Cybersecurity Is Just Too Expensive for K-12 and Higher Education: Debunked
Who says cybersecurity is too expensive for your organization? Perhaps your leadership? The trustees of your organization? A recent report from the K12 Cybersecurity Resource Center found that major cyber incidents increased dramatically after the Covid-19 pandemic. Additionally, education institutions across the US have seen a rise in cyber incidents because these institutions are a prime target for cybercriminals.
With the increased reliance on remote learning, cybersecurity planning, prevention, mitigation and recovery are a must for every organization, but especially for education. Due to the increased utilization of and need for both remote and on-prem technology resources, organizations must mitigate their cyber risk and strengthen their cyber hygiene now more than ever. While there is a cost associated with cybersecurity and with equipping your team with the right tools and strategies to protect your organization, the cost associated with a cyberattack on your organization is much higher.
Cybercrime will likely exceed $20 billion annually this year (2021), according to Cybercrime Magazine. The costs associated with cybercrime are also more than just a dollar figure. They also include an institution's operational disruption, altered business practices and, most importantly, its reputation. The reporting of data exposure and data breaches will impact the confidence our constituents have in our use of their data. All of this comes at a cost.
The ever-expanding threat landscape includes ransomware, malware, distributed denial-of-service attacks, social engineering, software vulnerabilities, open ports, backdoors, end-of-life software, end users and much more. Organizations that do not plan for proper mitigation of attacks on any of these fronts leave their data and operations exposed to data loss, ransomware or complete systems failure.
Cybersecurity legislation and policies are creating requirements to enhance our cybersecurity posture and spend. Texas DIR TAC 202 establishes baseline security standards for state agencies and institutions of higher education. Texas SB820 requires school districts to develop and maintain a cybersecurity framework. These directives and actions require additional security spending in order to adequately and properly meet their respective requirements. The additional manpower required to address these issues and requirements is another direct cost associated with cybersecurity that many organizations do not consider today.
Cyber risk insurance is a must for all organizations today, and many new policy requirements mandate multi-factor authentication, among other requirements. Multi-factor authentication requires that a user have two or more means of identification, usually referred to as something you know and something you have. A username and password alone are no longer adequate under a cyber risk policy. The additional requirement of “something you have” will come with additional implementation and maintenance costs for many organizations. Integrating it into their authorization and access policies will greatly enhance their security posture, but at what cost? Is this too expensive for an organization to implement? What about the inability to have proper cyber liability coverage?
So, how should you plan? What can you do for mitigation?
The answers will vary among organizations, but they should be aligned to your local, state and federal requirements. Your local requirements must take into account proper planning. The NIST (National Institute of Standards and Technology) cybersecurity framework outlines the steps that an organization should be prepared for. The NIST framework consists of identification, protection, detection, response and lastly recovery. Who in your organization is going to help implement the framework you choose for the various items that I have already mentioned?
Mitigation techniques and business continuity plans must also be part of the cyber policies and practices for your organization. These plans must include a wide array of policies and practices which include network patching, auditing, scanning, user awareness training, ransomware mitigation and recovery, remote learning cyber practices, malware defense and more. Furthermore, business continuity plans must include what data is required, retention policies, recovery timelines and more. These plans must be included in all organization policies and at all levels of an organization. What is your level of risk and exposure? Who will make the decision on what needs to be covered and by whom?
Moreover, institutions must adequately implement safe, sound and secure policies, procedures and practices to ensure their business continuity in the event of data exfiltration, cyber ransomware, data loss and more. To say that we cannot afford cybersecurity is unrealistic given today's existing and ever-changing threat landscape. Every opportunity for a cyber incident is another possible exposure and therefore another expense to the infrastructure.
It is important for everyone in our organizations to understand the potential impacts of all cyber-related activities. As the criminals get better, so must we. Cybersecurity is an umbrella that will require us to examine all areas of our institution in order to better understand where we need additional “coverage”. We must also increase the institutional knowledge of cybersecurity and safety across all areas in order to continually improve our posture. Bolstering our security posture is now a requirement, and our budgets must adequately provide for our “umbrella” in order to implement a proper cybersecurity plan.
The time is now.