By Christopher Hills, chief security strategist, BeyondTrust.
While cyber insurance is intended to provide consumers peace of mind, in recent years it has become a complex and strenuous process. As a result of the shift to hybrid or remote environments, many organizations were forced to expedite their digital transformation initiatives to continue functioning. For higher education institutions, seismic changes were needed to allow their students and faculty to connect, and to enable remote learning.
Unfortunately, the sweeping migration to digital services and remote learning presented an opportunity for bad actors and cyber criminals by broadening attack surfaces. These bad actors have realized how to capitalize on organizations or higher education institutions that lack security controls or that have made poor security decisions.
The response to the increase in cyberattacks has been an overwhelming rise in cyber insurance claims over the past few years. Cyber insurance brokers responded with soaring rates, coverage decreases, risk assessments, and even a lack of coverage due to the lack of money available to write policies. Paradoxically, this response by insurance brokers is, on a cost basis alone, forcing many higher education institutions to opt out of their insurance policies just when they are needed the most.
Higher-education institutions represent a perfect target for cyber criminals given the sensitive, cutting-edge research they conduct. In addition to the potential cost of the information being compromised, downtime is considered a major disruptor in any attack. If a higher-education institution were to suffer an attack, resulting in students not being able to connect, learn, and get the education that is being paid for, it could have severe consequences in the long term.
One noteworthy shift universities and colleges can make to defend against cyber criminals is to limit the number of users within their network that are granted administrative rights. Administrative rights granted to end users are a perfect storm for cyber criminals when it comes to footholds and leverage.
Another key change higher-education institutions can adopt for those who need administrative rights is credential vaulting and cyber hygiene. If you can manage the privilege by controlling and minimizing when, where, and how the identity uses the privilege or administrative rights, you can significantly reduce the attack surface available to cyber criminals. When you couple that control with management, hygiene, and audit capability, creating a trail of information on the who, what, when, and where of network access, it becomes nearly impossible to fall victim to the bad actors.