ePlace Solutions cybersecurity risk management services aim to simplify complicated regulatory requirements and provide practical guidance for security compliance, breach prevention, and mitigate losses.

In this issue:

Over 50% of Higher Education Hit with Ransomware

Criminals specifically target schools for a variety of reasons. The Los Angeles Unified School District (one of the largest districts in the US) is a recent example of a district falling victim to ransomware.

In fact, 56% of lower education organizations and 64% of higher education organizations were hit by ransomware in 2021 according to Sophos.  The encryption success rate for ransomware in the education sector is much higher than the average with 74% of attacks resulting in data being encrypted! Sophos also found that paying the ransom will only restore some of the data and victims can’t count on the ransom payment to get all the data back. Similarly, only 4% of ransom payers in 2021 got ALL their data back, down from 8% in 2020.

Prevention is the key!

How do Schools Protect Themselves?

First, to improve, districts likely will need to increase cyber budgets. The spending should go toward training users on security principles and social engineering tactics. Other recommendations include:

  • Use multi-factor authentication on systems including email, remote access, and all privileged accounts.
  • Deploy modern security tools (like next generation antivirus and EDR tools) on devices to continuously look for and mitigate threats.
  • Update or patch all systems to protect against all known vulnerabilities and change passwords across networks so previously stolen credentials are useless to malicious actors.
  • Back up data and ensure air-gapped or offline backups beyond the reach of hackers.
  • Test incident response plans so organizations are prepared to respond quickly to minimize the impact of any attack.
  • Encrypt the data so it cannot be used if it is stolen.
  • Educate employees to common tactics attackers will use over email or through websites, and encourage users to report if their computers or phones have shown unusual behavior, such as unusual crashes or operating very slowly.

Oakland Declares State of Emergency After Ransomware Attack

The City of Oakland declared a state of emergency a week after a ransomware attack wrecked government operations.

Six local governments this year already reported ransomware attacks! It was only February.

In fact, in 2022, 106 state or local governments or agencies were hit with ransomware.

This can happen to anyone – are your clients ready for a ransomware attack? How prepared are they?

Prevent Ransomware with these Best Practices:

  • Close all RDP ports if not in use. Otherwise, place all RDP services behind a VPN and protect them using 2FA.
  • Protect all accounts (including email) and remote access points with 2FA.
  • Keep all software up-to-date and implement a patch management program.
  • Train employees to recognize phishing emails and how to report them to IT.
  • Implement geo-IP filtering to block web traffic from entire countries.
  • For cloud backups, use separate, dedicated credentials for access and consider any immutable storage options.
  • Segment networks to build internal barriers to prevent ransomware from spreading.
  • Apply “least privilege” principle to all user accounts.
  • Backup data regularly using the 3-2-1 back up rule.

Clients have access to a complete guide of ransomware protection.

Iowa Passes a Consumer Privacy Law

in March, the Iowa legislature passed Senate File 262, the Consumer Privacy Act related to consumer data and privacy protection.

The statute becomes effective January 1, 2025, and Iowa will join California, Colorado, Connecticut, Utah, and Virginia in passing a consumer privacy law.

Who does it apply to?

Covered businesses are those entities that control or process personal data on 100,000 Iowa consumers or derive 50% of their revenue from selling the data of more than 25,000 Iowa consumers.

What rights are defined in the statute?

The statute creates the following consumer rights:

  • To confirm that covered businesses are processing the consumer’s personal data and access that personal data.
  • To delete personal data provided by the consumer.
  • To get a copy of the consumer’s personal data with certain limitations.
  • To opt out of the sale of personal data or targeted advertising.

Covered businesses must adopt reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Additionally, businesses must protect sensitive data, including racial information, biometric data, and even geolocation under the statute but not processing the data without clear notice to the consumer and an opportunity to opt-out of the processing.

Enforcement

The statute does not include a private right of action and the attorney general of the state has exclusive authority to enforce the law.

Learn More

Contact the Experts

Clients receive unlimited support by phone and email from cybersecurity experts and privacy professionals.