Understanding common cybersecurity and data privacy events

Understanding common cybersecurity and data privacy events

 

Understanding common cybersecurity and data privacy events

By Marsh McLennan

Marsh McLennan is an endorsed provider of the MSBA Insurance Trust.

Over the last several years, we have discovered that one of the many challenges that some school districts have with respect to embracing cybersecurity risk management and insurance recommendations is understanding key preventative controls and disaster response planning, as well as what might be considered a “cybersecurity” or “data privacy” breach or incident event. And, who can blame them? Many issues and complications have arisen with these types of threat exposures over the past five to 10 years.

Although cyber and data privacy events arguably may no longer be considered new in today’s world, it seems well understood that the frequency of cyber criminals who often perpetrate such events continue to further invest, develop, and evolve their attacks and threat exposures. As such, every school district is likely subject to being impacted, irrespective of their preventive planning and process.

This often leads to a frustrating, battle-oriented dynamic: because there are sometimes at least a few (perhaps inescapable) vulnerabilities in nearly every school district’s cybersecurity and data privacy systems (i.e., “nothing’s perfect”), there’s sometimes a tail-chasing activity that follows – i.e., the more attacks and threat exposures that arise, the more proactive and defensive strategies and tactics need to be developed and deployed to address them! This dynamic (and the ongoing resources and costs associated with it) might even tempt some school districts to give up or give in!

Notwithstanding the challenges, we urge school districts not to give up or give in! With potentially millions of dollars at risk (think: attorneys’ fees, forensic review and correction expenses, system patches and upgrades costs, breach notification and monitoring charges, ransomware and indemnity payments, etc.) in addition to public relations issues associated with EACH cybersecurity or data privacy event, we strongly encourage school districts to avoid being complacent about or dismissive of these threat exposures. One way to help do that is to better understand the nature and scope of the continuously evolving key controls tied together with the more common threat exposures so that your school district can potentially better plan and process related prevention and response activities.

With an overall goal of continuing to develop your school district’s practical and effective risk management and insurance decision-making, we encourage you to consider the following (not all inclusive) set of threat exposures and attack vectors often related to or associated with cybersecurity or data privacy events:

  • Ransomware (Extortion)

A ransomware attack typically involves software (malware) being introduced into a computer/computer system that is designed to encrypt computer files and which often leads to those files (and the systems that rely on them) unusable. In order to release (or remove the impairment to access) those encrypted files, the malicious actors will often demand ransom (sometimes in alternative or cryptocurrencies) in exchange for decryption or a decryption key/code. Potential issues extend well beyond ransom payment as cyber criminals typically leverage valuable stolen information such as social security numbers, sensitive student information, health information, etc. That is why it is critical to not only have proactive controls in place on the front-end to help prevent attacks, but also dedicated insurance protection and specific response plans on the back end in coordination with your risk-management consultant.

See https://www.cisa.gov/stopransomware.

  • “Breaches” and “Hacks” … “Brute Force” Intrusions

A breach, hack, or intrusion/exploitation of an electronic device, computer, computer system, or basic web application attack (including firewalls and antivirus software) may occur from external or internal malicious actors typically seeking “personally identifiable information” or “protected health information” for financial sale. To access such information, these malicious actors often use mathematical models to generate passwords to access a device or system, downloadable attack scripts and tools from the internet, or credential information (passwords) taken from internal sources.

See https://www.cisa.gov/news-events/alerts/2018/03/27/brute-force-attacks-conducted-cyber-actors.

  • Accidental Disclosure of Confidential Information by Error

An accidental disclosure of confidential information (often “personally identifiable information” or “protected health information”) can sometimes occur due to human error or inadvertent release (including through the theft or loss of an electronic device). This may also include actions such as sending or receiving information to or from an unauthorized person, sharing information about the wrong person between two parties who are otherwise authorized to receive/transmit confidential information, or distributing information in an aggregated way such that what was intended to be individually de-identified actually enabled identification.

See https://studentprivacy.ed.gov/content/disclosure.

  • Phishing/Spear-Phishing/Whaling/Social Engineering

These types of attacks typically use email or malicious websites to infect computer machine or devices with malware and viruses to collect personal and financial information, and may often be highly targeted to certain individuals in an organization (including executives). Moreover, often cybercriminals may lure targets to click on a link or open an attachment – which then infects their computers and creates vulnerability to the attacks – or directs them to approve financial releases/transactions.

See https://www.cisa.gov/sites/default/files/publications/NCSAM_Phishing_2020.pdf; https://www.dni.gov/files/NCSC/documents/campaign/Counterintelligence_Tips_Spearphishing.pdf; and https://www.crowdstrike.com/cybersecurity-101/phishing/spear-phishing.)

  • Denial-Of-Service

Denial-of-service (DoS) attacks typically involve targeting specific applications or websites with malicious software or access attempts designed to exhaust the target system’s resources, which often results in the target being unreachable or inaccessible and denying legitimate users access to the service.

See https://www.cisa.gov/sites/default/files/publications/understanding-and-responding-to-ddos-attacks_508c.pdf.

  • Video Conferencing Disruptions

Video conferencing disruptions include exploiting communication tools to take users offline by overloading services; eavesdropping on meetings or conference calls; hijacking video-teleconferences by inserting pornographic images, hate images, or threatening language; compromising applications (used in some distance learning solutions to enable screen sharing for collaboration and presentations) to infiltrate other shared applications; and attempting to penetrate sensitive meetings by using social engineering to deceive individuals into divulging information (e.g., meeting links) or by inferring meeting links from other links that use a common structure.

See https://www.cisa.gov/sites/default/files/publications/CISA_Cybersecurity_Recommendations_for_K-12_Schools_Using_Video_Conferencing_S508C_5.pdf.

Cybersecurity and data privacy events present significant challenges and threat exposures to your school district. However, managing those challenges and threats can be done. To help you get started or continue to advance your cybersecurity and data privacy event awareness and resiliency, visit our website at https://www.marshmclennan.com/solutions/cyber-resilience.html for more information; or contact one of our school risk consultants (Patrick Truax or Casey Holland).

This article is not intended to be taken as advice regarding any individual situation and should not be relied upon as such.  Marsh & McLennan Agency LLC shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Copyright © 2024 Marsh & McLennan Insurance Agency LLC.  All rights reserved.

Share this post

Start typing and press Enter to search

Shopping Cart