Empowered Chats: K-12 and Higher Education Cyber Insurance

June 20, 2023

Contributors: Kim Lindsay, CPA, CGMA

The 2022/23 school year has closed, and teachers and administrators are no doubt looking forward to a well-deserved summer vacation. However, there’s a looming threat that isn’t taking any time off: cybersecurity attacks targeting K-12 and higher education organizations.

Last year, 44 universities and colleges and 45 school districts operating 1,981 schools experienced ransomware attacks. The total number of schools hit was nearly double that of the prior year, and the attackers’ success rate increased too: data was exfiltrated in 65 percent of the 2022 incidents, up from 50 percent in 2021.

Without proper policies and procedures put in place, cyber attacks will continue to plague schools and universities. Whether large or small, academic organizations aren’t powerless. But many overlook a key measure of defense that’s essential to protecting school data and operating systems: cybersecurity insurance.

We sat down with Mark Spaak, senior manager of security solutions, and Kim Lindsay, principal of governmental and not-for-profit services, to discuss why cybersecurity insurance for K-12 and higher education organizations is critical and, importantly, how these organizations can overcome the hurdles of qualifying for cybersecurity insurance.

Why are K-12 and higher education organizations at an especially high risk? 

K-12 and higher education organizations are particularly enticing to threat actors because of the large amount of personally identifiable data these organizations possess—generally, thousands upon thousands of student records containing names, phone numbers, addresses, fiscal aid information, and more. The sheer amount of detail greatly increases the risk these organizations have and further increases the need for cybersecurity insurance. The global average cost of a cybersecurity incident is $164 per record. Multiply that cost by the thousands of records an academic organization has and it’s easy to see how quickly a single cyber-attack could decimate an organization. 

The COVID-19 pandemic and the pivot to virtual learning is another factor that increased risk to educational organizations. Most had to pivot quickly to virtual platforms without ample time to mitigate or even consider the risk involved. Three years later, many educational organizations remain vulnerable to a cyber-attack.  

Solutions 

Historically, K-12 schools have relied on their Intermediate School District (ISD) to handle issues like cybersecurity threats and insurance. The ISD oversees the individual schools in the district, so it’s easy to pass the problems up the chain. Mark and Kim suggest moving away from that default mindset and recommend that administrators instead consider what steps have (or have not) been taken to protect data records in their district and how today’s cybersecurity risks could affect their individual school.

It’s no secret that public schools struggle with tight budgets. It can be difficult to not only get the money for cybersecurity insurance but also put in place proper training, policies, and procedures. One solution school systems have found to combat this problem is finding power in numbers. School systems partner with their ISD to create a sort of consortium. These consortiums have the power to push down security solution pricing because they can convince the solution providers that they have multiple school systems with buying power–if the pricing can be negotiated.  

Some cyber-insurance providers will create grant programs with a percentage of the fees they collect. Money is allocated into these grant programs and set aside for educational organizations that need to implement cybersecurity measures but don’t have the proper funds to do so. We are seeing a lot of creativity being put into solving these problems for educational organizations with tight budgets.  

SET SEG 

SET SEG is a nonprofit property casualty organization and a major player in the cyber-insurance space for educational organizations. It operates on a membership model, offering training and educational resources on a wide variety of topics like cybersecurity. A big positive of SET SEG is that it understands the challenges within the educational space and offers a grace period for organizations, allowing them to catch up on cybersecurity protections, including necessary policies and procedures like an incident response plan. However, as in the commercial insurance space, we expect to see a tightening of baseline requirements in the next few years. Insurance companies have essentially become the regulators of minimum requirements and best practices for cybersecurity.

Next steps 

It can be easy to feel overwhelmed with all the information about cybersecurity and the requirements that need to be met to obtain cyber insurance. Kim Lindsay suggests getting all your key players together: your district’s superintendent, representatives from both the finance and technology departments, and insurance providers. All of these stakeholders should be communicating about cybersecurity risks on a regular basis to stay ahead of issues and put a plan in place. Do a SWOT analysis together to figure out where your district is vulnerable. If you decide to implement large changes, make sure to communicate with your stakeholders and have a plan in place for training.

Mark Spaak also suggests checking out the Center for Internet Security’s free resources. Their Version 8 framework self-assessment is free and a great place for organizations to get a baseline of where they rank with their current cybersecurity controls. Following an industry-standard framework like CIS ensures organizations are adhering to generally recognized best practice approaches with a taxonomy that is universal. It’s estimated that nearly 85 percent of the cyber-attacks seen in 2021 and early 2022 could have been avoided if organizations had implemented only group one of the Version 8 family of cybersecurity controls. 
