Protecting Your School’s Data: The Importance of Cyber Insurance
Did you know that one in five educational institutions have been targeted by ransomware or malware attacks, most commonly through the unsuspecting download of malware or through phishing attacks?
“Phishing” is a general term for emails, text messages and websites fabricated and sent by criminals. They are designed to look like they come from well-known and trusted businesses, financial institutions and government agencies in an attempt to collect personal, financial and sensitive information. (Canadian Centre for Cyber Security)
Social engineering refers to the increasingly common techniques used to manipulate people into divulging confidential information or taking actions for fraudulent purposes. Think your school is immune? A BC independent school was targeted by a hacker who accessed the personal information of parents, sent out letters advising of tuition increases, and directed parents to send tuition payments to a new bank account. Insured losses amounted to $80,000. The city of Saskatoon was recently defrauded of over $1 million by someone impersonating the chief financial officer of one of the city’s vendors. Fortunately, most of that money was located in a dozen frozen bank accounts.
Cybercrime is the fastest growing crime in the world, incorporating a wide range of attacks including ransomware, malware and phishing, but also identity theft, hacking, cyber extortion and denial of service attacks. Data is one of a school’s most valuable resources, yet the loss of data is not typically covered by a traditional property insurance policy in the way that the building and equipment are. The requirements of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) can also involve significant expenses related to mandatory reporting, regulatory fines and costs, and legal issues. Additionally, standard business interruption insurance does not typically cover the loss of income and extra expenses resulting from a cybercrime that disrupts operations.
For these reasons, it is important for your school to invest in a cyber insurance policy, providing protection from losses resulting from a wide range of electronic risks and providing valuable support services during a cyber event. If you don’t have such a policy in place, talk to your insurance broker about adding it – the premiums are not prohibitive and will provide significant peace of mind around an increasingly complex area of risk.
The Office of the Privacy Commissioner of Canada also offers some useful tips for containing or reducing the risks of a privacy breach:
Prepare an inventory of data and map out the processes through which it is collected so you know what personal information you have, and where and when you need to protect it.
Conduct vulnerability assessments and penetration tests to identify privacy threats. Consider both electronic data and paper forms (e.g. application forms).
Encrypt laptops, USBs and other portable media so the data is protected in the event of theft.
Limit the amount of personal information you collect and retain to what is absolutely necessary and protect that information through the end of its useful life, including policies on its secure destruction.
Inform yourself of what is happening in the educational industry so you can learn from the experience of others.
Train employees to understand their roles and responsibilities in protecting personal information and limit their access to information on a “need to know” basis.
Update all software, especially anti-virus. Use intrusion prevention and detection systems such as firewalls and audit logs and proactively monitor them.
Following these steps will help reduce the risks of your school being affected by cybercrime, and having a cyber insurance policy in place will provide the necessary backup if something does go wrong. Given the volume of personal data that schools collect for students, parents and staff, adequately safeguarding it is an important responsibility.
Tracey Yan (email@example.com)
SCSBC Director of Finance