As seen on eCampus News
Implementing privileged access management solutions can ultimately lead to more cyber insurance options and significant cost savings.

Privileged access management: Empowering higher-ed cyber insurance policies

By Christopher L. Hills, Chief Security Strategist, BeyondTrust | December 15th, 2023

In today’s world, navigating the cybersecurity market for risk-reducing solutions can be a daunting task. Between buzzwords and current trends, the threat landscape is continuously evolving, and the cyber insurance market is no different. In fact, cyber insurance has become the trending topic in higher-ed cybersecurity conversations. What cyber insurance is, what is covered, how to qualify, and whether or not you’re putting adequate effort into risk mitigation are all areas in which cyber insurance remains unique, and understanding them is critical.

Unlike conventional insurance, cyber insurance plays by a set of rules that continue to evolve. Each policy request must be individually and thoroughly evaluated, whether it is a new or renewed plan. This meticulous process comes after many colleges and universities were targets for ransomware attacks over the past several years. As a result, cyber insurance companies had to evolve their current policies to remain agile in an evolving digital world. This, in turn, created an influx of higher premiums.

Introduction of the Ransomware Supplemental Application (RSA)

Evolved cyber insurance review policies are found in the “Ransomware Supplemental Application,” a document which focuses on risk mitigation for ransomware and how to reduce the effects of a breach.

The Ransomware Supplemental Application (RSA) is the focal point for higher education institutions to meet cyber insurance requirements. Auditors use this as a tool to determine coverage premiums and qualification. The RSA is broken down into 9 categories:

  1. Multi-Factor Authentication
  2. Patch Management/Vulnerability Management
  3. Active Directory/Service Accounts/Privileged Accounts
  4. Endpoint Security – Privileged Elevation/Application Control/Detection and Response
  5. Secure RDP/VPN
  6. Disaster Recovery/Data Backups
  7. Security Awareness/Training
  8. Incident Response Plan
  9. Email Filtering

Privileged access management (PAM) aligns to cyber insurance requirements

By evaluating these categories, one might find that Privileged Access Management (PAM) aligns with the RSA at its core and should be considered a foundational component for organizations and institutions looking to reduce risk and meet cyber insurance requirements. For instance, when the University of South Florida (USF) was tasked with acquiring a cyber insurance policy, the RSA requested information around the school’s password protection plan. Because USF has a PAM solution in place, it was able to identify specifics around the number of users, systems, and local administrative accounts. This enabled the university to provide clear evidence of how the PAM solution has improved its system security overall.

Making a PAM solution part of your organization’s cybersecurity strategy can also prevent policy exclusions, such as two-factor implementation. In addition, discovery is part of the process of finding privileges within an organization or institution. PAM discovery processes provide a comprehensive inventory of privileges, which falls in line with most patch management solutions. Although PAM doesn’t handle patching, it does provide the level of detail that organizations and institutions need to decide whether or not an asset or its installed software/version poses a risk to the organization. Lastly, all PAM solutions can be configured in a high availability/disaster recovery configuration and can be configured to data backup recovery sets. PAM solutions lend themselves to what cyber insurers are looking for when it comes to risk reduction.

Privileged access management lowers the cost of cyber insurance

A benefit that some universities encounter during their cyber insurance renewal process relates to the common question, “How much money can I save by implementing a PAM solution?” During the due diligence process with a broker, colleges and universities must answer questions heavily related to risk mitigation involving Privileged Access Management (PAM). Most universities start out with only two carrier insurance policies available based on eligibility; however, upon completion of the Ransomware Supplemental Application, cyber insurance brokers can obtain several additional policy options as a direct result of the institution having implemented PAM controls into its security posture. Implementing PAM solutions can ultimately lead to more cyber insurance options and significant cost savings.

Partner with PAM to achieve successful security outcomes

Many organizations and institutions are tired of buying security solutions. They no longer just want a solution. Instead, they want a partnership with a vendor that is invested in them and the longevity of their success. Anyone can go out and buy a solution, but not everyone can partner with customers on their journey to achieve successful security outcomes.

About the Author:

Christopher L. Hills has more than 15 years of experience as a Senior Security and Architecture Engineer operating in highly sensitive environments. Chris serves as Chief Security Strategist at BeyondTrust and is a military veteran of the United States Navy. He started with BeyondTrust after his most recent role leading a Privileged Access Management (PAM) team as a Technical Director within a Fortune 500 organization.
