Author: John Farley

Education institutions are increasingly vulnerable to cyber risks due to their unique operational characteristics and mission. These risks are exacerbated by budgetary constraints, reliance on outdated digital infrastructures and the need to balance strong cybersecurity controls with user-friendly network access. The high-profile nature of these institutions means that cybersecurity incidents can significantly impact finances, public trust and morale.
Key characteristics driving cyber risk in education
Information security
Schools often have disparate security protocols across their networks. While strong security measures protect academic records and financial information, student portals and learning resources prioritize ease of use, creating potential vulnerabilities. Striking the right balance between usability and security requires constant vigilance.
Compliance
The decentralized structure of the education sector complicates compliance with various cybersecurity regulations, such as Cybersecurity Maturity Model Certification (CMMC), General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA) and Family Educational Rights and Privacy Act (FERPA).
While schools need to be concerned about data protection requirements and evolving attack techniques, there's a growing and parallel risk of non-compliance with evolving privacy laws. These laws often impose specific obligations on data collection and limits on data sharing.
Business interruption
Schools are prime targets for ransomware attacks, which can disrupt academic schedules and administrative operations. Legacy systems, often incompatible with modern security updates, further exacerbate these risks.
Vendors/supply chains
The diverse vendor ecosystem in education makes it challenging to ensure all vendors meet security standards. Limited capacity for thorough vendor assessments increases the likelihood of breaches.
Social engineering
High turnover and training gaps among students, faculty and staff create vulnerabilities that attackers can exploit through phishing and social engineering campaigns.
Ransomware
Valuable research data makes some schools attractive targets for ransomware attacks. Inadequate backup systems can complicate recovery efforts.
Remote access
Remote learning platforms and unsecured personal devices pose significant security challenges, requiring constant monitoring and updates.
Artificial intelligence
The deployment of artificial intelligence (AI) in a school's operations introduces complexities in cyber risk management on multiple fronts. Both the improper use of AI and malfunctioning AI platforms can lead to a variety of losses, such as data bias claims, liability for intellectual property and trademark infringement, privacy liability and regulatory risk. Moreover, threat actors are increasingly using AI capabilities to develop sophisticated attacks.
Payment cards
High-volume payment processing across fragmented point-of-sale (POS) systems increases the likelihood of cyber incidents, requiring substantial coordination to meet the Payment Card Industry Data Security Standard (PCI DSS).
The importance of Cyber insurance for schools
Cyber insurance plays a crucial role in helping education institutions prepare for and mitigate cyber attacks. It may provide financial protection for losses resulting from cyber incidents and often includes cyber risk services on a free or discounted basis. These services can help institutions assess vulnerabilities, implement stronger security measures and develop comprehensive recovery plans.
In the event of a cyber attack, Cyber insurance may provide coverage for a variety of costs that can reduce the financial burden on institutions. For example, Cyber insurance may cover the costs related to business interruption, IT forensics investigations, call centers, credit monitoring services, public relations experts, data recovery, extortion payments, media liability, legal fees and settlements. When reviewing Cyber insurance, schools should be mindful of several potential coverage pitfalls. Exclusions and sub-limits may be imposed under certain circumstances, and the scope of coverage can vary greatly from one insurance policy to another.
By investing in Cyber insurance, the education sector can enhance its cybersecurity posture, better protect its assets and maintain public trust. As cyber threats continue to evolve, the strategic use of Cyber insurance becomes increasingly vital in safeguarding the mission and operations of these institutions.