Earlier this month I had the honor of presenting a session on Cyber Risk Management at the EDUCAUSE Annual Conference. Cyber insurance is top of mind for many universities, with ransomware proliferation increasing claims and losses, and resulting in rising premiums.

In today's digital age, the higher education sector faces numerous challenges when it comes to cybersecurity. With the increasing frequency and severity of cyber-attacks, it’s crucial for educational institutions to adopt progressive approaches for cyber risk management.

Challenges in the AMS Public Education Industry

The AMS public education industry faces unique cyber threats due to its diverse environment, which includes faculty, students, research and healthcare. Exploits and compromised credentials accounted for 77% of ransomware attacks against higher education organizations in CY'23. Breaches stemming from compromised credentials accounted for a much larger share (37%/36%) compared to the cross-industry average of 29%.

The industry also faces challenges in terms of securing cyber insurance policies. Limited demonstration of proper hygiene, efficacy of controls, and cyber resilience make it challenging for insurance providers to assess the risk accurately. The high frequency and severity of ransomware and privacy claims further impacts underwriting appetite.

Progressive Approaches for Cyber Risk Mitigation

To effectively mitigate cyber risks, higher education institutions should adopt progressive approaches that go beyond traditional security measures. One such approach is the implementation of a Zero Trust framework.

Zero Trust improves existing security postures by minimizing the attack surface, preventing lateral spread through segmentation, protecting against compromise and data loss, and utilizing AI/ML intelligence for automated cyber resilience. In addition to taking a firm stance on deploying Zero Trust, other industry practices should be adopted:

Multi-Factor Authentication (MFA)
Patch and Hardening
Security Awareness and Training
Cyber Security Framework adoption
SIEM/SOC and Endpoint Security
Data Loss Protection (DLP)

By adopting these progressive approaches, higher education institutions can significantly enhance their cybersecurity posture and reduce the likelihood of successful cyber-attacks.

Changing Landscape of Cyber Risk and Insurance

2023 is expected to bring significant changes in the cyber risk and insurance landscape. Ransomware attacks are at an all-time high, with claims surging 117% year-over-year and claim severity increasing by 42%. The estimated costs of ransomware attacks are projected to reach $265 billion by 2031.

The cost per data breach is also at an all-time high, further highlighting the need for robust cybersecurity measures.

These trends are likely to impact cyber insurance renewals and premiums, with rate reductions coupled with increased claims frequency becoming unsustainable. As a result, higher education institutions should anticipate premium increases and ensure they have adequate coverage to mitigate potential financial losses.

Guiding Principles for Cyber Risk Management

To effectively manage cyber risks, higher education institutions should adhere to the following guiding principles:

Assume you're compromised (or you will be): It is essential to have a proactive mindset and assume that a cyber-attack is inevitable. By adopting this principle, organizations can focus on implementing robust security measures and incident response plans.
Become more insurable: Creating a culture of cybersecurity awareness and promoting responsible behavior among faculty, staff, and students is crucial. By prioritizing cybersecurity education and training, institutions can reduce the likelihood of human error leading to security breaches.
Invest in mitigation controls - reduce the greatest amount of potential financial loss (PFL): Higher education organizations should prioritize and invest in mitigation controls based on their financial exposure. By identifying and addressing the most significant risks, institutions can minimize potential financial losses in the event of a cyber-attack.
Cyber Risk Quantification (CRQ) plays a crucial role in cyber risk management for higher education organizations. CRQ leads to more informed decision-making, technology prioritization, and board-level reporting. CRQ helps rewrite the rules of how cyber risk is assessed, measured, and managed. By identifying the top threats, risks, and exposures, institutions can prioritize controls that offer the maximum potential benefit in reducing financial exposure.

Progressive approaches for cyber risk management are crucial for higher education institutions to protect against the evolving threat landscape. By adhering to guiding principles, adopting progressive approaches, and leveraging industry best practices, organizations can enhance their cybersecurity posture and reduce the risk of successful cyber-attacks.

Additionally, the implementation of a Zero Trust framework, the use of cyber risk quantification, and staying informed about the changing landscape of cyber risk and insurance are essential for effective risk management. By prioritizing cybersecurity and investing in mitigation controls, higher education institutions can safeguard their data, reputation, and financial well-being in an increasingly digital world.

Zscaler will be speaking on this topic in more depth at the ISAC Best Practices session on Cyber Risk Transformation. Click here for more information and to register.