It is no exaggeration to say the cyber insurance marketplace is in disarray. Cyberattacks have risen to an all-time high. Data shows that educational institutions, including private K-12 schools, have been increasingly targeted by bad actors, and the reliance on remote learning in response to the COVID-19 pandemic made schools a heightened target for ransomware attacks. Due to the proliferation of these attacks in the last two years and the valuable information at stake, one can expect that the education sector will continue to be a top target. Many institutions were hit with the notable Blackbaud breach and some with the most recent ransomware attack on workforce management platform Kronos.
This environment puts schools renewing their cyber insurance or applying for the first time in a difficult situation. There are fewer insurers offering coverage to schools, and the ones that remain are imposing significant changes to policy terms, pricing and, perhaps most importantly, underwriting requirements.
The key recommendation in this cyber marketplace is to start the renewal process early and make it a team effort, including your leadership team, IT team and outside IT vendors where necessary. To help schools protect their data from cyberattacks and best position themselves in the marketplace, we compiled five key areas to review:
In a time when bad actors are targeting businesses based on their security controls (or lack thereof) rather than on the information that they might have stored on their network, MFA is the best means for keeping the cybercriminals out.
Use Multi-Factor Authentication
Multi-factor authentication (MFA) is a system for securing your accounts by requiring multiple forms of verification to prove your identity when logging into an application. In a time when bad actors are targeting businesses based on their security controls (or lack thereof) rather than on the information that they might have stored on their network, MFA is the best means for keeping the cybercriminals out.
Risk Management Guidance
Carriers will look to see MFA implemented on all business-critical systems, with a particular focus on MFA for remote access to email, remote network access, and privileged/administrative access. One of the more onerous requirements we anticipate coming is that all students accessing the school’s network remotely be required to have multi-factor authentication enabled. This is normally an inconvenience for all parties, but may be even more difficult for schools with younger students.
Back up Your Data
Maintaining timely and comprehensive data backups is something that many cyber insurance carriers require. Implementing a good data and system backup plan is a critical step to recovering from and reducing the severity of a ransomware attack.
Risk Management Guidance
It is imperative that data backups be encrypted. If a bad actor can gain access to your systems and start manipulating data, it can cause even more problems when you restore your systems.
Also key is to separate data backups from the primary network. You can do this in two different ways, using either an offline backup separate from the primary network or a cloud backup solution. You can also use a combination of the two.
Test your backups. It’s good to know how quickly you can restore the data and your systems in the event of a cyberattack. Implementing a routine test to ensure that everything works properly after restoring a full system backup is a critical step in your mitigation efforts.
Implement Security Awareness Training Programs
Cybersecurity requires a culture that holds employees, IT teams, and management alike accountable for their role in protecting their school, its data and any student information they store. Any school is one momentary lapse in judgment away from opening the door to a bad actor who could ultimately carry out a ransomware attack. Cyber insurance carriers often require ongoing cybersecurity training, and may require additional training moving forward.
Risk Management Guidance
Implement training for your faculty, staff and students to identify and report suspicious emails using a combination of training videos, simulated phishing attacks and a suspicious email reporting plugin to your email system. Several vendors provide these services, including KnowBe4, Proofpoint and Curricula. This kind of training has always been an excellent risk management measure, but now it is becoming a requirement to get quotes from cyber insurance companies.
In its 2021 Phishing by Industry Benchmarking Report, KnowBe4 reported that 31.4% of users with no security awareness training clicked a simulated phishing attempt email. That means almost 1 in 3 users clicked when they should not have. This stat is alarming, considering it only takes one click for bad actors to get in. KnowBe4 also reported that, for users after 90 days of participating in their security awareness program, 16.4% clicked when they shouldn’t have. And, after one year, only 4.8% clicked when they shouldn’t have.
Verizon’s 2021 Data Breach Investigations Report shows that phishing continues to be the top threat action used in successful breaches. About 85% of breaches were linked to stolen login credentials that were obtained using social engineering schemes. The FBI reported that the frequency of phishing incidents nearly doubled from 114,702 in 2019 to 241,324 in 2020. All indications are that frequency is worsening, and this unfortunate trend shows no sign of changing.
Scan for Malicious Software
With the number of endpoints in schools increasing (instances where devices such as desktops, laptops or phones connect to the network) plus more sophisticated cyberattacks, insurance carriers are looking for schools to require more advanced antivirus protection programs to identify and prevent threats.
Risk Management Guidance
Endpoint detection and response (EDR) is a relatively new technology that addresses the need for 24/7 monitoring and response of your network’s endpoints. Examples of companies offering this software include Sophos, SentinelOne, McAfee, Carbon Black, FireEye and Microsoft Defender for Endpoint.
Despite your best efforts and security implementations, cybercriminals can still get in. It is crucial that you know how to manage the response when they do.
Have an Incident Response Plan
Despite your best efforts and security implementations, cybercriminals can still get in. It is crucial that you know how to manage the response when they do. Having a cyber incident response plan can help reduce the chaos brought on by a cyberattack and potentially reduce the severity of the loss. Procedures like these are looked upon favorably in the cyber insurance marketplace.
Risk Management Guidance
Your incident response plan should incorporate reporting a breach to your insurance agent and carrier as soon as possible. Many carriers have incident response teams standing by 24/7. The sooner they are aware of the breach, the sooner they can help you bring in experts who can potentially mitigate the damages.
You should regularly test your incident response plan. One way to do this is by facilitating a tabletop exercise with those team members who are a part of the incident response plan. Make sure everyone knows their role and that the goal is keeping up with any developing best practices or new security implementations you may have added.
A recent white paper by CrowdStrike, a leading provider of incident response services, says not to unplug your system when you become aware of a breach. It’s likely that the bad actor has been in the system for some time, and unplugging will either tip them off and cause them to install additional malware or can damage significant forensic evidence needed for remediating the damage.
Building the Budget
The unfortunate reality is that implementing security controls and increasing cyber insurance costs will impact budget dollars.
It’s important to note that this is an evolving marketplace. These five steps are just a sampling of ways you can improve your school’s cybersecurity measures and be more attractive to cyber insurance carriers. Four months ago, the lack of a particular security implementation at your school may have been of no consequence at renewal. However, in today's environment, it could be a requirement on a cyber insurance policy.
One thing we’ve learned with cyber is that the market is changing fast and often, so making future price predictions is very difficult. Our advice as of early 2022 is for schools to budget for 50%+ premium increases. More than ever, individual school protocol deficiencies and claims activity will contribute to a larger increase. While the pricing challenge is real and should be paid attention to, the more concerning area is that schools without key controls (like multi-factor authentication) may struggle to find coverage at all. The unfortunate reality is that implementing security controls and increasing cyber insurance costs will impact budget dollars. Some schools have created separate line items to ensure they have the necessary funds allocated for cyber risk management.
Notably, while the cyber insurance marketplace is facing unprecedented changes, insurance policies with broad coverage terms are still available for those schools keeping up to date with these cyber security implementations and risk management steps. While the guidance outlined is a good place to start to help prevent a cyberattack, we are now at a point where such security controls and procedures must be continually assessed and adapted as a part of your school’s overall risk management to safeguard your school from becoming a victim of cybercrime.