As ransomware attacks have increased in frequency and cost, insurance companies have begun raising their standards for cyber insurance policies, including policies for K–12 schools.
Organizations that fail to demonstrate good cyber hygiene will find it harder and more expensive to get cyber insurance policies without a long list of riders and exclusions. In some cases, organizations will find it impossible to get cyber insurance at all.
By putting endpoint security controls in place and following best practices for cyber hygiene, K–12 schools can demonstrate to insurers that they have taken prudent precautions against ransomware attacks. Insurers will then be more likely to issue them policies to cover the cost of damages that might be incurred following an attack.
In this post, I review cybercrime trends, consider how those trends are affecting insurance premiums, and offer recommendations for K–12 schools to follow to strengthen their IT security and more easily meet the increasingly strict coverage requirements.
Cybercrime pays, and insurers have been paying out
The cyber insurance business got its start after Target was the subject of a data breach in 2013. In that attack, criminals compromised the IT systems of a Target partner, and used that compromised partner’s access to retrieve the payment information of 110 million consumers.
Because the attack originated with a partner, Target began requiring its partners to carry cyber insurance to help cover expenses in the event of new security breaches. When Target partners began asking for coverage, insurance companies realized a new market had been born. They began writing lots of policies.
For the first few years, those policies were highly profitable. Then security attacks, including ransomware attacks, became bolder, more frequent, and more expensive to remediate.
In the past five years, the average cost of a successful cyberattack in the U.S. has risen to $13 million, and security breaches have increased 67%.
Around the time of the Target breach, business interruptions from cyber incidents ranked around 15 in the list of risks facing companies, according to risk experts. They are now at the top of the list.
These security breaches were obviously bad for the companies directly affected by them. They were also bad for insurers. What had been a highly profitable market a few years earlier became break-even — or worse. Some insurance companies even found themselves paying out more in cyber insurance claims than they were taking in. The days of relatively quick and easy underwriting are over.
More threats mean more scrutiny
Now insurers are asking harder questions before writing policies. They want to make sure that the organizations they’re insuring are taking prudent steps to reduce the chance of security attacks like ransomware succeeding. So, insurers are asking applicants to fill out questionnaires confirming that they’ve taken practical steps to minimize ransomware threats.
For example, many ransomware variants use the Remote Desktop Protocol (RDP) port to move laterally across a network. In most organizations, this port can be closed on large numbers of endpoints with no loss of functionality to the organization. So, insurers are asking organizations to confirm that they’ve closed the port.
Once a policy is issued, the insurer will then use an IT security service to scan the organization’s public-facing network regularly, looking for holes in its defenses.
Closing unnecessary ports is without question a good security practice. And filling out questionnaires and submitting to network scans does provide insurers with a more accurate understanding of an organization’s preparedness for security attacks.
But can organizations do more to improve their defenses against attacks? And how can they more easily demonstrate their preparedness to insurers to make it easier to get an attractive policy?
Cyber insurance and K–12 schools
These questions apply to all organizations, including K–12 schools. Many people don’t think schools would be an attractive target for hackers. After all, wouldn’t financial institutions like banks have more funds to pay the ransom with? Wouldn’t hospitals feel more pressure to quickly resolve any network interruptions that might jeopardize the delivery of care?
But schools are attractive targets for cybercriminals because of their size, finances, and the wealth of personally identifiable information they manage.
The U.S. public school system employs more people — about 6.6 million — than any other industry in the country. Public school IT systems store information, including names, home addresses, and social security numbers, for over 50 million students.
Almost every one of those students will someday open financial accounts and use financial products such as credit cards. Criminals recognize that the personal data of these students is valuable for fraud now or in the future. That’s why criminals are willing to pay $250 to $350 for a student’s personal data on the dark web.
Most commercial enterprises, such as banks and hospitals, have sophisticated, multi-layered security defenses and robust staffing levels and budget to support every aspect of IT security. Most K–12 schools have a fraction of the budget and staff of commercial organizations of comparable size. Some smaller schools may not even have a full-time IT staff member. This lack of resources leaves K–12 schools vulnerable, which is why attacks are rising.
There is also the impact on a K–12 school district’s reputation. Most superintendents want to stay out of the news for embarrassing breaches that can not only drain their budget reserves in paying ransoms, but also have parents up in arms about their IT management processes.
There were 122 cyberattacks against K–12 schools in 2018. In August and September of 2020 alone, 57% of the ransomware attacks reported to the Center for Internet Security’s MS-ISAC team were against K–12 schools.
The security threats facing K–12 schools were already serious enough to merit a public service announcement from the FBI in 2018. The problem is even more pressing now, especially with the rise in distance learning due to the COVID-19 pandemic. So much so that in 2020 the Cybersecurity and Infrastructure Security Agency (CISA) created security guidelines for K–12 schools to deal with the rising threat landscape alongside an increase in distance learning.
So how can K–12 schools better defend themselves against cyber threats and demonstrate their IT security readiness to insurers?
Automating K–12 cybersecurity and meeting policy requirements
A K–12 school can dramatically strengthen its defenses against ransomware and other security threats by deploying an endpoint management and security platform. With that same platform, the school can gain valuable visibility into the security and ongoing operations of its endpoints — including laptops, desktops, virtual machines, and servers.
A platform that includes time-saving automation can also help under-resourced school districts manage their security better than they can today by automating many manual and tedious tasks, which helps their existing staff be more effective.
With this improved visibility, staff can identify problems that should be corrected to minimize vulnerabilities to attack. And when an attack occurs, IT teams can use endpoint security and visibility features to quickly characterize the attack and contain it.
In addition, an endpoint management and security platform can accurately inventory all the endpoints associated with the school, report on the vulnerability status of those endpoints, and automatically deliver patches and updates.
Because most security attacks take advantage of already known vulnerabilities in applications and operating systems, keeping endpoints continuously updated and patched significantly reduces the risk of attacks.
Unfortunately, in many schools, update and patch management is time-consuming work, performed only when the IT staff has time to analyze endpoints, identify the required changes, and then run patch or update scripts, hoping they work as planned. Even then, only some endpoints might be patched or updated.
Automating update and patch management with an endpoint management system makes this important work fast, easy, and comprehensive.
The Tanium Risk and Compliance Management solution provides real-time visibility into the status of endpoints. Tanium reports not only on which ports are open or closed but what endpoint activity is taking place and which of those activities constitutes a security threat.
The automatic reporting built into the platform allows staff to easily generate reports on managed or unmanaged assets in a K–12 school district’s environment — on or off the network. These reports can help immensely by providing real-time and accurate data without requiring weeks of data collection and assembly to share with cyber insurers as proof of good cyber hygiene. This means that schools can not only get insurance coverage more easily but also reduce their vulnerability to attack when they have visibility into what’s going on in their environment.
K–12 schools can also use Tanium to automatically deliver patches and updates to all endpoints, improving the overall security of school endpoints and reducing the risk of an attack that would require an insurance policy to pay out.
With the threat of costly security attacks rising, getting cyber insurance is a prudent decision for any K–12 school. Tanium helps schools protect their networks and get favorable policies for this important type of insurance.