Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ransomware and Data breaches in public libraries

Published byLeon Snow Modified over 5 years ago

Similar presentations

Presentation on theme: "Ransomware and Data breaches in public libraries"— Presentation transcript:

1 Ransomware and Data breaches in public libraries

2 What is Ransomware A specific type of malware that targets a computer or network with the intent of holding it hostage for payment. The infection can be caused by an intentional (such as a hacker) or an accidental (clicking on a phishing ) source The once the malware is in the system it encrypts the data until the release code is entered. Some strains of ransomware also send key types of data back to the hacker. First ransomware attack occurred in 1989 (Aids Cyborg)

3 What is a Data Breach A data breach is the unintentional or malicious release of sensitive information Depending on the information (and the industry) this can have financial or legal repercussions. Data breaches can be caused by electronic or paper means in the state of Wisconsin

4 Results in a Nutshell part 1
Library Data Breaches are not reported in a central location Ransomware is considered “big news” and tends to get more press in technical journals Library records had not been assigned a quantitative value for risk assessment purposes

5 Results in a nutshell part 2
Based on the publicized ransomware attacks, the financial loss for libraries from a data breach could catastrophic St Louis Public Library: (859,000 * ) = 145,907,290.00 Spartanburg: (269,291 * $167.50) = $45,106,242.50 Brownsburg: (40,256 * $225.00) = $9,057,600 Some libraries (.14%) have documentable information security policies Wealthy libraries and systems have invested in cyber insurance but a levels that would not cover a full breach.

6 What are Library Records worth?
Value does not refer to Dark web market value (average total records packe value $30) Value refers to total cost of recovering from a data breach per record This cost includes: Legal fees Network repair Notification of affected parties Penalties Loss of income due to loss of customers/clients/patrons

7 Library records values part 2
Because of reciprocal borrowing, this value differs from state to state The more liberal the reciprocal borrowing polices the higher the records value No reciprocal borrowing $ (public service level Ponemon institute) Partial reciprocal borrowing $167.50 Full reciprocal borrowing $ (average value of a data record in the United States. This is due to churn or potential patron turnover Wisconsin's’ records are valued at $225.00 To put that number in perspective had L.E. Phelps Memorial Library had a true data breach the estimated cost would have been $19,061,775

8 So what does that mean for us?

9 Information Security is essential to your library

10 Policy Procedure Training Response

11 Setting up an Information Security Policy is essential
What should the policy contain? What are we protecting? What are the objectives (aka how secure are we going to be?) Who does what and who has ACCESS to what. Reference legislation (aka what statutes we need to follow based on our industry Source: Infosec Institute: Key Elements of an Information Security Policy;

12 What can a policy contain
Security Policy part 2 What can a policy contain Data Movement criteria (What mediums are allowed or disallowed) Backup Criteria (frequency, storage criteria, access to backups etc) Network security strategies (antivirus, firewalls, etc.) Source: Infosec Institute: Key Elements of an Information Security Policy;

13 What legislation effects us?
Wisconsin Statute (Data breach Statute) Graham-Leach-Bliley Act Red Flags Law

14 Service Level Agreement (SLA)
Used to define who is responsible for what in an IT service contract Is your provider going to do your backups? What documentation will they provide? Will they do your patching (aka system updates) what documentation will be provided In the event of a data breach/malware incident what will be their role?

15 Procedure Policy is what you will do Procedure is how you will do it.
Procedures that would bolster library security Authentication aka password procedure Access Rights (including physical) Onboarding/offboarding procedures

16 Training – “knowing is half the battle”
Policy training – make sure the information security policy is reviewed on a regular basis Procedure training aka “if someone asks us….” Incident response training aka “if this happens what do I do”

17 Training tools https://securityiq.infosecinstitute.com/

18 Incident response – aka what to do when the worst happens
Isolate the threat Who needs to be contacted? Who cleans up the infections? Examples and more resources After you have your IRP in place make sure you practice – just like a Fire Drill

19 Remember, You can do everything right and you will still be compromised

20 That being said you can still protect your self and your patrons
Less is more – think long and hard about the data you keep in your online system At the Library System Level consider a coding system for birthdays/ages Make sure you have a paper records disposal policy Know what happens to your photocopier – they are actually a form of computer at this point.

