As seen on eCampus News

3 best practices to manage cyber insurance

cyber insurance can help networks remain safe
By Josh McDonough, Lead Solutions Engineer, BeyondTrust
April 27th, 2022

Cyber insurance rates for universities are astronomical--here’s what institutions can do to manage it

For a service designed to give consumers peace of mind, cyber insurance has become a convoluted and contentious subject. The skyrocketing rates of cyber-attacks necessitate a parallel increase in cyber insurance costs. Paradoxically, this trend is forcing many higher education institutions to abandon their insurance plans just when they need coverage most. 

A Perfect Storm

The abrupt, sweeping shift to telework in 2020 cast a harsh light on cybersecurity vulnerabilities throughout the nation’s higher education institutions. The education sector now suffers the overwhelming majority of malware encounters when compared to the financial and corporate sectors. Alarmingly, the increase in ransomware attacks against higher education institutions in the first year of the pandemic was so significant that the FBI’s Cyber Division released an advisory on the subject in March 2021.

Another contributing factor to this increase is that cybercrime has become relatively easy to perpetrate with modern technology. The tools and skills necessary to implement a ransomware attack are so rudimentary that some malicious actors cannot even retrieve the data they have stolen once a victim forks over the ransom. Of course, there is no refund policy for cyber-attacks, and therefore the victim is left without data or money, and the information they paid top dollar to get back is floating around in cyber-space.

Higher education institutions are a perfect target for cyber criminals given the confidential, groundbreaking research they conduct, and the minimal safeguards in place to defend that valuable information.

Moreover, the collaborative nature of universities promotes information sharing, whereas the access restrictions of security strategies like zero trust can create friction in the information sharing process.

Steps Institutions Can Take Now

Certain best-practice recommendations have become requirements for institutions interested in obtaining or maintaining their cyber insurance.

Recent attacks against the likes of Howard University, University of California San Francisco, University of Massachusetts Lowell, and many more have shown that with or without cyber insurance, changes to current security protocols must be made, and hastily. 

1. One substantial change universities and colleges can implement to defend themselves is to limit the number of users in their network with administrative rights. Bad actors often seek to obtain credentials through phishing or malware schemes to gain entry to a network and the data within it, and since privileged credentials can access the most data, they are the most valuable.

By reducing the number of users with administrative rights, institutions can minimize the potential attack surface, and reduce the likelihood of a ransomware attack. 

2. Another key update higher education institutions can adopt is network visibility. Particularly in the current remote and hybrid education environment, it is imperative that universities understand the master identities of users accessing their network. That includes monitoring who is accessing the network, when it’s being accessed, the amount of access granted, and from where it’s being accessed. Without this master concept of identity, it is nearly impossible to detect abnormalities in user behavior that could signal a cyber-attack. 

3. However, visibility is meaningless if the information is inaccurate, which is why multi-factor authentication (MFA) is recommended. Users must be able to prove they are who they say they are, which is integral not only to visibility, but to access management as well, because if a bad actor obtains privileged credentials, MFA is another substantial layer of protection. 

The above defense mechanisms are required by most cyber insurers to procure coverage because they limit the risk associated with insuring the customer. Frequently, carriers mandate their clients have privileged access management (PAM) controls in place to protect privileged accounts.

PAM works by exerting control over privileges, applications, and remote access pathways, and enforcing zero trust security principles. The main solutions found in PAM platforms include: secure remote access, endpoint privilege management, privileged password management, and cloud security management.   

The decision of whether to pay for cyber insurance or is highly complicated, and the answer will vary depending on an institution’s available resources. However, the requirements to obtain cyber insurance exist because the mandated strategies are vital when it comes to preventing cyber-attacks.

Higher education administrations should strongly consider adopting these security controls, regardless of their decision to seek insurance. 

When it comes to a cyber-attack, no one ever believes it will happen to them. Unfortunately, the consequences of these attacks can be financially and personally disastrous, which is why those who have the means are willing to pay high insurance rates.

It is always better to be proactive than reactive, so institutions should consider implementing PAM solutions before it’s too late. 

About the Author:

Josh McDonough, Lead Solutions Engineer at BeyondTrust, has a decade of experience in IT and systems engineering. BeyondTrust is a worldwide leader in intelligent identity and access security.

eSchool Media Clients and Partners