Does Cyber Insurance Justify Risky Behavior?

September 22nd, 2023

Far too often we hear people say, “I don’t need to worry about security tools and training, I have Cyber Insurance.” While this doesn’t apply to everyone, we did want to take the time this week to talk about why Cyber Insurance isn’t enough to give your district the protection it needs and deserves. Few people would get car insurance and then decide they can drive their car around curvy roads at 90 mph. And most people won’t leave their car unlocked and unattended just because insurance will replace it (or what’s inside). Cyber security is the same. While insurance can help with the financial pain of an incident, it can’t get your network up and running again, nor can it fix your tarnished reputation if it turns out your district did not take reasonable steps to safeguard itself.

Not only can ignoring Cyber threats disrupt your network and the day-to-day activities that depend on it, but it can also leave you open to liability if it appears you did not follow guidelines to protect your district’s employees’ and students’ data. Cyber insurance is not going to help you if it turns out you did not take reasonable steps to come into line with Ed Law 2-d and the NIST Cybersecurity Framework. Most likely there will be a lot of questions, and a lot of publicity (if not more).

In the future (if not already) you may not be able to put off security measures and still qualify for Cyber Insurance. It is also possible that if the insurance company finds that anything you reported in the assessment during your application for insurance proves to be untrue, they may not pay anything on your claim. Because Cyber Insurance companies have seen a large rise in claims, they are clamping down on those they insure. They want to make sure the risk of cyber-attacks on their customers is as low as possible. According to the Sophos report “State of Ransomware 2022,” 94% have found it harder to secure Cyber Insurance coverage over the last year, and 97% of those that do have Cyber Insurance have made changes to their defenses to improve their Cyber Insurance position.

Hopefully, your district is addressing this cyber threat head-on, with insurance, security measures that line up with the NIST CSF, and training. According to a recent post from SentinelOne, education is the most targeted industry, with an average of 2,297 cyberattacks against organizations each week in the first half of 2022, a 44% increase compared to the first half of 2021. In July 2022, the education sector experienced double the number of weekly cyberattacks when compared to other industry averages. With threats continuing to escalate, it is even more important to fight with everything you can.

Next week’s bulletin will discuss “Are your old userids opening the door to Cyber attackers?”

· Talk to your Director of IT about the Cyber Insurance assessment so you can understand what is expected from the district.

· It is vital that whatever insurance-related assessments and declarations the district has made to your cyber insurer are factually accurate and not wishful thinking. If it isn’t done, the form must state that. If it is in progress, you can state that, but be prepared to demonstrate the progress you are making in completing the task.

· Continue (or start) the process of coming into line with the NIST Cybersecurity Framework guidelines.

If you would like some help navigating the NIST CSF journey or if you and your Director of IT would like to hear more about how you can improve your security posture, please contact Lisa MacDougall at lmacdougall@csiny.com or call 845.897.9480.