21 Questions?

Download ppt "Ransomware and Data breaches in public libraries"

Similar presentations

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.

Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.
K eep I t C onfidential Prepared by: Security Architecture Collaboration Team.

K eep I t C onfidential Prepared by: Security Architecture Collaboration Team.
© 2014 wheresjenny.com Cyber crime CYBER CRIME. © 2014 wheresjenny.com Cyber crime Vocabulary Defacement : An attack on a website that changes the visual.

© 2014 wheresjenny.com Cyber crime CYBER CRIME. © 2014 wheresjenny.com Cyber crime Vocabulary Defacement : An attack on a website that changes the visual.
Possible Threats To Data. Objectives To understand: Types of threats Importance of security Preventative and remedial actions Personal safety This will.

Possible Threats To Data. Objectives To understand: Types of threats Importance of security Preventative and remedial actions Personal safety This will.
GLOBRIN Business Continuity Workshop TECHNOLOGY & INFORMATION 13 th November 2013 Graham Jack.

GLOBRIN Business Continuity Workshop TECHNOLOGY & INFORMATION 13 th November 2013 Graham Jack.
2 3 4 5 6 www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Information Security Steven Hall 21 st Jan 2009. Today’s Presentation Why do this now? What is information? The effects of lost information Newcastle.

Information Security Steven Hall 21 st Jan Today’s Presentation Why do this now? What is information? The effects of lost information Newcastle.
Chapter 16 Security. 2 Chapter 16 - Objectives u The scope of database security. u Why database security is a serious concern for an organization. u The.

Chapter 16 Security. 2 Chapter 16 - Objectives u The scope of database security. u Why database security is a serious concern for an organization. u The.
Information & Communication Technologies 08 2014 NMSU All About Discovery! Risk-Based Information Security Program at NMSU presented by Norma Grijalva.

Information & Communication Technologies NMSU All About Discovery! Risk-Based Information Security Program at NMSU presented by Norma Grijalva.
Why Comply with PCI Security Standards?

Why Comply with PCI Security Standards?
Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard
Company LOGO Copyright Carrie Kerskie Data Breach & Identity Theft By Carrie Kerskie Kerskie Group, Inc.

Company LOGO Copyright Carrie Kerskie Data Breach & Identity Theft By Carrie Kerskie Kerskie Group, Inc.
Information Security 2013 Roadshow. Roadshow Outline  Why We Care About Information Security  Safe Computing Recognize a Secure Web Site (HTTPS) How.

Information Security 2013 Roadshow. Roadshow Outline  Why We Care About Information Security  Safe Computing Recognize a Secure Web Site (HTTPS) How.
Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014.

Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014.
UNDERSTANDING THE RISKS & CHALLENGES OF Cyber Security DAVID NIMMO InDepth IT Solutions DAVID HIGGINS WatchGuard NEIL PARKER BridgePoint Group A BridgePoint.

UNDERSTANDING THE RISKS & CHALLENGES OF Cyber Security DAVID NIMMO InDepth IT Solutions DAVID HIGGINS WatchGuard NEIL PARKER BridgePoint Group A BridgePoint.
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
Insurance Institute for Business & Home Safety Even if the worst happens, be prepared to stay.

Insurance Institute for Business & Home Safety Even if the worst happens, be prepared to stay.
 INADEQUATE SECURITY POLICIES ›Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA.

 INADEQUATE SECURITY POLICIES ›Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA.
Data Security: Steps to Improved Information Security September 22, 2015 Presented by: Alex Henderson General Counsel and Chief Administrative Officer.

Data Security: Steps to Improved Information Security September 22, 2015 Presented by: Alex Henderson General Counsel and Chief Administrative Officer.

Similar presentations

Ads by Google