or through a trusted intermediary
Managing supply chain risks
The context (Managing supply chain risks, slide 22)
o More and more of public sector IT infrastructure is being outsourced to third parties
o Legal accountability for storing personal information remains with the institution
o There is a duty of due diligence that needs to be met
  • Go or no-go decision
  • The identity of the vendor
  • The vendor’s controls
  • The contract
  • Administering the relationship
Contract terms to aim for (Managing supply chain risks, slide 23)
o Compliance with privacy legislation
o Ownership of data
o Use and disclosure limitation
o Notice of legal demands
o Notice of access requests
o Reasonable security controls
o Security audit right
o Notice of security incident
o No limitation of liability
o Express indemnification for breach of promises (not just wilful misconduct and gross negligence)
o Cyber insurance minimum
o Secure disposition
o Governed by local law
When your vendor has an incident (Managing supply chain risks, slide 24)
o Seek clarity on who is accountable (or should be treated as accountable) to the affected individuals
o Seek an appropriate level of control over outreach to affected individuals
o Even if you remain at arm’s length, demand an appropriate level of “visibility”
o But don’t interfere with the vendor’s investigation process – do you really need daily meetings?
Questions?
For more information, contact:
Dan Michaluk, Partner
416.367.6097
dmichaluk@blg.com

The information contained herein is of a general nature and is not intended to constitute legal advice, a complete statement of the law, or an opinion on any subject. No one should act upon it or refrain from acting without a thorough examination of the law after the facts of a specific situation are considered. You are urged to consult your legal adviser in cases of specific questions or concerns. BLG does not warrant or guarantee the accuracy, currency or completeness of this presentation. No part of this presentation may be reproduced without prior written permission of Borden Ladner Gervais LLP.
© 2022 Borden Ladner Gervais LLP. Borden Ladner Gervais is an Ontario Limited Liability Partnership.
Thank You


Editor's Notes

  1. Talk lots about this But we need to keep talking No shortage of complexity change or learning I’ll come back to that That’s my key takeaway though Get IT together with executive teams Talk often, talk regularly
  2. And today’s maybe a start to that There’s lots to talk about Here’s a sampling of the key issue We’ll do a survey of them here … Been lean Should have time for questions
  3. -here’s most pre an ent types of incidents you should be concerned about -risk matrix embedded here -impact x, probability y -