By Christopher Hills, chief security strategist, BeyondTrust.
While cyber insurance is intended to provide consumers peace of mind, in recent years it has become a complex and strenuous process. As a result of the shift to hybrid or remote environments, many organizations were forced to expedite their digital transformation initiatives to continue functioning. For higher education institutions, seismic changes were needed to allow their students and faculty to connect, and to enable remote learning.
Unfortunately, the sweeping migration to digital services and remote learning presented an opportunity for bad actors and cyber criminals by broadening attack surfaces. These bad actors have realized how to capitalize on organizations or higher education institutions that lack security controls or that have made poor security decisions.
The increase in cyberattacks has led to an overwhelming rise in cyber insurance claims over the past few years. Cyber insurance brokers responded with soaring rates, coverage decreases, risk assessments, and even a lack of coverage due to the lack of money available to write policies. Paradoxically, on a cost basis alone, this response by insurance brokers is forcing many higher education institutions to opt out of their insurance policies just when they are needed the most.
Higher-education institutions represent a perfect target for cyber criminals given the sensitive, cutting-edge research they conduct. In addition to the potential cost of the information being compromised, downtime is considered a major disruptor in any attack. If a higher-education institution were to suffer an attack that left students unable to connect, learn, and get the education that is being paid for, it could have severe consequences in the long term.
One noteworthy shift universities and colleges can make to defend against cyber criminals is to limit the number of users within their network that are granted administrative rights. Administrative rights granted to end users are a perfect storm for cyber criminals when it comes to footholds and leverage.
Another key change higher-education institutions can adopt for those who need administrative rights is credential vaulting and cyber hygiene. If you can manage the privilege by controlling and minimizing when, where, and how the identity uses the privilege or administrative rights, you can significantly reduce the attack surface available to cyber criminals. When you couple that control with management, hygiene, and audit capability, creating a trail of information on the who, what, when, and where of network access, it becomes nearly impossible to fall victim to the bad actors.
Visibility is another crucial component of network security. If the privileged accounts within a given network are unknown, it is highly unlikely that the proper actions are being taken to protect them. However, visibility is useless if the information is inaccurate, which is why multi-factor authentication (MFA) is also recommended. One thing is for certain: at the center of every breach, compromise, or ransomware attack lies an identity, and with that identity is some degree of privileged access. Privilege and identity are the two factors abused in almost every attack.
Acquiring the proper defense mechanisms is often a prerequisite to obtaining cyber insurance because such defenses limit the risk associated with insuring the customer. Cyber insurance brokers will also complete their own independent risk assessment, such as non-invasive port probing and scanning, before insuring potential customers, to mitigate the chances of an expensive payout. Additionally, cyber insurers follow the Ransomware Supplemental Addendum/Application, which focuses on nine critical categories that applicants must adhere to in order to be considered for a policy.
Frequently, carriers mandate that their clients have privileged access management (PAM) controls in place. PAM works by exerting control over privileges, applications, and remote access pathways. Regardless of the decision to seek insurance, higher-education administrators should strongly consider adopting PAM controls because they help organizations meet compliance requirements, ensure network visibility, and provide an audit trail so, if needed, the organization can prove what actions were taken and when.
Visibility is crucial in protecting privileged access, and implementing an automated way to discover privilege is equally critical. To take proactive measures, institutions should consider adopting PAM solutions and other security controls before it is too late.